Maven https repository with self-signed ssl certificate
For a private project I am trying to use Nexus behind Apache with SSL. I used a self-signed certificate.
But every Nexus repository request ends with a security exception:
[WARNING] repository metadata for: 'artifact org.apache.maven.plugins:maven-enforcer-plugin' could not be retrieved from repository: nexus-plugin-releases due to an error: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I found many sites about this problem, and they always describe the same solution:
Import the self-signed cert into your local truststore!
… here are the steps:
- download the certificate
- create a local truststore and import the certificate
- call Maven with the correct security properties
The import is simple (java keytool):
keytool.exe -importcert -alias nexus-xxx -keystore xxx.jks -storepass secret -file xxx.crt
For maven I’m using a cygwin bash alias:
alias mvn_xxx='/cygdrive/d/maven-2.2.1/bin/mvn -gs "d:/maven-2.2.1/conf/settings-xxx.xml" -s "d:/maven-2.2.1/conf/settings-xxx.xml" -Djavax.net.ssl.trustStore=d:/maven-2.2.1/conf/xxx.jks -Djavax.net.ssl.trustStorePassword=secret'
I point the global config (-gs) and the personal config (-s) to the same file to ignore other configuration from my default Maven config file (i.e. common mirror settings / repositories etc.).
And finally, here is my complete Maven settings file for Nexus:
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <localRepository>D:\maven-repository-xxx</localRepository>
  <!-- The mirror ids match the <server> ids below, so Maven sends those credentials. -->
  <mirrors>
    <mirror>
      <id>xxx-nexus-snapshots</id>
      <mirrorOf>nexus-snapshots</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public-snapshots/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-snapshots</id>
      <mirrorOf>nexus-plugin-snapshots</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public-snapshots/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>nexus-releases</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>nexus-plugin-releases</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
    <mirror>
      <id>xxx-nexus-releases</id>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.xxx.com/content/groups/public/</url>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>xxx-nexus-mirror</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <!-- http://foobar is a dummy URL: requests for these repository ids go to the mirrors above. -->
      <repositories>
        <repository>
          <id>nexus-releases</id>
          <url>http://foobar</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
        <repository>
          <id>nexus-snapshots</id>
          <url>http://foobar</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>nexus-plugin-releases</id>
          <url>http://foobar</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
        <pluginRepository>
          <id>nexus-plugin-snapshots</id>
          <url>http://foobar</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <servers>
    <server>
      <id>xxx-nexus-releases</id>
      <username>foo</username>
      <password>bar</password>
    </server>
    <server>
      <id>xxx-nexus-snapshots</id>
      <username>foo</username>
      <password>bar</password>
    </server>
  </servers>
</settings>
You can replace xxx with your personal domain-alias.
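The import steps above trust whatever certificate was downloaded, so it is worth checking it first. As an added example (not part of the original post), this script fetches the certificate Nexus presents, compares its SHA-256 fingerprint with one obtained out-of-band, and only then runs the keytool import. The function names, port 443 and the use of openssl are assumptions; the alias and truststore path follow the post.

```shell
#!/bin/sh
# Added example: pin the Nexus certificate's SHA-256 fingerprint before
# importing it into the Maven truststore. Host, port 443 and the function
# names are assumptions; the alias and truststore path follow the post.

# Reduce "sha256 Fingerprint=AA:bb:.." or "aabb.." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n' | tr '[:lower:]' '[:upper:]'
}

# Succeed only for two identical, well-formed SHA-256 fingerprints.
fingerprints_match() {
    fp_a=$(normalize_fp "$1")
    fp_b=$(normalize_fp "$2")
    # 32 bytes = 64 hex digits; rejects empty or truncated values
    printf '%s\n' "$fp_a" | grep -Eq '^[0-9A-F]{64}$' && [ "$fp_a" = "$fp_b" ]
}

# Save the certificate the server presents to a PEM file.
fetch_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Import only when the fetched certificate matches the pinned fingerprint
# obtained out-of-band (for example, computed on the server itself).
import_pinned() {   # host pinned_fp truststore
    crt=$(mktemp) || return 1
    if ! fetch_cert "$1" 443 "$crt"; then
        echo "could not fetch certificate from $1" >&2; rm -f "$crt"; return 1
    fi
    actual=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
    if ! fingerprints_match "$actual" "$2"; then
        echo "fingerprint mismatch, not importing: $actual" >&2
        rm -f "$crt"; return 1
    fi
    # No -storepass here: keytool prompts, keeping the password out of the
    # process list and shell history.
    keytool -importcert -noprompt -alias nexus-xxx -keystore "$3" -file "$crt"
    rc=$?; rm -f "$crt"; return "$rc"
}

# Usage: sh pin-import.sh nexus.xxx.com <sha256-fingerprint> d:/maven-2.2.1/conf/xxx.jks
if [ "$#" -eq 3 ]; then
    import_pinned "$@"
fi
```

A mismatch leaves the truststore untouched, so a certificate swapped in transit is never trusted by Maven.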
Very helpful post, thanks for taking the time to document this!
I streamlined the command a little bit by setting MAVEN_OPTS to hold the -Dxxx options. So you would then have:
export MAVEN_OPTS="-Djavax.net.ssl.trustStore=d:/maven-2.2.1/conf/xxx.jks -Djavax.net.ssl.trustStorePassword=secret"
And you could run the command like this:
mvn -gs xxx -s xxx clean install