@sebnyberg
Last active December 11, 2024 21:02
Bazel with Custom CA on MacOS

Bazel with Zscaler

First install openjdk with brew.

I typically use Nix, but for this setup to work the cacerts bundle must be mutable, which is (for good reason) not supported in Nix. There is a relevant discussion here that I have not had time to look into.

brew install openjdk@23

Then create a .bazelrc with a custom javabase:

# .bazelrc
startup \
  --server_javabase=/opt/homebrew/opt/openjdk@23

Try bazel info for good measure:

bazel info

For bazel build to work, the Zscaler cert must be merged into the trust store, which is located at $JAVA_HOME/lib/security/cacerts. Capture this path:

CACERTS_PATH="$(bazel info java-home)/lib/security/cacerts"

There is probably some way to export the Zscaler cert programmatically with a combination of openssl, awk, and the like, but it is easier to open Keychain Access, then go to File > Export Items, then export the cert in PEM format to some location, e.g. ~/Documents/zscaler.cer.

Then add it to that JDK trust store with:

keytool \
  -importcert \
  -file ~/Documents/zscaler.cer \
  -alias zscaler \
  -keystore "$CACERTS_PATH" \
  -storepass changeit

Now it should be possible to build with bazel build.
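
The import step above as a guarded function, added here as an example (not part of the original gist): it checks that the export is a single certificate with no private key, compares its SHA-256 fingerprint to a value you supply, backs up cacerts, and skips the import if the alias already exists. The function names and the expected-fingerprint argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: guarded import of an exported CA into the JDK trust store.

# True only if FILE holds exactly one certificate and no private key.
pem_is_single_cert() {
  local file="$1" certs
  [ -r "$file" ] || return 1
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then return 1; fi
  certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
  [ "$certs" -eq 1 ]
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "AB:CD:..." to bare lowercase hex.
normalize_fp() {
  printf '%s' "${1##*=}" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# import_ca PEM ALIAS KEYSTORE EXPECTED_SHA256
# EXPECTED_SHA256 is a value you obtain out of band (e.g. from your IT team).
import_ca() {
  local pem="$1" alias="$2" store="$3" expected="$4" actual
  pem_is_single_cert "$pem" || {
    echo "refusing: $pem is not exactly one certificate" >&2; return 1; }
  actual=$(normalize_fp "$(openssl x509 -in "$pem" -noout -fingerprint -sha256)")
  [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$expected")" ] || {
    echo "refusing: fingerprint $actual does not match expected value" >&2; return 1; }
  # Idempotent: keytool -list exits non-zero when the alias is absent.
  if keytool -list -alias "$alias" -keystore "$store" -storepass changeit \
      >/dev/null 2>&1; then
    echo "alias $alias already in $store"; return 0
  fi
  cp -p "$store" "$store.bak" || return 1   # keep a copy to roll back to
  keytool -importcert -noprompt -file "$pem" -alias "$alias" \
    -keystore "$store" -storepass changeit
}

# Usage, with a placeholder fingerprint:
#   import_ca ~/Documents/zscaler.cer zscaler \
#     "$(bazel info java-home)/lib/security/cacerts" "<sha256 from IT>"
```

If the import needs to be undone, restore the `.bak` copy or remove the entry with `keytool -delete -alias zscaler`.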
