There are two projects P-m and P-d. They are separate Jenkins projects that can be built separately. P-m depends on P-d and it is a snapshot version dependency.

Recently an issue has been occurring while building P-m. It complains of not being able to download the P-d jar from the remote repository with this error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

Though the error suggests a possible issue with the JVM certificate, it does not look like one, as other jars from the same remote repository can be downloaded successfully.

If I manually build P-d first (the local repository has a P-d snapshot jar and the remote repository has the deployed timestamped P-d jar), then build P-m, it works OK as it does not try to download the P-d jar from the remote repository.
But a few days later, without any change to P-d, when P-m builds (this time P-d is not manually built), it dynamically invokes a packaging of P-d, and I didn't figure out why. In this case, the local repository has the P-d snapshot jar from last time, and the remote repository has a newly deployed timestamped P-d jar. It then tries to download this new timestamped P-d jar from the remote repository and cannot download the jar, with the error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

Please help with the following questions (not sure if it matters: the Maven version used is 3.6.3):

  1. Is Maven supposed to build the dependency on the fly or just use the latest one in the repositories? For example, P-m depends on P-d. Will P-m just use the latest version of P-d in the repository (and if the P-d jar is not available, complain that it cannot find P-d), or will P-m build P-d each time P-m builds? What decides which behavior? I observed the 2nd case (each time P-m builds, it packages a new P-d jar in the remote repository without installing the P-d jar to the local repository) and I didn't figure out why: what makes it generate a new P-d jar (only the timestamped P-d jar deployed to the remote repository, without a new snapshot P-d jar in the local repository) and not use the latest P-d jar?

  2. Why can the newly generated P-d jar not be downloaded, failing with a "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException"? Any clue what could be wrong? As mentioned earlier, all other jars can be downloaded successfully from the same remote repository except this newly generated P-d jar, so it does not seem to be a JVM certificate issue on the build machine.

user3014901

1 Answer

The error indicates problems with SSL certificates. I guess the remote repository is accessible via https, and it may have changed its certificate so the client no longer trusts the server and refuses to communicate. It need not even be the remote repository server. Your organization setting up a proxy server that mangles SSL connections is sufficient for this error to occur.

You describe that the problem does not exist if the projects get built locally. This is when the repository server does not have to be contacted, which supports the above theory.

Check a tutorial like https://resources.weboffice.vertigis.com/Documentation/WebOffice102/EN/howto_install_certs_to_truststore.htm (there are many out there) on how to add your repository's public certificate to your Maven's truststore.

But to answer your questions:

  1. Maven is not supposed to automatically build the dependencies unless they are subprojects of the current project (this refers to multi module projects). It will try to access the already compiled dependencies from the repository, preferring the local one (which also caches) above the remote.

  2. Did you verify Maven still downloads other dependencies? After all they get cached, so unless you clear the cache or modify your dependencies (name/version) there is no need to do that again - and you mention this recently occurred. To clean the cache check out https://stackoverflow.com/a/22671261/4222206

Queeg
  • Thank you! I am certain that other dependencies downloaded successfully; this can be verified by the log and the timestamp in the local repository. Only this jar that somehow automatically builds each time (I am not sure it is a "build" as it does not install the newly generated snapshot jar to the local repository but only deploys this newly generated jar to the remote repository) cannot be downloaded, failing with a SunCertPathBuilderException. I am confused why other jars can be downloaded successfully if it is an SSL certificate issue? I cleaned the cache and it still had the same problem. – user3014901 Nov 04 '20 at 18:46
  • Could you clarify what you mean by "subproject" in your "unless they are subprojects of the current project"? How to see if it is a "subproject"? – user3014901 Nov 04 '20 at 20:01
  • With subprojects I am referring to Maven's term module. My bad, and I edited the answer. But it is still puzzling to see that only one jar has a problem. Are certificates being used in other areas? Is it a signed jar? – Queeg Nov 06 '20 at 11:08
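
An added example (not part of the original question, answer or comments) for the check the answer and comments keep returning to: group a Maven build log by HTTPS origin to see whether the downloads that succeed and the transfer that fails with PKIX really go to the same host. The log lines are constructed, the host names, repository ids and coordinates are placeholders, and the line formats assumed are the "Downloaded from" and "Could not transfer artifact" messages printed by Maven 3.x.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log; hosts, repository ids and coordinates are placeholders.
SAMPLE_LOG = """\
[INFO] Downloading from releases: https://repo.example.internal/releases/org/acme/lib/1.2/lib-1.2.jar
[INFO] Downloaded from releases: https://repo.example.internal/releases/org/acme/lib/1.2/lib-1.2.jar (12 kB at 80 kB/s)
[INFO] Downloading from snapshots: https://snapshots.example.internal/repo/com/acme/P-d/1.0-SNAPSHOT/maven-metadata.xml
[ERROR] Failed to execute goal on project P-m: Could not resolve dependencies for project com.acme:P-m:jar:1.0-SNAPSHOT: Could not transfer artifact com.acme:P-d:jar:1.0-20201104.101500-7 from/to snapshots (https://snapshots.example.internal/repo): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
"""

# Assumed Maven 3.x log formats for a completed download and a failed transfer.
DOWNLOADED = re.compile(r"Downloaded from (?P<repo>[^:\s]+): (?P<url>https?://\S+)")
PKIX_FAIL = re.compile(
    r"Could not transfer artifact (?P<gav>\S+) from/to "
    r"(?P<repo>[^\s(]+) \((?P<url>https?://[^)\s]+)\).*PKIX path building failed"
)


def _origin(url):
    """Reduce a URL to scheme://host:port, the unit a TLS certificate is checked against."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def tls_results_by_host(log_text):
    """Count successful downloads and collect PKIX-failed artifacts per origin."""
    hosts = defaultdict(lambda: {"ok": 0, "pkix_failed": []})
    for line in log_text.splitlines():
        failed = PKIX_FAIL.search(line)
        if failed:
            hosts[_origin(failed["url"])]["pkix_failed"].append(failed["gav"])
            continue
        done = DOWNLOADED.search(line)
        if done:
            hosts[_origin(done["url"])]["ok"] += 1
    return dict(hosts)


def untrusted_only_hosts(log_text):
    """Origins where nothing downloaded and at least one transfer failed certificate validation."""
    results = tls_results_by_host(log_text)
    return sorted(h for h, r in results.items() if r["pkix_failed"] and r["ok"] == 0)


if __name__ == "__main__":
    for host, result in tls_results_by_host(SAMPLE_LOG).items():
        print(host, result)
```

An origin that appears only with PKIX failures is one whose certificate chain the build JVM does not trust; an origin with both successes and failures in the same build is worth checking for an intercepting proxy or a certificate change partway through.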