Maven - unable to find valid certification path

Question

I'm new to maven and am having trouble adding a dependency (sl4j). I was given this project which was apparently converted to maven from ant. Btw, a clean install doesn't work. Here's the pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.xxx.tools</groupId>
    <artifactId>someName</artifactId>
    <version>1.0</version>
    <name>A Name</name>
    <description>Description</description>

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-shade-plugin</artifactId>
                <version>3.1.0</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>shade</goal>
                        </goals>
                        <configuration>
                            <transformers>
                                <transformer
                                    implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                                    <mainClass>com.MyClient</mainClass>
                                </transformer>
                            </transformers>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

It give the following message on a clean install:

`ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:3.1.0:shade (default) on project xxxx: Execution default of goal org.apache.maven.plugins:maven-shade-plugin:3.1.0:shade failed: Plugin org.apache.maven.plugins:maven-shade-plugin:3.1.0 or one of its dependencies could not be resolved: Failed to collect dependencies at org.apache.maven.plugins:maven-shade-plugin:jar:3.1.0 -> org.apache.maven:maven-plugin-api:jar:3.0 -> org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2 -> org.codehaus.plexus:plexus-component-annotations:jar:1.6: Failed to read artifact descriptor for org.codehaus.plexus:plexus-component-`annotations:jar:1.6: Could not transfer artifact org.codehaus.plexus:plexus-component-annotations:pom:1.6 from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help

Answer 1

If you're working in Intellij IDEA just place into [Maven > Importing > VM Options for importer] field

-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true

You have to do it event if you're using .mvn/maven.config file (at Maven tab) with similar content.

Answer 2

Before istalling the keytool in your jdk you can download .crt file from browser

open the URL is browser click the URL left lock icon

then click connection is secure: and click right side crt icone just before close icon

click the detail on popup and click on Export button and save the file on your drive

After saving the file your can use the keytool to store the certificate in you jdk

keytool -trustcacerts -keystore "$env:JAVA_HOME\lib\security\cacerts" -storepass changeit -importcert  -file "$env:TEMP\repo.maven.apache.org.crt"

Answer 3

I know it's quite late to answer this, but if some one like me reaches this point, then for JDK11 and maven 3.6.3 (recently @mavaddat-javid verified using Maven 4.0.0-alpha-4 and JDK 19.0.2) you can use the following:

1. Open the link of your secured Artifactory in a browser (e.g., https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-archetype-plugin/3.1.2/maven-archetype-plugin-3.1.2.pom)
2. Download the certificate in "DER-encoded binary, single certificate format"
3. If you have same JDK in your path then run the following command otherwise first navigate to %JAVA_HOME%\bin then run this command :

keytool -trustcacerts -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit -importcert -alias <alias_name> -file <path_to_crt_file>

for example in PowerShell (cd $env:JAVA_HOME\bin first):

keytool -trustcacerts -keystore "$env:JAVA_HOME\lib\security\cacerts" -storepass changeit -importcert  -file "$env:TEMP\repo.maven.apache.org.crt"

where -alias <alias_name> is an optional alias param (you can choose to omit).

4. Please note that it started working only after adding the certificate to cacert file under %JAVA_HOME%\lib\security not under %JAVA_HOME%\jre\lib\security

Answer 4

Your Maven is trying to download an indirect dependency from Maven Central Repository located at https://repo.maven.apache.org/maven2, which is a secured HTTP server (HTTPS). Maybe there's some certificate issue on your Java installation or some security rule on you network infrastructure preventing the access.

First try to access that very URL on you browser and check if it's operational. If you can access the website, the problem is not on your network. Problably you'll need to fix your Java trusted certificates list somehow in order to accept that server. Have a look at this question/answer: "PKIX path building failed" and "unable to find valid certification path to requested target"

But if you really can't access the Maven Central Repo with HTTPS from your browser, maybe it's because you are behind some proxy rule that is keeping you from download the server certificate. Of course it won't work with Maven either. Then, have a look at this another question/answer: Problems using Maven and SSL behind proxy

Answer 5

So for the many of us behind a corporate proxy - there are always issues.

In this case my corporate proxy's certificate was not in my Java cacerts file but it was in my browser's trust store.

I solved this error by the following process (in October 2022 - no future guarantees here).

1. Open the missing download as a link in my browser (Chrome Version 106.0.5249.103 (Official Build) (64-bit))
2. Open the security context menu by clicking on the lock icon next to the URL
3. Expand "Connection is Secure"
4. Click on "Certificate is Valid"
5. Go to the "Details" tab and click "Export"

This created a crt file in my Downloads folder. Now I need to add the .crt file to my java cacerts (NOTE: this should the version of java that Maven or other build tool runs in - in my case in Intellij IDEA it is in the "Project Structure" settings. You may have multiple instances of Java and a separate cacerts file in each.)

Next I used "keytool" to import the .crt file into my cacerts file - I followed this Stack Overflow answer: how to add .crt file to keystore and trust store.

keytool -trustcacerts -keystore "cacerts" -storepass changeit -importcert -alias testalias -file "/opt/ssl/test.crt"

Modifying the paths and passwords as needed to match my situation.

A shortcut for identifying the location of the cacerts file is %JAVA_HOME%/lib/security (on windows command prompt) or $env:JAVA_HOME/lib/security in PowerShell. This will only work if your JAVA_HOME is set to match your IDE Project's settings. If you're building in an IDE (and who isn't?) then the IDE will control the Java environment used to run Maven (or other build tool).

As soon as I imported the .crt file of my corporate proxy into the correct cacerts file - my Maven builds started working again.

One day in the future - I would like to simply tell my IDE and Java to simply grab whatever trust store my company configures in my browser. That technology would be like magic.

Answer 6

Try the build project by pointing to correct certificate

mvn clean install -Djavax.net.ssl.trustStore=<path to certificate>