How to tell Maven to disregard SSL errors (and trusting all certs)?

Question

I frequently need to run "mvn" command :

mvn -f pom.xml clean install -Dmaven.test.skip=false --settings /Users/myhome/settings.xml -X -Djavax.net.ssl.trustStore=/Users/myhome/truststore.jks -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=dummy -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -U

As I need to integrate with various other domains, so currently every time I have to add their certificate to my truststore.jks to prevent SSL handshake errors.

Is there any way I can configure mvn to ignore SSL errors.

score 375 · Accepted Answer · edited Mar 07 '23 at 20:24

375

You can disable SSL certificate checking by adding one or more of these command line parameters:

-Dmaven.wagon.http.ssl.insecure=true - enable use of relaxed SSL check for user generated certificates.
-Dmaven.wagon.http.ssl.allowall=true - enable match of the server's X.509 certificate with hostname. If disabled, a browser like check will be used.
-Dmaven.wagon.http.ssl.ignore.validity.dates=true - ignore issues with certificate dates.
Dmaven.resolver.transport=wagon - In Maven 3.9.0 and newer, they've switched to using Apache HttpClient 4 by default. You need to use this to switch back to wagon for the above flags to work.

Official documentation: http://maven.apache.org/wagon/wagon-providers/wagon-http/

Here's the oneliner for an easy copy-and-paste:

-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true

Ajay Gautam suggested that you could also add the above to the ~/.mavenrc file as not to have to specify it every time at command line:

$ cat ~/.mavenrc 
MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true"

edited Mar 07 '23 at 20:24

ArtOfWarfare

20,617
19
137
193

answered Jan 21 '14 at 18:49

rec

10,340
3
29
43

2

I have spring boot /maven project and I am using maven-jaxb2-plugin to generate sources of a webservice. but the certificate expired. So I tried running the maven generate sources with the above agruments in Eclipse. But I still get the error " timestamp check failed " any idea how to solve it in an eclipse / maven environment. – Mukun Feb 16 '16 at 04:50
31

The answer does not work for me. I am using maven 3.5.0 and the exceptions I received was `PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target`. Does wagon work with MAven 3.5.0? – thlim May 22 '17 at 08:56
Instead, I created a truststore jks and pointed maven to this jks file. – thlim May 22 '17 at 09:54
3

By Installing the Java Cryptography Extension (JCE) Unlimited Strength (for [JDK7](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) | for [JDK8](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)) fix issue for me on maven 3.5.0 – skadya Aug 04 '17 at 12:22
1

Using netbeans 6.8 I added the options to the netbeans maven options under 'Global Execution Options' through the UI and I was able to download from repositories using https. – Dan675 Oct 15 '17 at 23:11
1

With Maven 3.3.9 this does not work. I had to use Richard's answer below, adding the insecure mirror to my settings.xml. – Mike Jun 11 '18 at 13:35
Dan675, Works like a charm! – dimson Jan 23 '20 at 10:22
Where to add those proprieties? – Salman Nov 08 '20 at 11:17
2

Please note that `maven.wagon.http.ssl.ignore.validity.dates=true` only works once you set `maven.wagon.http.ssl.insecure=true` as well. – Björn Zurmaar Jan 08 '21 at 14:31
-Dmaven.wagon.http.ssl.insecure=true worked for me, running from behind a client proxy that intercepts on SSL. – joezen777 Jun 11 '21 at 16:31
I get an error as if I'm using a bad syntax: `mvn install -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true -DskipTests --batch-mode --no-transfer-progress` ==> `[ERROR] Unknown lifecycle phase ".wagon.http.ssl.insecure=true". You must specify a valid lifecycle phase or a goal in the format : or :[:]:. Available lifecycle phases are: validate, initialize, generate-sources, process-sources, generate-resources, .... -> [Help 1]` – Max Cascone Feb 25 '22 at 21:04
7

If you're on Maven 3.9.0, you also need to add this: `-Dmaven.resolver.transport=wagon` – ArtOfWarfare Mar 07 '23 at 20:22

score 50 · Answer 2 · edited Mar 26 '18 at 13:37

50

An alternative that worked for me is to tell Maven to use http: instead of https: when using Maven Central by adding the following to settings.xml:

<settings>
   .
   .
   .
  <mirrors>
    <mirror>
        <id>central-no-ssl</id>
        <name>Central without ssl</name>
        <url>http://repo.maven.apache.org/maven2</url>
        <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
   .
   .
   .
</settings>

Your mileage may vary of course.

edited Mar 26 '18 at 13:37

dbreaux

4,982
1
25
64

answered Oct 10 '17 at 11:27

Richard Steele

2,227
1
15
14

2

Thanks, that worked! And please a note to revert once SSL works because this could lead to users adding non-standard repositories which could host who knows what – asgs Oct 11 '17 at 14:27
11

This doesn't work since Jan 2020 because Maven repo disabled http connection – Justin Feb 10 '20 at 18:27
2

Will get this error since Jan 2020: ReasonPhrase:HTTPS Required" , because Maven repo disabled Http connection – Justin Feb 10 '20 at 18:48
This worked for me. However, I had to add https instead in the URL. Not sure why. – Michael Jul 19 '21 at 18:13
2

This won't work because unsecured http connections are 501 blocked as of Jan 2020. It impacts a few more places than just Central. JCenter, Spring, and Gradle repos are https required too. Read more: Jan 2020, https://www.alphabot.com/security/blog/2020/java/Your-Java-builds-might-break-starting-January-13th.html – Matthew Dowell Aug 22 '21 at 15:33

Nicola Ben · Answer 3 · 2018-07-06T07:51:29.060

46

Create a folder ${USER_HOME}/.mvn and put a file called maven.config in it.

The content should be:

-Dmaven.wagon.http.ssl.insecure=true
-Dmaven.wagon.http.ssl.allowall=true
-Dmaven.wagon.http.ssl.ignore.validity.dates=true

Hope this helps.

edited Jul 06 '18 at 07:51

answered Feb 05 '18 at 11:46

Nicola Ben

10,615
8
41
65

2

I succeed on directly using those parameters on the command line, but still failed when adding them into the file – Justin Feb 10 '20 at 18:36
3

This should actually be configured on project level. http://maven.apache.org/configure.html#mvn-folder – Adam Ostrožlík Jan 22 '21 at 09:38
worked like a charm. I was able to do it under console but not within the IDE – Davut Gürbüz Jun 03 '21 at 12:02

score 2 · Answer 4 · answered Apr 17 '23 at 08:47

If for any reason maven.config should not work:

Try set the content as a environment variable.

Example:

MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true Dmaven.wagon.http.ssl.ignore.validity.dates=true -Dhttps.protocols=TLSv1.2"

After setting the environment variable, you can simply run your mvn command.

For a short test you can set the environment variable for a session

Powershell:

$env:MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true -Dhttps.protocols=TLSv1.2"

Bash:

export MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true -Dhttps.protocols=TLSv1.2"

CMD:

set MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true -Dhttps.protocols=TLSv1.2"

I can confirm that these flags were the only ones that worked for me in late April 2023. Thank you. — sueszli, Apr 27 '23 at 08:19

score 1 · Answer 5 · answered Jul 07 '21 at 16:28

I found that the latest jdk16 will fail SSL certificates so I have to use the -Dmaven.wagon.http.ssl.ignore.validity.dates=true to work around; switching to jdk11(LTS) then all problems are gone.

Also jdk1.8 was tested too, which also worked without any parameters; but jdk1.8 is in in no-update mode, better move on to the LTS jdk versions, but not the latest jdk16.

score 0 · Answer 6 · answered Sep 19 '17 at 16:32

0

You can also configure m2e to use HTTP instead of HTTPS

force-m2e-to-use-http-instead-of-https

answered Sep 19 '17 at 16:32

bcarroll

1,727
16
14

score 0 · Answer 7 · answered Jul 28 '21 at 18:07

If you want to put all the same maven.wagon.http.ssl. settings into ~/.m2/settings.xml instead of ~/.mavenrc, this is what you need to put in the file:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>definedInM2SettingsXML</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <maven.wagon.http.ssl.insecure>true</maven.wagon.http.ssl.insecure>
        <maven.wagon.http.ssl.allowall>true</maven.wagon.http.ssl.allowall>
        <maven.wagon.http.ssl.ignore.validity.dates>true</maven.wagon.http.ssl.ignore.validity.dates>
      </properties>
    </profile>
  </profiles>
</settings>

score 0 · Answer 8 · answered Aug 14 '23 at 12:57

0

Refer to https://maven.apache.org/resolver/configuration.html, just set aether.connector.https.securityMode=insecure. It works for me with Maven 3.9.4.

answered Aug 14 '23 at 12:57

lhy

1
1

How to tell Maven to disregard SSL errors (and trusting all certs)?

8 Answers8

Linked