I just downloaded Maven and was trying to run the simple command found on the "Maven in Five Minutes" page (http://maven.apache.org/guides/getting-started/maven-in-five-minutes.html). This is the command:
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
When I run it I get an error with SSL certificate and cannot download from the central Maven repository at https://repo.maven.apache.org/maven2. The error is "SunCertPathBuilderException: unable to find valid certification path to requested target".
I am sitting behind a corporate firewall and have correctly configured the proxy settings for both http and https access via the settings.xml file. I doubt that everyone who downloads Maven and runs it for the first time has to import the SSL certificate of the Maven repository, so the problem must be with the proxy. Does anyone have any experience with this?
Here's the stack trace in full debug mode (-X):
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
Apache Maven 3.2.3 (33f8c3e1027c3ddde99d3cdebad2656a31e8fdf4; 2014-08-11T22:58:10+02:00)
Maven home: C:\Projects\maven\bin\..
Java version: 1.7.0_45, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.7.0_45\jre
Default locale: it_IT, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
[DEBUG] Using connector WagonRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2 via *****:8080 with username=*****, password=***
Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-clean-plugin:2.5: Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5
org.apache.maven.plugin.PluginResolutionException: Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5
at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:122)
at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getPluginDescriptor(DefaultMavenPluginManager.java:148)
at org.apache.maven.plugin.DefaultBuildPluginManager.loadPlugin(DefaultBuildPluginManager.java:81)
at org.apache.maven.plugin.prefix.internal.DefaultPluginPrefixResolver.resolveFromProject(DefaultPluginPrefixResolver.java:138)
at org.apache.maven.plugin.prefix.internal.DefaultPluginPrefixResolver.resolveFromProject(DefaultPluginPrefixResolver.java:121)
at org.apache.maven.plugin.prefix.internal.DefaultPluginPrefixResolver.resolve(DefaultPluginPrefixResolver.java:85)
at org.apache.maven.lifecycle.internal.MojoDescriptorCreator.findPluginForPrefix(MojoDescriptorCreator.java:260)
at org.apache.maven.lifecycle.internal.MojoDescriptorCreator.getMojoDescriptor(MojoDescriptorCreator.java:220)
at org.apache.maven.lifecycle.internal.DefaultLifecycleTaskSegmentCalculator.calculateTaskSegments(DefaultLifecycleTaskSegmentCalculator.java:103)
at org.apache.maven.lifecycle.internal.DefaultLifecycleTaskSegmentCalculator.calculateTaskSegments(DefaultLifecycleTaskSegmentCalculator.java:83)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:85)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:347)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:154)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:582)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:214)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:349)
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:231)
at org.eclipse.aether.internal.impl.DefaultRepositorySystem.readArtifactDescriptor(DefaultRepositorySystem.java:288)
at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:108)
... 23 more
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: Could not transfer artifact org.apache.maven.plugins:maven-clean-plugin:pom:2.5 from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:459)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:262)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:239)
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:334)
... 26 more
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact org.apache.maven.plugins:maven-clean-plugin:pom:2.5 from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$6.wrap(WagonRepositoryConnector.java:1016)
at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$6.wrap(WagonRepositoryConnector.java:1004)
at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:725)
at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:67)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.maven.wagon.TransferFailedException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:935)
at org.apache.maven.wagon.StreamWagon.getInputStream(StreamWagon.java:116)
at org.apache.maven.wagon.StreamWagon.getIfNewer(StreamWagon.java:88)
at org.apache.maven.wagon.StreamWagon.get(StreamWagon.java:61)
at org.eclipse.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:660)
... 4 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:280)
at org.apache.maven.wagon.providers.http.httpclient.impl.conn.HttpClientConnectionOperator.upgrade(HttpClientConnectionOperator.java:167)
at org.apache.maven.wagon.providers.http.httpclient.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:329)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:392)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec.execute(MainClientExec.java:218)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec.execute(RetryExec.java:85)
at org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.maven.wagon.providers.http.httpclient.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
at org.apache.maven.wagon.providers.http.httpclient.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:756)
at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:854)
... 8 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 33 more
The answer above is a good working solution, but here's how to do it if you want to use the SSL repo:
Use a browser (I used IE) to go to https://repo.maven.apache.org/
Click on lock icon and choose "View Certificate"
Go to the "Details" tab and choose "Save to File"
Choose type "Base 64 X.509 (.CER)" and save it somewhere
Now open a command prompt and type (use your own paths):
keytool -import -file C:\temp\mavenCert.cer -keystore C:\temp\mavenKeystore
Now you can run the command again with the parameter
-Djavax.net.ssl.trustStore=C:\temp\mavenKeystore
Under linux use absolute path
-Djavax.net.ssl.trustStore=/tmp/mavenKeystore
otherwise this will happen
Like this:
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false -Djavax.net.ssl.trustStore=C:\temp\mavenKeystore
Optional:
You can use the MAVEN_OPTS environment variable so you don't have to worry about it again. See more info on the MAVEN_OPTS variable here:
The fact is that your maven plugin try to connect to an https remote repository
(e.g https://repo.maven.apache.org/maven2/)
This is a new SSL connectivity for Maven Central was made available in august, 2014 !
So please, can you verify that your settings.xml has the correct configuration.
<settings>
<activeProfiles>
<!--make the profile active all the time -->
<activeProfile>securecentral</activeProfile>
</activeProfiles>
<profiles>
<profile>
<id>securecentral</id>
<!--Override the repository (and pluginRepository) "central" from the
Maven Super POM -->
<repositories>
<repository>
<id>central</id>
<url>http://repo1.maven.org/maven2</url>
<releases>
<enabled>true</enabled>
</releases>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>central</id>
<url>http://repo1.maven.org/maven2</url>
<releases>
<enabled>true</enabled>
</releases>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
</settings>
You can alternatively use the simple http maven repository like this
<pluginRepositories>
<pluginRepository>
<id>central</id>
<name>Maven Plugin Repository</name>
<url>http://repo1.maven.org/maven2</url>
<layout>default</layout>
<snapshots>
<enabled>false</enabled>
</snapshots>
<releases>
<updatePolicy>never</updatePolicy>
</releases>
</pluginRepository>
</pluginRepositories>
Please let me know if my solution works ;)
J.
You can use the -Dmaven.wagon.http.ssl.insecure=true option
Update
I just stumbled on this bug report:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760
It appears to be the cause of our problems here. Something with ca-certificates-java encountering an error and not fully populating cacerts. For me, this started happening after I upgraded to 15.10 and this bug probably occurred during that process.
The workaround is to execute the following command:
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
If you check the contents of the keystore (as in my original answer), you'll now see a whole bunch more, including the needed DigiCert Global Root CA.
If you went through the process in my original answer, you can clean up the key we added by running this command (assuming you did not specify a different alias):
sudo keytool -delete -alias mykey -keystore /etc/ssl/certs/java/cacerts
Maven will now work fine.
Original Answer
I'd just like to expand on Andy's answer about adding the certificate and specifying a keystore. That got me started, and combined with information elsewhere I was able to understand the problem and find another (better?) solution.
Andy's answer specifies a new keystore with the Maven cert specifically. Here, I'm going a bit more broad and adding the root certificate to the default java truststore. This allows me to use mvn (and other java stuff) without specifying a keystore.
For reference my OS is Ubuntu 15.10 with Maven 3.3.3.
Basically, the default java truststore in this setup does not trust the root certificate of the Maven repo (DigiCert Global Root CA), so it needs to be added.
I found it here and downloaded:
https://www.digicert.com/digicert-root-certificates.htm
Then I found the default truststore location, which resides here:
/etc/ssl/certs/java/cacerts
You can see what certs are currently in there by running this command:
keytool -list -keystore /etc/ssl/certs/java/cacerts
When prompted, the default keystore password is "changeit" (but nobody ever does).
In my setup, the fingerprint of "DigiCert Global Root CA" did not exist (DigiCert calls it "thumbprint" in the link above). So here's how to add it:
sudo keytool -import -file DigiCertGlobalRootCA.crt -keystore
/etc/ssl/certs/java/cacerts
This should prompt if you trust the cert, say yes.
Use keytool -list again to verify that the key exists. I didn't bother to specify an alias (-alias), so it ended up like this:
mykey, Dec 2, 2015, trustedCertEntry, Certificate fingerprint (SHA1):
A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
Then I was able to run mvn commands as normal, no need to specify keystore.
You can import the SSL cert manually and just add it to the keystore.
For linux users,
Syntax:
keytool -trustcacerts -keystore /jre/lib/security/cacerts
-storepass changeit -importcert -alias nexus -file
Example :
keytool -trustcacerts -keystore
/Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre/lib/security/cacerts
-storepass changeit -importcert -alias nexus -file ~/Downloads/abc.com-ssl.crt
I actually had the same problem.
when I run
mvn clean package
on my maven project, I get this certificate error by the maven tool.
I followed #Andy 's Answer till the point where I downloaded the .cer file
after that the rest of the answer didn't work for me but I did the following(I am running on Linux Debian machine)
first of all, run:
keytool -list -keystore "Java path+"/jre/lib/security/cacerts""
for example in my case it is:
keytool -list -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/cacerts
if it asks about the password, just hit enter.
this command is supposed to list all the ssl certificates accepted by the java.
when I ran this command, in my case I got 93 certificates for example.
Now add the downloaded file .cer to the cacerts file by running the following command:
sudo keytool -importcert -file /home/hal/Public/certificate_file_downloaded.cer -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/security/cacerts
write your sudo password then it will ask you about the keystore password
the default one is changeit
then say y that you trust this certificate.
if you run the command
keytool -list -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/cacerts
once again, in my case, I got 94 contents of the cacerts file
it means, it was added successfully.
This may not be the best solution. I changed my maven from 3.3.x to 3.2.x. And this issue gone.
Step 1: GET the contents of the Certificate of the website( you want to have it imported as a trusted root)
$ keytool -printcert -rfc -sslserver maven.2xoffice.com*
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIHJ73QrVnyJjANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxITAfBgNVBAoT
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMY
...
-----END CERTIFICATE-----
The -rfc option outputs the certificate chain in PEM-encoded format for easy import back into a keystore.
Step 2: Save the whole thing (including the BEGIN CERTIFICATE and END CERTIFICATE lines, which are significant in this case) as godaddyg2.pem and imported it into my trust store via:
Step 3: Import the certificate in the keystore( java trusted key store)
$ keytool -importcert -file ./godaddyg2.pem -keystore $JRE_LIB/lib/security/cacerts
It happens because your maven plugin try to connect to an HTTPS remote repository
(https://repo.maven.apache.org/maven2) or (https://repo1.maven.apache.org).
Some time ago, you could to change these URL's to use HTTP instead use HTTPS, but since January 15th 2020, these URL's doesn't work any more, only the HTTPS URL's.
As an easy way to fix this problem, you can use the insecure Maven URL in the settings.xml file. So, you need to change ALL of yours references above mencioned to: http://insecure.repo1.maven.org/maven2/
TIP: Your JAVA_HOME variable always needs to point to your JDK path, not to your JRE path, for example: "C:\Program Files\Java\jdk1.7.0_80".
If the situation is caused by a corporate firewall, and you are using Windows, your windows certificate store is likely configured to trust the firewall. You can tell Java to rely on the windows certificates by adding the option -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT to the command line, or your MAVEN_OPTS.
ymptom: After configuring Nexus to serve SSL maven builds fail with peer not authenticated or PKIX path building failed.
This is usually caused by using a self signed SSL certificate on Nexus. Java does not consider these to be a valid certificates, and will not allow connecting to server's running them by default.
You have a few choices here to fix this:
Add the public certificate of the Nexus server to the trust store of the Java running Maven
Get the certificate on Nexus signed by a root certificate authority such as Verisign
Tell Maven to accept the certificate even though it isn't signed
For option 1 you can use the keytool command and follow the steps in the below article.
Explicitly Trusting a Self-Signed or Private Certificate in a Java Based Client
For option 3, invoke Maven with -Dmaven.wagon.http.ssl.insecure=true. If the host name configured in the certificate doesn't match the host name Nexus is running on you may also need to add -Dmaven.wagon.http.ssl.allowall=true
Note: These additional parameters are initialized in static
initializers, so they have to be passed in via the MAVEN_OPTS
environment variable. Passing them on the command line to Maven will
not work.
See here for more information:
A quick solution is add this code in your pom.xml:
<repositories>
<repository>
<id>central</id>
<name>Maven Plugin Repository</name>
<url>http://repo1.maven.org/maven2</url>
<layout>default</layout>
<snapshots>
<enabled>false</enabled>
</snapshots>
<releases>
<updatePolicy>never</updatePolicy>
</releases>
</repository>
</repositories>
Where never is for avoid the search a certified.
What worked for me:
Configure <proxy> settings in ${MAVEN_HOME}/conf/settings.xml:
(Note: For others, it worked when they configured ${user.home}/.m2/settings.xml. If there is no settings.xml in user.home, just copy it from conf/ in the maven directory.)
<!-- proxies
| This is a list of proxies which can be used on this machine to connect to the network.
| Unless otherwise specified (by system property or command-line switch), the first proxy
| specification in this list marked as active will be used.
|-->
<proxies>
<!-- proxy
| Specification for one proxy, to be used in connecting to the network.
|
<proxy>
<id>optional</id>
<active>true</active>
<protocol>http</protocol>
<username>proxyuser</username>
<password>proxypass</password>
<host>proxy.host.net</host>
<port>80</port>
<nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>
-->
<proxy>
<id>my-proxy</id>
<active>true</active>
<protocol>http</protocol>
<username></username>
<password></password>
<host>my.proxy.host.com</host>
<port>8080</port>
<nonProxyHosts></nonProxyHosts>
</proxy>
</proxies>
Then point pom.xml to download from http maven central repo:
<project>
...
<repositories>
<repository>
<id>central</id>
<name>Maven Plugin Repository</name>
<url>http://repo1.maven.org/maven2</url>
<layout>default</layout>
<snapshots>
<enabled>false</enabled>
</snapshots>
<releases>
<updatePolicy>never</updatePolicy>
</releases>
</repository>
</repositories>
...
</project>
You may also need to configure http proxy in your IDE. For VSCode in settings.json:
{
...
"http.proxy": "http://my/proxy/script/address/my-proxy.pac",
...
}
For Win10: Start/Search > Network proxy settings > Script address
Sources:
Maven proxy settings not working
https://www.mkyong.com/maven/how-to-enable-proxy-setting-in-maven/
https://maven.apache.org/guides/mini/guide-proxies.html
https://maven.apache.org/settings.html#Proxies
https://maven.apache.org/guides/introduction/introduction-to-repositories.html
I was getting the same error about the SSL certificate when Maven tried to download the necessary modules automatically.
As a remedy, I was attempting to implement Luke's answer above, but found that the DigiCert Global Root CA certificate is already in Java's trusted keystore.
What helped me was adding %JAVA_HOME%\bin to the Path variable (I am running Windows). And %JAVA_HOME% is a JDK location, not just a JRE location, since Maven needs a JDK.
I am not certain why it helped, but it did. I am absolutely sure that this was the only thing I changed.
If this issue happens for the HTTPS repository, f.e. https://repo.spring.io/milestone you can just try to replace with non secured: http://repo.spring.io/milestone.
And that's it
After creating the keystore mentioned by #Andy.
In Eclipse, i added the jvm args and it worked.
If you don't have the *.crt file and have access to maven web app (nexus etc),
The solution is (For firefox browser) :
Go to browser and access to themavenrepo.com
Click the lock icon in the top bar
Click 'Connection Secure' and then click 'More Information'
Click to 'Security' tab and click 'View Certificate'
in 'Miscellaneous' part, click the 'pem(cert)' to download
Go to terminal and run : openssl x509 -outform der -in downloaded.pem -out whatevernameyouwant.crt
sudo keytool -importcert -file whatevernameyouwant.crt -alias randomaliasname -keystore {your_java_installation_dir}/jre/lib/security/cacerts -storepass changeit
I ran into this problem in the same situation, and I wrote up a detailed answer to a related question on stack overflow explaining how to more easily modify the system's cacerts using a GUI tool. I think it's a little bit better than using a one-off keystore for a specific project or modifying the settings for maven (which may cause trouble down the road).
Even though I was putting the certificates in cacerts, I was still getting the error.
Turns our I was putting them in jre, not in jdk/jre.
There are two keystores, keep that in mind!!!
The issue, I got is
Earlier, I was using jdk 1.8.0_31 with certificate installed.
I switched to jdk 1.8.0_191 but did not install certificate.
But, my projects were working fine, I realized that their dependencies were downloaded already. So, they would only compile and package those projects.
But, this did not work for new maven projects as their dependencies were not downloaded earlier.
Solution::
Switch to earlier jdk version(which had certificate already installed) for your new project and do clean install
Download certificate again for the new jdk version that you have recently switched to and then do clean install
Just another cause:
If you open Charles, you could also met this problem, in this case just quit Charles.
I had the same problem with SSL and maven. My companies IT policy restricts me to make any changes to the computers configuration, so I copied the entire .m2 from my other computer and pasted it .m2 folder and it worked.
.m2 folder is usually found under c\user\admin
Just a little beyond what Andy has put out.
You need to take the top most (root) certificate in case you happen to find a chain.
Took me one day to figure out.
The maven.config file under .mvn diretory with the settings as given in MAVEN_OPTS to ignore SSL worked for me
I simply used new java version and it worked for me.
Related
While the maven build is successful I am unable to import the dependencies to the project in IntelliJ. Below is the error its showing:
Could not transfer artifact com.sun.activation:jakarta.activation:pom:1.2.1 from/to central (https://XXXXXXXXXXXXXXXX/XXXXXX/XXXXXXXXXXXXXXX): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The server XXXXXXXXXXXXXXXX that you are collecting dependencies from has a self signed certificate so SSL comms cannot be established.
The server certificate needs to be added to java CACERTS. That way your maven will 'trust' the server and allow SSL.
To get the cert from XXXXXXXXXXXXXXXX you do this
You can add the cert to CACERTS with java keytool as follows: (assuming your java is at D:\Java and your cert is in a file called repo.cer
"D:\Java\bin\keytool.exe" -import -alias repo -keystore "D:\Java\jre\lib\security\cacerts" -storepass changeit -file repo.cer
Trust this certificate? [no]: answer is y
Success is indicated with: "Certificate was added to keystore"
Then set this JDK in Settings (Preferences on macOS) | Build, Execution, Deployment | Build Tools | Maven | Importing | JDK for importer in IDE.
I'm using a custom artifacotry repository on which I deploy my projects.
This is working fine when I'm working on my local machine but I've enable the AutoDevOps feature of Gitlab and integrate my project with a Kubernetes cluster.
The kubernetes cluster is managed by rancher.
The issue is that the build runned on Gitlab is failing with the following error:
Plugin org.apache.maven.plugins:maven-resources-plugin:2.6 or one of
its dependencies could not be resolved: Failed to read artifact
descriptor for
org.apache.maven.plugins:maven-resources-plugin:jar:2.6: Could not
transfer artifact
org.apache.maven.plugins:maven-resources-plugin:pom:2.6 from/to
adibox-snapshots
(https://artifactory.mydomain.com/artifactory/libs-snapshot): Transfer
failed for
https://artifactory.mydomain.com/artifactory/libs-snapshot/org/apache/maven/plugins/maven-resources-plugin/2.6/maven-resources-plugin-2.6.pom:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target -> [Help 1]
If it was running on a local machine I know I could add the certificate to the java keystore by using keytool command lines. But I do not find where, in case of the AutoDevOps I could add the certificate. My best guess would be to add it on the Runner machine but I do not have any control on it as it's managed by Gitlab.
Any help is welcome.
Thanks.
I fixed it by adding
before_script:
- keytool -importcert -file artifactory.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt
in my .gitlab-ci.yml file.
It will add the certificate to the Gitlab-Runner.
My machine is using proxy to connect internet. But I get the following error when running maven build command. And it works when I disable proxy. I don't understand why proxy matters here.
[ERROR] Failed to execute goal on project flink-dist_2.11: Could not resolve dependencies for project org.apache.flink:flink-
dist_2.11:jar:1.7-SNAPSHOT: Failed to collect dependencies at
org.apache.flink:flink-shaded-hadoop2-uber:jar:1.7-SNAPSHOT:
Failed to read artifact descriptor for org.apache.flink:flink-shaded-hadoop2-uber:jar:1.7-SNAPSHOT:
Could not transfer artifact
org.apache.flink:flink-shaded-hadoop2-uber:pom:1.7-SNAPSHOT from/to apache.snapshots (https://repository.
apache.org/snapshots): Remote host closed connection during handshake: SSL peer shut down incorrectly -> [Help 1]
Have you tried the settings.xml at ${user.home}/.m2/settings.xml , more guidance here https://maven.apache.org/guides/mini/guide-proxies.html
in windows7 and above it would be c:\users\user_name\.m2
Maven is trying to connect to a remote repository in order to downlod your project dependencies in its local repository. That's a network connection and obviously, your proxy configuration makes Maven fail in the attempt.
Remote host closed connection during handshake: SSL peer shut down incorrectly :
This indicates that the server host that your are trying to achieve is down, verify first if the connection is well established and try again.
May be try this by configuring Mavan accordingly for using the proxy server:- https://dzone.com/articles/how-get-maven-working-through
I faced to the same problem at my work where we have Windows workstations and NTLM2 proxy server with authentication.
The following solution works fine for me. The benefit of this solution is that it can work with Maven, Git, IntelliJ IDE as well.
Reccomended steps you need to accomplish in order to have access via NTLM2 proxy:
First you need to download, configure and run Cntlm proxy on your pc.
Start Cntlm on your localhost. This proxy will forward all your local unauthenticated HTTP/HTTPS requests to the company proxy as a authenticated requests.
Configure Maven, Git, IntelliJ, Eclipse, etc. to use your local proxy on localhost:3128. You do not need to configure authentication here.
Details:
Download Cntlm proxy from here.
Type cntlm.exe -H -d your_domain -u your_username.
It will ask your password. Enter it and Cntlm will give you the hashes, something like this:
Password:
PassLM 4E9C185932FER43543RWEFER33R4R34C
PassNT 6E9F1254353RDR34RFSDWER3443RDC9A
PassNTLMv2 43534RFWDWE3434RWFWER434C4FA224F
Edit / check your cntlm.ini file
Username <your-domain-username>
Domain <windows-donain-name>
Auth NTLMv2
PassNTLMv2 <hash>
Proxy <proxy-host:port>
NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
Listen 3128
Start Cntlm with a simple script: start-proxy.cmd
cd %CNTLM_HOME%
rem verbose mode
cntlm -v -c cntlm.ini
rem verbose with logfile
rem cntlm -v -c cntlm.ini -T %CNTLM_HOME%\nctlm.log
rem test configuration
rem cntlm -c cntlm.ini -I -M http://google.com
Stop Cntlm server: stop-proxy.cmd
taskkill /IM cntlm.exe /F
Then you can create two cmd files which change Maven configuration as per your flavour:
mvn-internet.cmd
call java8.cmd
del %MAVEN_HOME%\conf\settings.xml
copy %MAVEN_HOME%\conf\settings.xml.internet %MAVEN_HOME%\conf\settings.xml
mvn-intranet.cmd
call java8.cmd
del %MAVEN_HOME%\conf\settings.xml
copy %MAVEN_HOME%\conf\settings.xml.nexus %MAVEN_HOME%\conf\settings.xml
settings.xml.internet
<settings xmlns=...>
<localRepository>...</localRepository>
<proxies>
<proxy>
<id>my-proxy</id>
<active>true</active>
<protocol>http</protocol>
<host>localhost</host>
<port>3128</port>
<nonProxyHosts>locahost</nonProxyHosts>
</proxy>
</proxies>
</settings>
settings.xml.nexus
<settings>
<localRepository>...</localRepository>
<mirrors>
<mirror>
<id>local-lalm</id>
<name>local-lalm</name>
<url>https://nexus.xxx...</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>
<profiles>
<profile>
<id>use-local-repo</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>LALM-global</id>
<url>https://nexus.xxx...</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>LALM-global</id>
<url>https://nexus.xxx...</url>
</pluginRepository>
</pluginRepositories>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
</profile>
</profiles>
</settings>
Do the same with Git
git-internet.cmd
call java8.cmd
rem git config --global http.proxy username:password#localhost:3128
git config --global http.proxy localhost:3128
git-intranet.cmd
call java8.cmd
git config --global --unset http.proxy
Cunfigure IntelliJ
Set up IntelliJ to use proxy on localhost:3128
Set up Maven in IntelliJ: change Maven home directory and User settings file configs.
After that you will use the same Maven configuration within IntelliJ and command line so everythink will work on the same way from IDE and comand line.
You can use your new cmd files to change between use or not proxy server on the fly.
This configuration takes 10 mins. and after that you can forgot this proxy issue.
Ok, I have a java 6 project , in mac high sierra, project with a mongo dependency.
repositories {
mavenCentral()
}
dependencies {
compile 'org.mongodb:mongo-java-driver:2.14.3'
}
I get an ssl error when building it using gradle as follows:
FAILURE: Build failed with an exception.
What went wrong:
Could not resolve all dependencies for configuration ':runtime'.
Could not resolve org.mongodb:mongo-java-driver:2.14.3.
Required by:
:buildSrc:unspecified
Could not GET 'https://repo1.maven.org/maven2/org/mongodb/mongo-java-driver/2.14.3/mongo-java-driver-2.14.3.pom'.
peer not authenticated
org.gradle.api.artifacts.ResolveException: Could not resolve all dependencies for configuration ':runtime'.
...
Caused by: org.gradle.internal.resource.transport.http.HttpRequestException: Could not GET 'https://repo1.maven.org/maven2/org/mongodb/mongo-java-driver/2.14.3/mongo-java-driver-2.14.3.pom'.
...
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
I tried importing the security certificate into the cacerts but this didn't do it.
#from /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home//lib/security/
openssl s_client -showcerts -connect repo1.maven.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mavencert.pem
# from ~
$JAVA_HOME/bin/keytool -import -alias mavencert -keystore cacerts -file $JAVA_HOME/lib/security/mavencert.pem
# enter password: changeit
Upgrading to a never version of java is not a posiblity.
Please help.
The connection to https://repo1.maven.org using Java 6 fails because of the Java version you have installed does not support TLS1.2 and repo1.maven.org only supports TLS 1.2 connections.
If you really want to continue using Java 6 you need to install Java SE Development Kit 6, Update 111 or newer.
IMHO you should delete Java 6 (it is outdated and insecure) and install a current Oracle Java version. I assume your version is the one provided by Apple - AFAIK Apple has stopped support for their Java version. Therefore you should no longer use it.
I did with following steps but its throwing exception:
1.I have installed openam 10.0.0 on windows server 2003.
2.Configured tomcat with ssl on the same windows server machine.
3.It is configured correctly and openam url is accessible with https.
4.Installed openam client sdk on another machine which is ubuntu machine and from that ubuntu machin i am trying to login to openam server using
AuthContext lc = new AuthContext("/","https://server.ensarm.com:8443/openam/namingservice");
AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
lc.login(indexType, "DataStore");
return lc;
But i am getting following exception:
ERROR: Naming service connection failed for https://server.ensarm.com:8443/openam/namingservice
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I didn't understand what could be the problem.Is it due to to my java keystore (needed for ssl configuration) is on windows server machine and i have no keystore on ubuntu machine,
OR
need to import keystore into ubuntu machine.?? Please can anyone help me to get out of this.
“javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:”
It means the server does not have a valid certificate from an Authorized CA.
You are facing this exception because you are try to connect through SSL (https). You would need to import the server certificate into the JRE KeyStore.
Perform the following steps to resolve it:
Getting the certificate: Type the URL (e.g. https://server.ensarm.com:8443/openam/namingservice) in your browser.
You will now probably see a dialog box warning you about the certificate. Now click on the 'View Certificate' and install the certificate. Ignore any warning messages.
Next step would be to install export the certificate and installing it in the jre keystore. Use keytool certificate management utility to perform thishttp://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html .
Exporting certificate: Go to Tools->'Internet Options' ->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities". Select the right one and click on 'export'. You can now save it (DER encoded binary) as e.g. mycert.cer.
Go to JRE\BIN and use the keytool -import command to import the file into your cacerts keystore.
E.g. keytool --import -alias MYCA -keystore ..\lib\security\cacerts -file c:\mycert.cer.
Enter keystore password: (by default it will be “changeit”).Input “yes” to the prompts.
Run command keytool -list -keystore ..\lib\security\cacerts . You will now see a list of all the certificates including the one you just added.