How do you get Maven to accept invalid SSL certificates?
11,433
You can simply disable Maven SSL validation by adding these options to the command line :
-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true
Related videos on Youtube
Author by
Joe
Updated on September 23, 2022Comments
-
Joe over 1 year
My company keeps the Maven dependencies on a server that has an invalid SSL certificate. We must use https to connect. When I try to run Maven, it cannot download the resources.
I know the name of the site I am trying to go to. I'd be happy to either add a security exception for the site, or just shut off all the validation of ssl certificates so that all https sites will be considered valid.
I am using Maven 3.0.4.
Here are some highlights of the stack trace when I try to build:
Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact org.apache.maven:maven-plugin-api:pom:2.0.6 from/to NexusExternal (<code>https</code>: //mydumbcompanysbrokensite:8443/nexus/content/groups/public): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: org.apache.maven.wagon.TransferFailedException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-
Steffen Ullrich over 9 yearsA major part of https is to identity the peer to make sure you talk to the expected server. If you switch of validation of the certificate you allow man-in-the-middle attacks. In this case you have to ask yourself why you use https at all.
-
Joe over 9 yearsI'm sorry, but the two comments above are both silly. I work for a business and business isn't supposed to make sense. I am trying to do my job. I know my company is illogical and its security is atrocious. When you work for a business, you are fool if you try to improve the business. Your job is to do your job. Like I said, a completely valid solution would be to just accept all certificates.
-
Bruno over 9 years"You are fool if you try to improve the business": I agree there are situation where you can't improve an situation that is not ideal, but not trying, really? As an employee, trying to improve the business generally is your job, at least in the broad sense. It might not be up to you to make the decisions, but pointing out what's wrong to your management or other parts of the company should be part of your job (at least until you're told "no, we won't fix this", for whatever reason). It might also benefit you in the short term for your task at hand.
-