Problem with a project that both publishes to the package registry and uses a package from another package registry

Problem to solve

All of this code is Java and is built with Maven.

I have a GitLab project that provides a library of commonly used classes to other projects (let’s call this lib-1). I have put in the config modifications (in both the provider and consumers) in the pom.xml, GitLab project settings, etc. to publish the built library to its GitLab project package registry. I have confirmed that this all works, including consumer projects being able to use this library.

I have developed another, separate library (in a separate GitLab project) that provides a different set of common classes (let’s call this lib-2). The project above (lib-1) needs to also use this library. This has also been set up to push to its project package registry and I have verified that it pushes to the registry. I have also verified that an (unrelated) consumer project is able to pull and use it.

I’m running into a problem where lib-1 fails to build because it cannot pull the lib-2 library.

Here is the error:

[ERROR] Failed to execute goal on project prometheus-common: Could not resolve dependencies for project com.beast-code.devops:prometheus-common:jar:1.4.0: Failed to collect dependencies at com.beastcode.devops:rest-api-utility:jar:3.0.0: Failed to read artifact descriptor for com.beastcode.devops:rest-api-utility:jar:3.0.0: Could not transfer artifact com.beastcode.devops:rest-api-utility:pom:3.0.0 from/to gitlab-maven-rest (https://gitlab.phactory.beast-code.com/api/v4/projects/1155/packages/maven): Transfer failed for https://gitlab.phactory.beast-code.com/api/v4/projects/1155/packages/maven/com/beastcode/devops/rest-api-utility/3.0.0/rest-api-utility-3.0.0.pom: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

prometheus-common is lib-1 and rest-api-utility is lib-2. The crux of the error seems to indicate that a certificate is not trusted (or maybe not available), but I don’t know how or where that’s coming into the picture. As I mentioned earlier, I have an unrelated consumer of lib-2 that is able to pull this library without any issues.

Configuration

I used the guidance provided here and here to make the changes to the configuration.

prometheus-common (lib-1):

pom.xml (relevant sections)

  <properties>
    <gitlab-api-url>https://gitlab.phactory.beast-code.com/api/v4</gitlab-api-url>
    <prometheus-common.project-id>863</prometheus-common.project-id>
    
    <rest-api-utility.project-id>1155</rest-api-utility.project-id>
    <rest-api-utility.version>3.0.0</rest-api-utility.version>
  </properties>

  <repositories>
    <repository>
      <id>gitlab-maven-rest</id>
      <url>${gitlab-api-url}/projects/${rest-api-utility.project-id}/packages/maven</url>
    </repository>

    <repository>
      <id>gitlab-maven</id>
      <url>${gitlab-api-url}/projects/${prometheus-common.project-id}/packages/maven</url>
    </repository>
  </repositories>

  <distributionManagement>
    <repository>
      <id>gitlab-maven</id>
      <url>${gitlab-api-url}/projects/${prometheus-common.project-id}/packages/maven</url>
    </repository>

    <snapshotRepository>
      <id>gitlab-maven</id>
      <url>${gitlab-api-url}/projects/${prometheus-common.project-id}/packages/maven</url>
    </snapshotRepository>
  </distributionManagement>

As far as I’ve been able to tell, I only need the config in the <distributionManagement> section for the library being published (lib-1 in this example).

I’m wondering if I have done the correct things to the lib-1 pom.xml. I believe I need the two repository entries because they are in different GitLab projects. They had to have different names, otherwise Maven complained. I’m not sure if I needed to do something specific or different with these entries.

ci_settings.xml

<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Job-Token</name>
            <value>${CI_JOB_TOKEN}</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

Please let me know if there is any other file content I should provide to help.

I finally figured out what I needed to do. In the lib-1 .gitlab-ci.yml file there is a job that runs prior to the push-to-package-registry job that builds and runs tests on the built library. I needed to add the same logic that installs a trusted certificate into the Java trust store in the “push” job, into the “build” job.

Here is the updated .gitlab-ci.yml:

build-and-test:
  stage: build-test
  image: maven:3.6-jdk-11
  before_script:
    - 'mkdir ./certs'
    - 'export CRT_FILE=./certs/BCRCA.crt'
    - 'export CA_CERTS_PATH=$JAVA_HOME/lib/security/cacerts'
    - 'echo "$BCRCA" > $CRT_FILE'
    - 'keytool -import -noprompt -trustcacerts -alias BCRCA -file $CRT_FILE -keystore $CA_CERTS_PATH -storepass changeit'
    - 'keytool -list -keystore $CA_CERTS_PATH -alias BCRCA -noprompt -storepass changeit'
    - 'rm -rf ./certs'
  script:
    - 'mvn clean compile test -s ci_settings.xml'
  artifacts:
    when:
      always
    paths:
      - target/surefire-reports
    reports:
      junit:
        - target/surefire-reports/*.xml

push-to-package-registry:
  stage: push
  image: maven:3.6-jdk-11
  before_script:
    - 'mkdir ./certs'
    - 'export CRT_FILE=./certs/BCRCA.crt'
    - 'export CA_CERTS_PATH=$JAVA_HOME/lib/security/cacerts'
    - 'echo "$BCRCA" > $CRT_FILE'
    - 'keytool -import -noprompt -trustcacerts -alias BCRCA -file $CRT_FILE -keystore $CA_CERTS_PATH -storepass changeit'
    - 'keytool -list -keystore $CA_CERTS_PATH -alias BCRCA -noprompt -storepass changeit'
    - 'rm -rf ./certs'
  script:
    - 'mvn clean deploy -s ci_settings.xml -DskipTests'
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH

The logic in the before_script sections is what is needed. I had it in the second job, but not in the first.
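
As an added example (not part of the original post): the failure came from the trust-store import being present in one job but not the other, so the sketch below defines it once in a hidden job that both jobs inherit through extends. The hidden job name .trust-internal-ca and the empty-variable guard are assumptions; the remaining commands, job names and the BCRCA variable are taken from the file above.

```yaml
# Added example, not the poster's file.
# Hidden job (leading dot): never runs by itself, it only supplies shared keys.
# The name .trust-internal-ca is an assumption made for this example.
.trust-internal-ca:
  image: maven:3.6-jdk-11
  before_script:
    # Guard (added here): stop with a clear message if the CA variable is
    # empty, e.g. a protected variable used in a pipeline on an unprotected branch.
    - 'test -n "$BCRCA" || { echo "BCRCA CI/CD variable is empty"; exit 1; }'
    - 'mkdir ./certs'
    - 'export CRT_FILE=./certs/BCRCA.crt'
    - 'export CA_CERTS_PATH=$JAVA_HOME/lib/security/cacerts'
    - 'echo "$BCRCA" > $CRT_FILE'
    - 'keytool -import -noprompt -trustcacerts -alias BCRCA -file $CRT_FILE -keystore $CA_CERTS_PATH -storepass changeit'
    # Fails the job if the alias did not end up in the trust store.
    - 'keytool -list -keystore $CA_CERTS_PATH -alias BCRCA -noprompt -storepass changeit'
    - 'rm -rf ./certs'

build-and-test:
  extends: .trust-internal-ca   # inherits image and before_script
  stage: build-test
  script:
    - 'mvn clean compile test -s ci_settings.xml'
  artifacts:
    when: always
    paths:
      - target/surefire-reports
    reports:
      junit:
        - target/surefire-reports/*.xml

push-to-package-registry:
  extends: .trust-internal-ca   # same trust-store setup as the build job
  stage: push
  script:
    - 'mvn clean deploy -s ci_settings.xml -DskipTests'
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
```

Any further job that runs Maven against the GitLab registry gets the certificate by extending the same hidden job, so the PKIX error cannot come back through a job that was missed.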