编译ScaNN过程中提示找不到证书路径的解决办法

问题现象描述

执行编译ScaNN命令过程中提示unable to find valid certification path to requested target详细信息如下：

[root@localhost scann]# bazel clean; CC=gcc bazel build -c opt --cxxopt="-std=c++17" --copt=-fsized-deallocation --copt=-w --copt=-O3 --cxxopt=-O3 --copt=-march=armv8.2-a+lse+sve+f64mm --cxxopt=-march=armv8.2-a+lse+sve+f64mm --copt=-msve-vector-bits=256 --cxxopt=-msve-vector-bits=256 :build_pip_pkg
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Starting clean (this may take a while). Consider using --async if the clean takes more than several minutes.
INFO: Repository bazel_skylib instantiated at:
  /home/wjh/scann/google-research/scann/WORKSPACE:21:13: in <toplevel>
Repository rule http_archive defined at:
  /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl:355:31: in <toplevel>
WARNING: Download from https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz failed: class javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcepti                 on: unable to find valid certification path to requested target
ERROR: An error occurred during the fetch of repository 'bazel_skylib':
   Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
                download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_sk                 ylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: /home/wjh/scann/google-research/scann/WORKSPACE:21:13: fetching http_archive rule //external:bazel_skylib: Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
                download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/external/bazel_sk                 ylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: no such package '@bazel_skylib//': java.io.IOException: Error downloading [https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz] to /root/.cache/bazel/_bazel_root/feae8769a9a784fcce64ccb472ce84a7/extern                 al/bazel_skylib/temp14633894268973902114/bazel-skylib-1.3.0.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO: Elapsed time: 15.322s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded)

关键过程、根本原因分析

ScaNN编译过程中需要从https://github.com网站获取资源，Java程序通过HTTPS协议访问资源，存在安全证书校验流程，由于环境缺少证书导致资源无法获取。

结论、解决方案及效果

1. 通过浏览器导出证书。

   使用浏览器（本文以谷歌浏览器为例）访问https://github.com，按照下图操作顺序导出保存证书，证书文件后缀为crt，例如ca.crt。

   

2. 将浏览器导出的证书导入到服务器。
   1. 将证书上传服务器。
   2. 导入证书。

      keytool -import -alias ca -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -file ca.crt  -trustcacerts -storepass changeit -noprompt

      

      • 导入证书命令参数说明：
        1. -alias：指定别名（用户可以自定义名称）。
        2. -keystore：指定存储文件，在java/lib/security的目录下。（用户需要根据环境中实际路径指定）。
        3. -file：证书文件（绝对路径+证书文件名）。
        4. -storepass：指定存储密码，默认为changeit，查询或删除配置时，需要用到此密码。
        5. -trustcacerts：表示将信任的CA证书添加到密钥库中。
        6. -noprompt：可选项，关闭提示信息。
      • cacerts证书库默认密码为“changeit”（如果使用之前有修改过，则使用修改过的密码）。
   3. 查看证书是否导入成功。

      keytool -list -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts | grep -w ca

      

      回显信息显示存在对应别名，代表证书导入成功。

      

      如果需要删除证书，可以执行以下命令。

      keytool -delete -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -alias ca

   4. 重启设备。

      reboot

3. 重启设备后需重新配置ScaNN编译配置。
   1. 配置网络代理，方法请参见配置网络代理。
   2. 设置pip源。

      1 2	pip config set global.index-url https://mirrors.aliyun.com/pypi/simple/ pip config set global.trusted_host mirrors.aliyun.com

   3. 将bazel添加到环境变量PATH中。

      export PATH=/path/to/bazel/bazel-5.4.0/output:$PATH

   4. 将python3头文件路径添加到环境变量C_INCLUDE_PATH和CPLUS_INCLUDE_PATH中。

      1 2	export C_INCLUDE_PATH=/usr/include/python3.9:$C_INCLUDE_PATH export CPLUS_INCLUDE_PATH=/usr/include/python3.9:$CPLUS_INCLUDE_PATH

4. 重新执行编译ScaNN命令。

   bazel clean; CC=gcc bazel build -c opt --cxxopt="-std=c++17" --copt=-fsized-deallocation --copt=-w --copt=-O3 --cxxopt=-O3 --copt=-march=armv8.2-a+lse+sve+f64mm --cxxopt=-march=armv8.2-a+lse+sve+f64mm --copt=-msve-vector-bits=256 --cxxopt=-msve-vector-bits=256 :build_pip_pkg