I have a simple Clojure 1.9 project.
It was configured with a minimal .travis.yml
.
language: clojure
lein: 2.8.1
jdk:
- openjdk8
- openjdk9
- oraclejdk8
- oraclejdk9
The builds for OpenJDK 8, OracleJDK 8 and OracleJDK 9 succeeded. However, it failed for OpenJDK 9 in the lein deps
stage.
Five artifacts cannot to be retrieved from Clojars. They are clojure-complete
, clj-http
, pedestal.service
, pedestal.jetty
and pedestal.service-tools
.
It seems to be some issues related to certificates. I have included some of the logs below.
Could not find artifact clojure-complete:clojure-complete:jar:0.2.4 in central (https://repo1.maven.org/maven2/)
Could not transfer artifact clojure-complete:clojure-complete:jar:0.2.4 from/to clojars (https://repo.clojars.org/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Could not transfer artifact clojure-complete:clojure-complete:pom:0.2.4 from/to clojars (https://repo.clojars.org/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
This could be due to a typo in :dependencies, file system permissions, or network issues.
If you are behind a proxy, try setting the 'http_proxy' environment variable.
Thanks!
There were discussions in the Travis CI issue tracker[1] and the clojurians Slack.
The cause is that OpenJDK 9 doesn't ship with the certificates that signed the Clojars' certificate.
Christian Stein mentioned that Travis CI will always provide an unpatched JDK installation. User will need to symlink the system CA certificates if necessary (Original words).
This is the updated minimal Travis CI configurations.
It involved manually symlinking the system CA certs in the before_install
stage.
language: clojure
lein: 2.8.1
jdk:
- openjdk8
- oraclejdk8
- oraclejdk9
matrix:
include:
- jdk: openjdk9
before_install:
- rm "${JAVA_HOME}/lib/security/cacerts"
- ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts"
Alternatively, you can do the JDK installation with a custom matrix as well.
All OpenJDK versions installed with jdk_install.sh
by Travis do not patch the certificates. Thus, you will encounter the same problem for OpenJDK 10 and 11 as well.
You can reduce the boilerplate for those SDK versions with smartly placed YAML anchor as the example below.
matrix:
include:
- jdk: openjdk9
before_install: &fix_certs
- rm "${JAVA_HOME}/lib/security/cacerts"
- ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts"
- jdk: openjdk10
before_install: *fix_certs
- jdk: openjdk11
before_install: *fix_certs