Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: unset JAVA_HOME to prevent mkcert hang#6940

Merged
rfay merged 1 commit intoddev:mainfrom
rfay:20250127_rfay_unset_java_home
Jan 28, 2025
Merged

fix: unset JAVA_HOME to prevent mkcert hang#6940
rfay merged 1 commit intoddev:mainfrom
rfay:20250127_rfay_unset_java_home

Conversation

@rfay
Copy link
Member

@rfay rfay commented Jan 27, 2025
edited by stasadev
Loading

The Issue

In very occasional cases, JAVA_HOME may be set incorrectly, leading to failure or hang of the mkcert command, which is used to create trusted certs. Examples in https://stackoverflow.com/questions/78865612/ddev-mkcert-install-fails-or-hangs-when-java-home-misconfigured

How This PR Solves The Issue

Disables mkcert if JAVA_HOME is incorrect.
mkcert fails to run if JAVA_HOME is set, and $JAVA_HOME/lib/security/cacerts or $JAVA_HOME/jre/lib/security/cacerts is not found.

Manual Testing Instructions

Set JAVA_HOME to something that causes failure. Try ddev start, it should work with this PR, and fail with v1.24.2:

export JAVA_HOME=/usr
ddev start

Automated Testing Overview

Release/Deployment Notes

@github-actions
Copy link

github-actions bot commented Jan 27, 2025
edited
Loading

Download the artifacts for this pull request:

See Testing a PR.

Open in Gitpod

Open in GitHub Codespaces

@rfay rfay marked this pull request as ready for review January 27, 2025 16:23
@rfay rfay requested a review from a team as a code owner January 27, 2025 16:23
@rfay rfay requested a review from stasadev January 28, 2025 00:15
stasadev
stasadev approved these changes Jan 28, 2025
View reviewed changes
Copy link
Member

@stasadev stasadev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested this PR with export JAVA_HOME=/usr and confirm that it works.

At first I wasn't able to reproduce the error using v1.24.2, until I renamed my ~/.ddev directory.

$ mv ~/.ddev ~/.ddev.bak
$ ddev start
Starting d11... 
Building project images....
Project images built in 2s. 
 Network ddev-d11  Created 
 Container ddev-d11-db  Created 
 Container ddev-d11-web  Created 
 Container ddev-d11-web  Started 
 Container ddev-d11-db  Started 
Failed to create certificates for project, check mkcert operation: ERROR: failed to execute "keytool -list": exit status 1

keytool error: java.lang.Exception: Keystore file does not exist: 

; err=exit status 1

@stasadev
Copy link
Member

stasadev commented Jan 28, 2025

So the problem is that mkcert tries to install in the java cacerts file, and fails if there is an incorrect JAVA_HOME:

An ignored attempt to provide users with a clear error message was made in:

If we unset JAVA_HOME here, I wonder if we should recommend this in our docs:

-mkcert -install
+JAVA_HOME= mkcert -install

@stasadev stasadev force-pushed the 20250127_rfay_unset_java_home branch from dd74b18 to b470567 Compare January 28, 2025 13:28
@stasadev stasadev changed the title fix: unset JAVA_HOME to prevent mkcert hang fix: disable mkcert if JAVA_HOME is wrong Jan 28, 2025
@stasadev
Copy link
Member

stasadev commented Jan 28, 2025

Based on what I found, it doesn't seem right to completely unset JAVA_HOME because users might still want to use Java's cacerts for mkcert. I updated the PR to show a warning and disable mkcert if the cacerts file isn't found.

This way, we ensure DDEV continues to work without HTTPS, even if the user has a broken JAVA_HOME.

@rfay
Copy link
Member Author

rfay commented Jan 28, 2025

Thank you, and congratulations on reproducing the problem too!

@rfay
Copy link
Member Author

rfay commented Jan 28, 2025

The one thing about the approach here is that we could in fact have turned off JAVA_HOME for DDEV's use, even though people might use it for other things outside of DDEV, true?

@stasadev
Copy link
Member

stasadev commented Jan 28, 2025

Yes, I think there may be some edge cases, and turning JAVA_HOME off completely may not be what people want.

@stasadev stasadev force-pushed the 20250127_rfay_unset_java_home branch from 78451e2 to 294f200 Compare January 28, 2025 15:01
@stasadev stasadev changed the title fix: disable mkcert if JAVA_HOME is wrong fix: unset JAVA_HOME to prevent mkcert hang Jan 28, 2025
stasadev
stasadev approved these changes Jan 28, 2025
View reviewed changes
Copy link
Member

@stasadev stasadev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After another round of testing and exploring mkcert source code, I can say, that unsetting JAVA_HOME is enough, it's simple, and doesn't require any maintenance.

export JAVA_HOME=$(readlink -f /usr/bin/javac | sed "s:/bin/javac::")
# JAVA_HOME=/usr/lib/jvm/java-23-openjdk for me on Arch

mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊
The local CA is already installed in Java's trust store! 👍

mkcert uses all available stores, and we simply don't need Java store in DDEV, it'll fallback to a different available store.

@rfay rfay merged commit 4d62d26 into ddev:main Jan 28, 2025
19 of 21 checks passed
@rfay rfay deleted the 20250127_rfay_unset_java_home branch January 28, 2025 17:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stasadev stasadev stasadev approved these changes

Assignees

No one assigned

Labels

bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rfay @stasadev

Comments