Giorgi Tsiklauri

Reputation: 11110

Maven: Failed to retrieve plugin descriptor and peer not authenticated errors despite the settings.xml having repositories configured with HTTPS

I have Maven 3.0.5 with Java 8 setup (that's for particular project and stack versions won't be revised).

I'm aware of Apache's new decision to force all the Maven repositories to only use HTTPS, otherwise Maven clients won't be able to speak to the repository servers.

It seems like I have configured all necessary settings in ~/.m2/settings.xml, but for some reason, when I run any build phase (say mvn clean), Maven defaults to HTTP and doesn't care about settings.xml - it still attempts to download references/dependencies with the HTTP protocol.

Example of my settings.xml (For simplicity, I removed project specific things and left only problem-related stuff):

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo1.maven.org/maven2/</url>
    </repository>

    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </repository>
  </repositories>
</settings>

and here is what I'm getting when I do mvn archetype:generate, just to test the behaviour of Maven (the problem is persistent for any other command that tries to reach servers out):

[INFO] Scanning for projects... 

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-clean-plugin:2.5: Plugin org.apache.maven.plugins:maven-clean-plugin:2.5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-clean-plugin:jar:2.5

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-install-plugin/2.3/maven-install-plugin-2.3.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-install-plugin:2.3: Plugin org.apache.maven.plugins:maven-install-plugin:2.3 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-install-plugin:jar:2.3

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-deploy-plugin/2.7/maven-deploy-plugin-2.7.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-deploy-plugin:2.7: Plugin org.apache.maven.plugins:maven-deploy-plugin:2.7 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-deploy-plugin:jar:2.7

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-site-plugin/3.0/maven-site-plugin-3.0.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-site-plugin:3.0: Plugin org.apache.maven.plugins:maven-site-plugin:3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-site-plugin:jar:3.0

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-antrun-plugin/1.3/maven-antrun-plugin-1.3.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-antrun-plugin:1.3: Plugin org.apache.maven.plugins:maven-antrun-plugin:1.3 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-antrun-plugin:jar:1.3

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-assembly-plugin/2.2-beta-5/maven-assembly-plugin-2.2-beta-5.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5: Plugin org.apache.maven.plugins:maven-assembly-plugin:2.2-beta-5 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-assembly-plugin:jar:2.2-beta-5

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-dependency-plugin/2.1/maven-dependency-plugin-2.1.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-dependency-plugin:2.1: Plugin org.apache.maven.plugins:maven-dependency-plugin:2.1 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-dependency-plugin:jar:2.1

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-release-plugin/2.0/maven-release-plugin-2.0.pom
[WARNING] Failed to retrieve plugin descriptor for org.apache.maven.plugins:maven-release-plugin:2.0: Plugin org.apache.maven.plugins:maven-release-plugin:2.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-release-plugin:jar:2.0

Downloading: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml

Downloading: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml

[WARNING] Could not transfer metadata org.apache.maven.plugins/maven-metadata.xml from/to central (http://repo.maven.apache.org/maven2): Failed to transfer file: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml. Return code is: 501 , ReasonPhrase:HTTPS Required.

[WARNING] Could not transfer metadata org.codehaus.mojo/maven-metadata.xml from/to central (http://repo.maven.apache.org/maven2): Failed to transfer file: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml. Return code is: 501 , ReasonPhrase:HTTPS Required.

[WARNING] Failure to transfer org.apache.maven.plugins/maven-metadata.xml from http://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced.

Original error: Could not transfer metadata org.apache.maven.plugins/maven-metadata.xml from/to central (http://repo.maven.apache.org/maven2): Failed to transfer file: http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-metadata.xml. Return code is: 501 , ReasonPhrase:HTTPS Required.

[WARNING] Failure to transfer org.codehaus.mojo/maven-metadata.xml from http://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced.

Original error: Could not transfer metadata org.codehaus.mojo/maven-metadata.xml from/to central (http://repo.maven.apache.org/maven2): Failed to transfer file: http://repo.maven.apache.org/maven2/org/codehaus/mojo/maven-metadata.xml. Return code is: 501 , ReasonPhrase:HTTPS Required.

What shall I do? As you see, it still uses HTTP, and I, correspondingly, get HTTP 501.

Upvotes: 3

Views: 5849

Answers (3)

Giorgi Tsiklauri

Reputation: 11110

There were two problems:

Problem 1:
[WARNING] Failed to retrieve plugin descriptor for .. (whatever plugin name) warnings during almost any build phase, which say that (important!) the retrieval of plugin descriptors or their dependencies (which means plugins, and not the project dependencies!) is not succeeding.

Here, Maven attempts to communicate with the end-point machine (repository) via HTTP, despite the fact(!), that I have customized my configuration .m2\settings.xml file and all the repository definition entries are with HTTPS, respectively, seems like Maven should be trying everything via HTTPS ..but no, it uses HTTP for plugins, and any HTTP communication with Maven repositories is forbidden since the 15th of January, 2020.

The way I resolved this is to define and configure <profiles/> and <pluginRepositories/> as @carlspring suggested, but I had to elaborate and expand that answer a bit.

So, here is my ready working settings.xml example: (note, that just to be safe, I provided alternative repositories in both - profiles and repositories)

<settings
        xmlns="http://maven.apache.org/SETTINGS/1.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
        https://maven.apache.org/xsd/settings-1.0.0.xsd">

    <profiles>
        <profile>
            <id>ssl-profile</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>

            <repositories>
                <repository>
                    <id>central-1</id>
                    <url>https://repo1.maven.org/maven2</url>
                    <snapshots>
                        <enabled>false</enabled>
                    </snapshots>
                </repository>
            </repositories>
            
            <pluginRepositories>
                <pluginRepository>
                    <id>central-2</id>
                    <url>https://repo1.maven.org/maven2</url>
                    <snapshots>
                        <enabled>false</enabled>
                    </snapshots>
                </pluginRepository>
            </pluginRepositories>
        </profile>

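        <!-- Note: the settings.xml schema defines <repositories> only inside a <profile>;
             this block sits directly under <profiles>. -->
        <repositories>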
            <repository>
                <id>central1</id>
                <url>https://repo1.maven.org/maven2/</url>
            </repository>
            <repository>
                <id>central2</id>
                <url>https://repo.maven.apache.org/maven2/</url>
            </repository>
        </repositories>
    </profiles>
</settings>

After this was resolved, and finally Maven attempted to connect to all the repositories via HTTPS, I then had another,

Problem 2:
peer not authenticated followed by Return code is: 501 , ReasonPhrase:HTTPS Required.

This was a bit tricky, but the way of solving this is to play with truststore cacerts file.

First, check whether you have the truststore file cacerts and whether it's empty. It must NOT be empty and this is very important.

It seems like, in the OpenJDK 11 and in some other builds for Windows/Linux systems, cacerts file is either missing or present, but empty; however, according to my observation, it was present in Oracle JDK builds.

  • On Windows builds, it should be under %JAVA_HOME%\lib\security\;
  • On Linux builds, it may vary (depending on Linux distribution and your setup), but in my case, it was under /etc/ssl/certs (and I think that's Linux's certificates folder, not particularly Java's one).

If you see that the cacerts file is either absent or empty (simply check the file size, it should be larger than a few bits), you can either:

  • Simply copy-paste existing cacerts file from some other JDK/JRE build;
  • Generate a cacerts truststore file and add certificate(s) to it. In this case, you will need to add as many certificates as you need, so, maybe it's easier to go with just a copy-paste variant.

I hope this helps.

Upvotes: 1
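The "absent or empty" truststore check from Problem 2, done without keytool by reading the keystore header. This is an added example, not code from the answer; the function names are illustrative, it assumes a JKS-format cacerts, and the jre/lib/security path is the JDK 8 layout rather than a location the answer names.

```python
import os
import struct
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED  # first four bytes of a JKS-format keystore

def truststore_status(path):
    """Return (state, entry_count) for a cacerts file without needing keytool."""
    p = Path(path)
    if not p.is_file():
        return ("missing", None)
    header = p.read_bytes()[:12]
    if not header:
        return ("zero-length", None)
    if len(header) < 12:
        return ("unknown-format", None)
    # JKS header: magic, format version, number of entries (big-endian uint32 each).
    magic, _version, count = struct.unpack(">III", header)
    if magic != JKS_MAGIC:
        return ("unknown-format", None)  # e.g. PKCS12: list it with keytool instead
    return ("empty" if count == 0 else "ok", count)

def candidate_paths(java_home):
    """Locations to try: lib/security is the path named in the answer; the jre/
    variant is the JDK 8 layout (an assumption about the install)."""
    home = Path(java_home)
    return [home / "lib" / "security" / "cacerts",
            home / "jre" / "lib" / "security" / "cacerts"]

def report(java_home):
    """Map each candidate path to its status so an absent or empty store stands out."""
    return {str(p): truststore_status(p) for p in candidate_paths(java_home)}

if __name__ == "__main__":
    for path, status in report(os.environ.get("JAVA_HOME", ".")).items():
        print(path, status)
```

A cacerts file copied from another JDK brings that build's trust anchors with it; `keytool -list -keystore <path>` shows which CAs the build will then accept.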

carlspring

Reputation: 32597

In your case, it seems to be working for dependencies, but not for plugins. You need to define a <profile> that is activeByDefault and contains a <pluginRepositories/> section for both snapshot and releases.

Maven has two types of repositories:

  • For dependencies

  • For plugins

The <mirrorOf> section only handles dependency repositories.

Upvotes: 2
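The split between dependency and plugin repositories described in this answer, turned into a check over a settings.xml. This is an added example, not code from the thread; the sample document and the name audit_settings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's layout (top-level <repositories>) plus a
# profile that lists a dependency repository over HTTP and no plugin repository.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo1.maven.org/maven2/</url></repository>
  </repositories>
  <profiles>
    <profile>
      <id>legacy</id>
      <repositories>
        <repository><id>central</id><url>http://repo.maven.apache.org/maven2</url></repository>
      </repositories>
    </profile>
  </profiles>
</settings>"""

def local(tag):
    """Strip the XML namespace so the check works for SETTINGS/1.0.0 and 1.1.0."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text):
    """Return a list of findings for a Maven settings.xml document."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        name = local(el.tag)
        # In settings.xml, repository lists are only defined inside a <profile>.
        if name in ("repositories", "pluginRepositories") and local(parent[el].tag) != "profile":
            findings.append(f"<{name}> under <{local(parent[el].tag)}> is outside any <profile>")
        # Plaintext URLs are unauthenticated and get HTTP 501 from Central.
        if name == "url" and (el.text or "").strip().lower().startswith("http://"):
            findings.append(f"plaintext URL in <{local(parent[el].tag)}>: {el.text.strip()}")
        # A profile covering dependencies but not plugins leaves plugin downloads
        # on Maven's built-in default, as in the question's log.
        if name == "profile":
            kids = {local(c.tag) for c in el}
            if "repositories" in kids and "pluginRepositories" not in kids:
                pid = next((c.text for c in el if local(c.tag) == "id"), "?")
                findings.append(f"profile '{pid}' has <repositories> but no <pluginRepositories>")
    return findings

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print(finding)
```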

khmarbaise

Reputation: 97359

I would suggest to go the following path:

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">

  <mirrors>
    <mirror>
      <id>central</id>
      <name>central</name>
      <url>https://repo1.maven.org/maven2/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

</settings>

This will redirect all requests via the above URL. If you have a repository manager inside of your corporate environment it's better to use this one and let the repo manager handle the https stuff.

Also, upgrade Maven to the most recent version, 3.6.3. I suppose you are not using the most recent versions of plugins, which I strongly recommend upgrading; there have been a lot of improvements.

Upvotes: 0
