Why does Eclipse 2023-06 Maven dependency resolution fail with "PKIX path building failed"?

Question

Background: In my company, we use a Nexus Maven repository hosted on a HTTPS server with company certificates. We provide Eclipse installations as chocolatey packages for developer machines.

An existing Eclipse 2023-03 package (as well as previous ones) is fine, but starting with 2023-06 I have a seemingly unfixable issue with the UI spitting a lot of errors on Maven dependency resolution (certificate related, "PKIX path building failed").

What I have tried:

1. In eclipse.ini use a JDK installation that uses company certificates (-vm option; "normally" this works fine, but not for above case)
2. Replace cacerts in the JRE shipping with the Eclipse installation ("normally" this works fine, but not for above case)
3. Pass the dreaded "ignore SSL" flags for Maven (either as MAVEN_OPTS or in eclipse.ini - no effect, still seeing the error)

I see in the Eclipse Preferences UI that "Maven dependency resolution will always be performed with the embedded Maven installation". It just appears to me I cannot convince it to use my companies' certificates. Has something changed in this Eclipse version? Is this potentially a bug? Does anyone have a suggestion as to how to convince (this part of) Eclipse to use my certificates for Maven dependency resolution?

Thanks!

Update: Additional information, based on comments to the question:

I have verified that the certificates are not expired; I have a small Java test application to access the HTTPS URL, and tried with various JVMs - all good (can be run from inside Eclipse too):

public class Demo {
  public static void main(final String[] args) throws Throwable {
    final String url = "https://COMPANYURL/";
    System.out.printf("trying to read from %s%n%n", url);
    final var target = new URL(url);
    try (final var in = new BufferedReader(new InputStreamReader(target.openStream()))) {
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
      }
    }
  }
}

I tried to add the repository host to "Preferences > Install/Update > Trust > Authorities" and also tried with the "Trust all content" checkbox (since the problem is not with updating Eclipse plugins, I wonder if this is relevant in any case). The same error occurs.

I will try to give a minimal reproducible example on GitHub, but that is non-trivial and will take time (several day). This will involve

• install Eclipse 2023-06
• run a (simulated?) Maven repository that requires "non-standard certificates"
• add required certificates to cacerts
• configure Maven settings to point to that Maven repository
• import a Maven project - see the error / update a Maven project - see the error

Finally, here is a log excerpt. All I can tell from it is that DefaultUpdateCheckManager seems unable to communicate with the repository, despite the certificates being present on JVM level:

!SESSION 2023-06-20 08:06:52.786 -----------------------------------------------
eclipse.buildId=4.28.0.20230608-1200
java.version=17.0.7
java.vendor=Eclipse Adoptium
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=en_US
Framework arguments:  -product org.eclipse.epp.package.jee.product
Command-line arguments:  -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.jee.product

!SUBENTRY 1 org.eclipse.m2e.core 4 0 2023-06-20 08:10:17.701
!MESSAGE Could not calculate build plan: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
!STACK 0
org.apache.maven.plugin.PluginResolutionException: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
    at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:125)
    at org.eclipse.m2e.core.internal.project.registry.EclipsePluginDependenciesResolver.resolve(EclipsePluginDependenciesResolver.java:47)
    at org.apache.maven.plugin.internal.DefaultMavenPluginManager.lambda$getPluginDescriptor$0(DefaultMavenPluginManager.java:178)
    at org.apache.maven.plugin.DefaultPluginDescriptorCache.lambda$get$0(DefaultPluginDescriptorCache.java:72)
    at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
    at org.apache.maven.plugin.DefaultPluginDescriptorCache.get(DefaultPluginDescriptorCache.java:70)
    at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getPluginDescriptor(DefaultMavenPluginManager.java:176)
    at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getMojoDescriptor(DefaultMavenPluginManager.java:266)
    at org.apache.maven.plugin.DefaultBuildPluginManager.getMojoDescriptor(DefaultBuildPluginManager.java:214)
    at org.apache.maven.lifecycle.internal.DefaultLifecycleExecutionPlanCalculator.setupMojoExecution(DefaultLifecycleExecutionPlanCalculator.java:155)
    at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.lambda$5(MavenProjectFacade.java:547)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
    at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.setupMojoExecution(MavenProjectFacade.java:543)
    at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.getMojoExecution(MavenProjectFacade.java:525)
    at org.eclipse.m2e.core.project.configurator.AbstractCustomizableLifecycleMapping.getBuildParticipants(AbstractCustomizableLifecycleMapping.java:71)
    at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$1(MavenBuilder.java:107)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:228)
    at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$0(MavenBuilder.java:100)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
    at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:214)
    at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.execute(MavenBuilder.java:83)
    at org.eclipse.m2e.core.internal.builder.MavenBuilder.build(MavenBuilder.java:192)
    at org.eclipse.core.internal.events.BuildManager$2.run(BuildManager.java:1020)
    at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
    at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:247)
    at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:303)
    at org.eclipse.core.internal.events.BuildManager$1.run(BuildManager.java:392)
    at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
    at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:395)
    at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:506)
    at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:454)
    at org.eclipse.core.internal.events.BuildManager.build(BuildManager.java:536)
    at org.eclipse.core.internal.events.AutoBuildJob.doBuild(AutoBuildJob.java:196)
    at org.eclipse.core.internal.events.AutoBuildJob.run(AutoBuildJob.java:289)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:242)
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:172)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.readArtifactDescriptor(DefaultRepositorySystem.java:268)
    at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:104)
    ... 37 more
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: The following artifacts could not be resolved: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 (absent): org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:456)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:261)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:242)
    at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:231)
    ... 40 more
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.newException(DefaultUpdateCheckManager.java:214)
    at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.checkArtifact(DefaultUpdateCheckManager.java:180)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.gatherDownloads(DefaultArtifactResolver.java:565)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:504)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:433)
    ... 43 more

Answer 1

Well, that is a bit curious. Thank you howlger for your assistance!

Indeed, it turns out that the "failed resolution" was cached in my local repository. Starting from an empty repository works. I also verified that after deleting the following files from my local repository the resolution works as well:

find ${localrepo} -type f -name m2e-lastUpdated.properties -exec rm {} \;
find ${localrepo} -type f -name "*.lastUpdated" -exec rm {} \;

So, the failed resolution probably came from a time when the JVM did not have the required certificates. It is a bit unfortunate that this turned out to be persistent (I would have expected the last update "cache" to expire, especially for failed resolution attempts).