Bazel remote cache SSLEngine closed already #6551
Comments
Hey Sevik, you seem to be using Bazel from an unofficial package. Can you please try with an official Bazel release? Bazel doesn't ship with a truststore but uses what's provided by its JVM. Presumably arch linux ships its own JVM and truststore? Thanks! |
I tried using it with the official deb too. |
Thanks @sevki. Apparently, the OpenJDK did a major overhaul of trusted CAs with the release of JDK10 and this list seems to also include DigiCert: http://openjdk.java.net/jeps/319. So once we upgrade Bazel's JDK to JDK10 this should solve your issues. You can do that already by specifying the --server_javabase and pointing it to a JDK10 folder. |
@sevki I just talked to people responsible for updating Bazel's JDK to 10. The plan is to do that in Bazel 0.22. There are a few changes that need to happen before we can safely update to JDK10, most importantly the decoupling of Bazel's JDK and javac's JDK. After 0.22 we will be able to update to new JDKs as they are released. |
thanks @buchgr for the response. openjdk-10 seems to break bazel. it gets stuck somewhere in analysis stage |
sorry doesn't break it, it's just less verbose with git |
also openjdk-10 doesn't seem to fix the issue. still getting
|
Here is what I've tried and this problem still persists;
nothing helped |
I've tried this, with the both openjdk-8 and openjdk-10 and both worked no problem. bazel is still failing when I change the |
@buchgr so this does not seem to be a problem with the truststore but rather a problem with the http client that bazel uses, which does not seem to support SNI |
attached is the pcap |
Thanks for debugging this @sevki! So we'll need to add SNI support to it. This should actually be a one liner: bazel/src/main/java/com/google/devtools/build/lib/remote/blobstore/http/HttpBlobStore.java Line 211 in 612b1ed
Instead of
call
Do you want to take a stab at it? :-) |
Yeah sure 😄 |
this change adds host and port parameters to SSL connection constructor without which the blobstore download client cannot talk to endpoints sharing SSL certificates. Fixes bazelbuild#6551
Description of the problem / feature request:
bazel fails reading/writing to remote-cache
the certificate is valid, and issued by DigiCert, it uses TLS 1.2 and ECDSA. The certificate is able to be verified with every up to date browser.
Feature requests: what underlying problem are you trying to solve with this feature?
Ship bazel with a more up to date trust store or provide a simpler way to use one
As the homogeny of operating systems becoming more and more prevalent, what would be great is if bazel just worked™. It would be a major pain if we'd have to go and package it for debian, archlinux, fedora, macos, windows and so on...
Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
bazel build --remote_http_cache=https://cache.sevki.net/ ....
I've deployed this as an example, I'm not using this in production or anything, just wanted to share this as a quick repro step.
What operating system are you running Bazel on?
Linux 4.18.16-arch1-1-ARCH
What's the output of bazel info release?
release 0.19.0- (@non-git)
If bazel info release returns "development version" or "(@Non-Git)", tell us how you built Bazel.
pacman -S bazel
Have you found anything relevant by searching the web?