Hi, all. Apologises for the bad formatting but I wasn't member of the
mailing list when this message was sent.
| Downloading
https://services.gradle.org/distributions/gradle-3.0-bin.zip
|
| Exception in thread "main" javax.net.ssl.SSLException:
java.lang.RuntimeException: Unexpected error:
|java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
|(further stacktrace elided)
| When I run `sudo ./gradlew clean`, it works fine. My suspicion is that
it's related to $JAVA_HOME being symlinked to something not owned by my
current user (/home/zck/.guix-profile is a symlink to
/var/guix/profiles/per-user/zck/guix-profile/, | which is a symlink to
/var/guix/profiles/per-user/zck/guix-profile-20-link/, which is a
symlink to /gnu/store/c483gnpwwcmcwdbdba25q3c7x1g79mzm-profile/, which
is owned by root/guixbuild, although this directory has permissions to
read and execute for all users).
|
| Further supporting my suspicion that JAVA_HOME shouldn't be the guix
profile is that I would think either guix or java should manage the
directory, but not both.
|
|So my question is: what's going on here? What do I need to change to be
able to run gradle as my current user? Thanks.
Two weeks ago I was playing with GuixSD and decided to try to run Apache
Tomcat on it. I've downloaded the Linux binary archive and installed
icedtea3 JDK (Java 8). I've hit the same problem described above: Java
is available and able to compile/run various code, but Tomcat was
throwing exceptions and was not able to start.
After some trials, errors and reading I've found the problem:
IcedTea is configured to use NSS service for handling the
cryptography operations. The default install/config of the IcedTea in
Guix configures "jdk_base_dir/jre/lib/security/nss.cfg" file correctly.
Mine looks like this:
name = NSS
nssLibraryDirectory =
/gnu/store/p2d98rbmb5sl7xgca8rf96k6zq51cww6-nss-3.27.1/lib/nss
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation
However this settings to take effect the JDK needs one more setting in
another file: "jdk_base_dir/jre/lib/security/java.security" i.e. the
same directory as "nss.cfg". Read the comments in the begging of the
file to get a glimpse of what is configured there. If you look VERY
closely around "List of providers and their security settings" you will
see this:
security.provider.9=sun.security.pkcs11.SunPKCS11*${java.home}/lib/security/nss.cfg
*
This file exists(I'm not sure about this - I think I've found some file
without the setting) in Guix but doesn't have the correct location of
the NSS library set.
My workaround was to manually override the JDK security settings by
creating "nss.cfg" and "java.security" files in Tomcat "tomcat_base/bin"
dir and point them to the correct locations. Here is the JDK cmd option
(setting it through /bin/setenv.sh):
-Djava.security.properties=java.security
The contents of the custom "java.security" are copied from the original
file. Only the line for the "nss.cfg" is changed:
security.provider.9=sun.security.pkcs11.SunPKCS11 nss.cfg
The contents of the custom "nss.cfg"
name=NSS
nssLibraryDirectory=/var/guix/profiles/per-user/zloster/guix-profile/lib/nss
nssDbMode=noDb
attributes=compatibility
Most probably this is not the most appropriate way to configure the
JDK/NSS relation in Guix but for a workaround it is fine.
Here is a screenshot of Tomcat running (glorious moment for me:) ):
https://www.edno.moe/image-share/2016-11-11-210342_1920x1080_scrot.png
About a proper fix: IMO iced3 JDK Guix definition needs to process
"java.security" file for the SunPKCS11 provider to override the
JAVA_HOME definition with the file in the current version/dir/instance
of the Guix package (I'm not sure for the correct term). But this have
to be done on each update/upgrade of NSS package. So I'm not so sure
about the proper way to fix this packaging problem.
--
Поздрави, | Best regards,
Радослав Петров | Radoslav Petrov