Error downloading packs with corporate certificate in chain

[revblock]

When I try to run codeql pack download ... I get the following error.

> codeql pack download codeql/javascript-queries

Package specifications to check for download: codeql/javascript-queries
A fatal error occurred: Could not create access credentials for codeql/javascript-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")

This is on a computer that has a self signed certificate in the chain. For most of the tools I use there's a way to include these certificates with an environment variable or enable it to pick up the configuration with the certificate installed. I can't figure out a way to do that in this case though.

A lot of the examples online are specific to fixing this issue for JRE/JDK which I don't have, I'm just running the codeql mac os binary.

Thanks,

[aeisenberg]

Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.

It looks like you are running codeql on your local machine (ie- not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.

[aeisenberg]

Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors

You can get more info on what precisely is going wrong by enabling SSL debug logging:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

[revblock]

Sorry for the slow reply.

Thank you for your question. The codeql mac os binary is a jar file, so most Java solutions should work. codeql ships with its own jre that is located at codeql/tools/osx64/java.

It looks like you are running codeql on your local machine (ie- not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.

Yes I'm running it locally.

Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors

You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

I tried to do this before but since I don't have any Java tooling installed I don't have a $JAVA_HOME env variable and therefore no keystore with that value so I'm not sure how I would add the certificate for it.

[aeisenberg]

You can try setting JAVA_HOME to ....../codeql/tools/osx64/java. And note that you will need to re-add the cert each time you upgrade your codeql versions.

[ghost]

Facing same issue with Windows Local machine. Here I am trying to install/download cpp/queries packages.

codeql pack download codeql/cpp-queries

Package installation location: C:\Users\shravan.codeql\packages
A fatal error occurred: Could not create access credentials for codeql/cpp-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")

Can anyone please help me on this?

[aeisenberg]

There's not much more I can suggest other than going through the steps above. Please confirm to me that you've tried them.

[icearea]

echo | openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > ghcr-certificates.pem
keytool -import -alias ghcr -keystore "<codeql-home>/codeql/tools/osx64/java/lib/security/cacerts" -file ghcr-certificates.pem

[proitcon]

I have the same problem but on Windows on one machine at a customer. I tried to use the keytool as mentioned above to import the pem file but the error persists.

Is there a way to download and install these packages manually?

[aeisenberg]

@proitcon, this is an old issue. Can you please open a new one and someone on our team can help you? Include the error messages and things you have tried already.