编译TensorFlow 2.13.0源码时证书校验失败的解决办法

问题现象描述

执行编译TensorFlow 2.13.0命令时提示unable to find valid certification path to requested target证书校验失败，详细信息如下：

INFO: Repository rules_jvm_external instantiated at:
  /path/to/tensorflow-2.13.0/WORKSPACE:11:14: in <toplevel>
  /path/to/tensorflow-2.13.0/tensorflow/workspace3.bzl:41:17: in workspace
Repository rule http_archive defined at:
  /root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/bazel_tools/tools/build_defs/repo/http.bzl:355:31: in <toplevel>
WARNING: Download from https://github.com/bazelbuild/rules_jvm_external/archive/4.3.zip failed: class javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: An error occurred during the fetch of repository 'rules_jvm_external':
   Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
                download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/rules_jvm_external/archive/4.3.zip] to /root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/rules_jvm_external/temp12676514006209799632/4.3.zip: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: /path/to/tensorflow-2.13.0/WORKSPACE:11:14: fetching http_archive rule //external:rules_jvm_external: Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
                download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/rules_jvm_external/archive/4.3.zip] to /root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/rules_jvm_external/temp12676514006209799632/4.3.zip: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO: Repository llvm-raw instantiated at:
  /path/to/tensorflow-2.13.0/WORKSPACE:11:14: in <toplevel>
  /path/to/tensorflow-2.13.0/tensorflow/workspace3.bzl:50:9: in workspace
  /path/to/tensorflow-2.13.0/third_party/llvm/workspace.bzl:10:20: in repo
  /path/to/tensorflow-2.13.0/third_party/repo.bzl:136:21: in tf_http_archive
Repository rule _tf_http_archive defined at:
  /path/to/tensorflow-2.13.0/third_party/repo.bzl:89:35: in <toplevel>
INFO: Repository tf_runtime instantiated at:
  /path/to/tensorflow-2.13.0/WORKSPACE:11:14: in <toplevel>
  /path/to/tensorflow-2.13.0/tensorflow/workspace3.bzl:18:15: in workspace
  /path/to/tensorflow-2.13.0/third_party/tf_runtime/workspace.bzl:12:20: in repo
  /path/to/tensorflow-2.13.0/third_party/repo.bzl:136:21: in tf_http_archive
Repository rule _tf_http_archive defined at:
  /path/to/tensorflow-2.13.0/third_party/repo.bzl:89:35: in <toplevel>
ERROR: no such package '@rules_jvm_external//': java.io.IOException: Error downloading [https://github.com/bazelbuild/rules_jvm_external/archive/4.3.zip] to /root/.cache/bazel/_bazel_root/dcb36252f49837fd7a0e106d550e0fdb/external/rules_jvm_external/temp12676514006209799632/4.3.zip: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
INFO: Elapsed time: 19.139s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (0 packages loaded)

关键过程、根本原因分析

关键错误信息：下载依赖组件llvm时，找不到请求目标的有效证书路径。

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

结论、解决方案及效果

1. 通过浏览器导出有效证书。

   使用浏览器（本文以谷歌浏览器为例）访问https://github.com，按照下图操作顺序导出保存证书，证书文件后缀为crt，例如ca.crt。

   

2. 将浏览器导出的证书导入到服务器。
   1. 将证书上传到服务器。
   2. 导入证书。

      keytool -import -alias tf_need -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -file ca.crt -trustcacerts -storepass changeit -noprompt

      

      • 导入证书命令参数说明：
        1. -alias：指定别名（用户可以自定义名称）。
        2. -keystore：指定存储文件，在java/lib/security的目录下。（用户需要根据环境中实际路径指定）。
        3. -file：证书文件（绝对路径+证书文件名）。
        4. -storepass：指定存储密码，默认为changeit，查询或删除配置时，需要用到此密码。
        5. -trustcacerts：表示将信任的CA证书添加到密钥库中。
        6. -noprompt：可选项，关闭提示信息。

      • cacerts证书库默认密码为“changeit”（如果使用之前有修改过，则使用修改过的密码）。
   3. 查看证书是否导入成功。

      keytool -list -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts | grep tf_need

      

      通过查询，发现已经有相关证书信息，导入成功。

      

      如果导入证书存在问题，可以通过以下命令删除导入的证书信息，重新导入。

      keytool -delete -storepass changeit -keystore /usr/lib/jvm/java-11-openjdk-11.0.21.9-1.oe2203sp3.aarch64/lib/security/cacerts -alias tf_need

   4. 重启服务器，使配置生效。

      reboot

   5. 如果前面涉及配置临时生效的环境变量，重启后需要重新配置。
3. 重新编译TensorFlow。

   bazel clean
   bazel build //tensorflow/tools/pip_package:build_pip_package