5

My company keeps the Maven dependencies on a server that has an invalid SSL certificate. We must use https to connect. When I try to run Maven, it cannot download the resources.

I know the name of the site I am trying to go to. I'd be happy to either add a security exception for the site, or just shut off all the validation of ssl certificates so that all https sites will be considered valid.

I am using Maven 3.0.4.

Here are some highlights of the stack trace when I try to build:

Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact
org.apache.maven:maven-plugin-api:pom:2.0.6 from/to NexusExternal
(https://mydumbcompanysbrokensite:8443/nexus/content/groups/public):
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification
path to requested target

...

Caused by: org.apache.maven.wagon.TransferFailedException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification 
path to requested target
Joe
  • Get them to spend the dough and fix the certificate. It isn't worth wasting the time of an expensive software developer on this. – user207421 Aug 15 '14 at 00:40
  • 1
    A major part of https is to identify the peer to make sure you talk to the expected server. If you switch off validation of the certificate you allow man-in-the-middle attacks. In this case you have to ask yourself why you use https at all. – Steffen Ullrich Aug 15 '14 at 01:05
  • 4
    I'm sorry, but the two comments above are both silly. I work for a business and business isn't supposed to make sense. I am trying to do my job. I know my company is illogical and its security is atrocious. When you work for a business, you are a fool if you try to improve the business. Your job is to do your job. Like I said, a completely valid solution would be to just accept all certificates. – Joe Aug 15 '14 at 03:07
  • Which plugins do you use? Which maven version do you use? Cause based on the excerpt it looks like an older plugin/maven version? – khmarbaise Aug 15 '14 at 06:38
  • 2
    "*You are a fool if you try to improve the business*": I agree there are situations where you can't improve a situation that is not ideal, but *not trying*, really? As an employee, trying to improve the business generally *is* your job, at least in the broad sense. It might not be up to you to make the decisions, but pointing out what's wrong to your management or other parts of the company should be part of your job (at least until you're told "no, we won't fix this", for whatever reason). It might also benefit you in the short term for your task at hand. – Bruno Aug 15 '14 at 10:32

1 Answer

8

You can simply disable Maven SSL validation by adding these options to the command line:

-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
lolo101
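Because these flags remove the server authentication discussed in the comments, it is worth knowing every place they have been set. The script below is an added example, not part of the answer above: it scans a project tree and `MAVEN_OPTS` for the Wagon flags that switch off TLS validation. The function names and the sample tree are constructed for illustration, and `maven.wagon.http.ssl.ignore.validity.dates` is a third Wagon flag that does not appear on this page.

```shell
#!/bin/sh
# Added example: locate Maven Wagon flags that disable TLS validation.

# Flags that weaken certificate checks when set to true (case-insensitive).
WAGON_TLS_FLAGS='maven\.wagon\.http\.ssl\.(insecure|allowall|ignore\.validity\.dates)=true'

# scan_tree DIR: print "file:line:flag=true" for each hit under DIR
# (covers .mvn/maven.config, .mvn/jvm.config, build and CI scripts).
scan_tree() {
    grep -rnoiE "$WAGON_TLS_FLAGS" "$1" 2>/dev/null || true
}

# scan_env: report flags carried in the MAVEN_OPTS environment variable.
scan_env() {
    printf '%s\n' "${MAVEN_OPTS:-}" | grep -oiE "$WAGON_TLS_FLAGS" | sed 's/^/MAVEN_OPTS:/'
}

# audit_maven_tls DIR: list every finding; return 1 if any exist, else 0.
audit_maven_tls() {
    findings=$(scan_tree "$1"; scan_env)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample project: two flagged files and one harmless file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.mvn"
    printf '%s\n' '-Dmaven.wagon.http.ssl.insecure=true' \
                  '-Dmaven.wagon.http.ssl.allowall=true' > "$d/.mvn/maven.config"
    printf '%s\n' 'export MAVEN_OPTS="-Dmaven.wagon.http.ssl.insecure=TRUE"' > "$d/build.sh"
    printf '%s\n' '-Dmaven.wagon.http.ssl.insecure=false' > "$d/ok.config"
    echo "$d"
}

# Demo run against the constructed tree.
sample=$(make_sample_tree)
audit_maven_tls "$sample" || echo "TLS validation is disabled in the locations listed above"
rm -rf "$sample"
```

A finding is the cue to replace the flag with a truststore that contains the server's certificate, passed to the JVM with `-Djavax.net.ssl.trustStore`, so that only that one certificate is trusted.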