clojuretravis-cileiningenclojars

Clojure build failed on Travis CI with OpenJDK 9 during lein deps


Background

I have a simple Clojure 1.9 project.

It was configured with a minimal .travis.yml.

language: clojure
lein: 2.8.1

jdk:
- openjdk8
- openjdk9
- oraclejdk8
- oraclejdk9

Travis CI

The builds for OpenJDK 8, OracleJDK 8 and OracleJDK 9 succeeded. However, it failed for OpenJDK 9 in the lein deps stage.

Five artifacts cannot to be retrieved from Clojars. They are clojure-complete, clj-http, pedestal.service, pedestal.jetty and pedestal.service-tools.

It seems to be some issues related to certificates. I have included some of the logs below.

Could not find artifact clojure-complete:clojure-complete:jar:0.2.4 in central (https://repo1.maven.org/maven2/)
Could not transfer artifact clojure-complete:clojure-complete:jar:0.2.4 from/to clojars (https://repo.clojars.org/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Could not transfer artifact clojure-complete:clojure-complete:pom:0.2.4 from/to clojars (https://repo.clojars.org/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
This could be due to a typo in :dependencies, file system permissions, or network issues.
If you are behind a proxy, try setting the 'http_proxy' environment variable.

Questions

  1. Why it happened to OpenJDK9 builds only?
  2. Is it a bug for Travis CI or my configurations?
  3. How can I fix it?

Thanks!


Solution

  • There were discussions in the Travis CI issue tracker[1] and the clojurians Slack.

    The cause is that OpenJDK 9 doesn't ship with the certificates that signed the Clojars' certificate.

    Christian Stein mentioned that Travis CI will always provide an unpatched JDK installation. User will need to symlink the system CA certificates if necessary (Original words).

    Solution

    This is the updated minimal Travis CI configurations.

    It involved manually symlinking the system CA certs in the before_install stage.

    language: clojure
    lein: 2.8.1
    
    jdk:
      - openjdk8
      - oraclejdk8
      - oraclejdk9
    
    matrix:
      include:
        - jdk: openjdk9
          before_install:
            - rm "${JAVA_HOME}/lib/security/cacerts"
            - ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts"
    

    Other solutions

    Alternatively, you can do the JDK installation with a custom matrix as well.

    Updates for OpenJDK 10 and 11

    All OpenJDK versions installed with jdk_install.sh by Travis do not patch the certificates. Thus, you will encounter the same problem for OpenJDK 10 and 11 as well.

    You can reduce the boilerplate for those SDK versions with smartly placed YAML anchor as the example below.

    matrix:
      include:
    - jdk: openjdk9
      before_install: &fix_certs
        - rm "${JAVA_HOME}/lib/security/cacerts"
        - ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts"
    - jdk: openjdk10
      before_install: *fix_certs
    - jdk: openjdk11
      before_install: *fix_certs