Error downloading packs with corporate certificate in chain #13132

revblock opened this issue May 11, 2023 · 9 comments
@revblock

When I try to run codeql pack download ... I get the following error.

> codeql pack download codeql/javascript-queries

Package specifications to check for download: codeql/javascript-queries
A fatal error occurred: Could not create access credentials for codeql/javascript-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")

This is on a computer that has a self-signed certificate in the chain. For most of the tools I use, there's a way to include these certificates with an environment variable or enable it to pick up the configuration with the certificate installed. I can't figure out a way to do that in this case, though.

A lot of the examples online are specific to fixing this issue for a JRE/JDK, which I don't have; I'm just running the codeql mac os binary.

Thanks,

@revblock revblock added the question Further information is requested label May 11, 2023
@revblock revblock changed the title Error download packs with corporate certificate chain Error downloading packs with corporate certificate in chain May 11, 2023
@aeisenberg aeisenberg self-assigned this May 11, 2023
@aeisenberg
Contributor

Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.

It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.

@aeisenberg
Contributor

aeisenberg commented May 11, 2023

Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors

You can get more info on what precisely is going wrong by enabling SSL debug logging:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

@revblock
Author

revblock commented Aug 4, 2023

Sorry for the slow reply.

> Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.
>
> It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.

Yes I'm running it locally.

> Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors
>
> You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

I tried to do this before but since I don't have any Java tooling installed I don't have a $JAVA_HOME env variable and therefore no keystore with that value so I'm not sure how I would add the certificate for it.

@aeisenberg
Contributor

You can try setting JAVA_HOME to ....../codeql/tools/osx64/java. And note that you will need to re-add the cert each time you upgrade your codeql versions.

@ghost

ghost commented Oct 13, 2023

Facing the same issue on a Windows local machine. Here I am trying to install/download the cpp/queries packages.

codeql pack download codeql/cpp-queries

Package installation location: C:\Users\shravan.codeql\packages
A fatal error occurred: Could not create access credentials for codeql/cpp-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")

Can anyone please help me on this?

@aeisenberg
Contributor

There's not much more I can suggest other than going through the steps above. Please confirm to me that you've tried them.

@icearea

icearea commented Aug 1, 2024

echo | openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > ghcr-certificates.pem
keytool -import -alias ghcr -keystore "<codeql-home>/codeql/tools/osx64/java/lib/security/cacerts" -file ghcr-certificates.pem
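
Added example, not part of the thread and not CodeQL's own tooling: the trust-store import discussed in the comments above, done with a CA certificate obtained out of band and checked against a known SHA-256 fingerprint before it is trusted. The function names, the `corp-root-ca` alias and the fallback to a `keytool` on `PATH` are assumptions; `changeit` is the JDK's default `cacerts` password.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and alias are illustrative.

# Print the JRE bundled with CodeQL: <codeql-home>/tools/<platform>/java.
find_bundled_java() {
    for d in "$1"/tools/*/java; do
        if [ -f "$d/lib/security/cacerts" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Count PEM certificate blocks in a file.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# import_ca <codeql-home> <ca.pem> <expected SHA-256 fingerprint, AA:BB:... form>
import_ca() {
    java_home=$(find_bundled_java "$1") || {
        echo "no bundled JRE with a cacerts file under $1" >&2; return 1; }
    # A capture from `openssl s_client -showcerts` holds the whole presented
    # chain; require one certificate so it is clear which one becomes trusted.
    [ "$(count_pem_certs "$2")" -eq 1 ] || {
        echo "$2 must contain exactly one certificate" >&2; return 1; }
    actual=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$actual" = "$3" ] || {
        echo "fingerprint mismatch: got $actual" >&2; return 1; }
    # Assumption: use the bundled keytool if present, else one found on PATH.
    keytool_bin="$java_home/bin/keytool"
    [ -x "$keytool_bin" ] || keytool_bin=keytool
    "$keytool_bin" -importcert -noprompt -alias corp-root-ca \
        -keystore "$java_home/lib/security/cacerts" \
        -storepass changeit -file "$2"
}

# Usage: sh import-ca.sh <codeql-home> <ca.pem> <expected-fingerprint>
if [ "$#" -eq 3 ]; then
    import_ca "$@"
fi
```

As noted earlier in the thread, the certificate has to be re-added each time CodeQL is upgraded.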

@proitcon

proitcon commented May 5, 2025

I have the same problem but on Windows on one machine at a customer. I tried to use the keytool as mentioned above to import the pem file but the error persists.

Is there a way to download and install these packages manually?

@aeisenberg
Contributor

@proitcon, this is an old issue. Can you please open a new one and someone on our team can help you? Include the error messages and things you have tried already.
