The Certificate Path Cannot Be Found During ScaNN Compilation
Symptom
When running the ScaNN compilation command, an error is reported stating "unable to find valid certification path to requested target":
[root@localhost scann]# bazel clean; CC=gcc bazel build -c opt --cxxopt="-std=c++17" --copt=-fsized-deallocation --copt=-w --copt=-O3 --cxxopt=-O3 --copt=-march=armv8.2-a+lse+sve+f64mm --cxxopt=-march=armv8.2-a+lse+sve+f64mm --copt=-msve-vector-bits=256 --cxxopt=-msve-vector-bits=256 :build_pip_pkg
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Starting clean (this may take a while). Consider using --async if the clean takes more than several minutes.
INFO: Repository bazel_skylib instantiated at:
/home/wjh/scann/google-research/scann/WORKSPACE:21:13: in <toplevel>
Repository rule http_archive defined at:
/root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl:355:31: in <toplevel>
WARNING: Download from https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz failed: class javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: An error occurred during the fetch of repository 'bazel_skylib':
Traceback (most recent call last):
File "/root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_skylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: /home/wjh/scann/google-research/scann/WORKSPACE:21:13: fetching http_archive rule //external:bazel_skylib: Traceback (most recent call last):
File "/root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_skylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: no such package '@bazel_skylib//': java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_skylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO: Elapsed time: 15.322s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded)
Key Process and Cause Analysis
The ScaNN build downloads its dependencies from https://github.com. Bazel runs on the JVM and fetches them over HTTPS, so Java validates the server's certificate chain against its trust store (the cacerts file). The certificate needed to validate that chain is missing from the environment's trust store, so PKIX path building fails and the resources cannot be downloaded.
Conclusion and Solution
- Export the certificate using a browser.
- Import the certificate exported from the browser to the server.
  - Upload the certificate to the server.
  - Import the certificate.
    keytool -import -alias ca -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -file ca.crt -trustcacerts -storepass changeit -noprompt
    - Parameter description:
      - -alias: specifies the alias (user-defined).
      - -keystore: specifies the storage file, which is in the java/lib/security directory. (Replace this directory with the actual one.)
      - -file: specifies the certificate file (absolute path + file name).
      - -storepass: specifies the storage password. It is changeit by default. This password is required when you query or delete configurations.
      - -trustcacerts: adds the trusted CA certificate to the keystore.
      - -noprompt (optional): disables the prompt message.
    - The default password of the cacerts certificate store is changeit. (If the password has been changed, use the new password.)
  - Check whether the certificate is successfully imported.
    keytool -list -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts | grep -w ca

    If the alias exists in the command output, the certificate is successfully imported.
    To delete the certificate, run the following command:
    keytool -delete -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -alias ca
- Restart the device.
  reboot
- After the device is restarted, reconfigure the ScaNN compilation options.
  - Configure a network proxy. See Configuring a Network Proxy.
  - Configure the pip repository.
    pip config set global.index-url https://mirrors.huaweicloud.com/repository/pypi/simple
    pip config set global.trusted-host mirrors.huaweicloud.com
  - Add Bazel to the PATH environment variable.
    export PATH=/path/to/bazel/bazel-5.4.0/output:$PATH
  - Add the Python 3 header file path to environment variables C_INCLUDE_PATH and CPLUS_INCLUDE_PATH.
    export C_INCLUDE_PATH=/usr/include/python3.9:$C_INCLUDE_PATH
    export CPLUS_INCLUDE_PATH=/usr/include/python3.9:$CPLUS_INCLUDE_PATH
- Run the ScaNN compilation command again.
  bazel clean; CC=gcc bazel build -c opt --cxxopt="-std=c++17" --copt=-fsized-deallocation --copt=-w --copt=-O3 --cxxopt=-O3 --copt=-march=armv8.2-a+lse+sve+f64mm --cxxopt=-march=armv8.2-a+lse+sve+f64mm --copt=-msve-vector-bits=256 --cxxopt=-msve-vector-bits=256 :build_pip_pkg
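
As a stricter form of the "Check whether the certificate is successfully imported" step above, this added example (not part of the original page) compares the SHA-256 fingerprint stored under alias ca with the fingerprint of the certificate you intended to import, because the presence of the alias alone does not show which certificate was trusted. The sample listing, the fingerprints, the CACERTS variable and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check that alias "ca" in the JVM
# trust store is exactly the certificate you meant to import.
# The fingerprints and the listing below are constructed sample data.
FP_CORP='A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90'
FP_CA='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
SAMPLE_KEYTOOL_LIST="Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

corp-ca, Mar 3, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): $FP_CORP
ca, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): $FP_CA"

# Reduce a fingerprint line from keytool or openssl to bare upper-case hex.
normalize_fp() {
  printf '%s\n' "$1" |
    awk '{ s = $NF; sub(/^.*=/, "", s); gsub(/:/, "", s); print toupper(s) }'
}

# Read `keytool -list` output on stdin and print the fingerprint of the entry
# whose alias is exactly $1. `grep -w ca` would also hit the "corp-ca" line.
alias_fingerprint() {
  awk -v want="$1" '
    /^Certificate fingerprint/ { if (hit) { print $NF; found = 1; exit } next }
    { hit = (index($0, want ",") == 1) }
    END { exit !found }'
}

# Succeed only if alias $1 is listed on stdin with the expected fingerprint $2.
verify_import() {
  got=$(alias_fingerprint "$1") || { echo "alias not found"; return 2; }
  if [ "$(normalize_fp "$got")" = "$(normalize_fp "$2")" ]; then
    echo "match"
  else
    echo "MISMATCH"; return 1
  fi
}

# Real use (assumes openssl is installed; CACERTS is your cacerts path):
#   keytool -list -storepass changeit -keystore "$CACERTS" |
#     verify_import ca "$(openssl x509 -noout -fingerprint -sha256 -in ca.crt)"
# Demo on the constructed listing, with the expected value in openssl's format:
printf '%s\n' "$SAMPLE_KEYTOOL_LIST" | verify_import ca "sha256 Fingerprint=$FP_CA"
```

Compare the expected fingerprint against a value obtained from a source you trust, not only from the same file that was uploaded.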
