Details
-
Type:
Improvement
-
Status:
Open
-
Priority:
Critical
-
Resolution: Unresolved
-
Affects Version/s: Issues to be reviewed for 3.x
-
Fix Version/s: Issues to be reviewed for 3.x
-
Component/s: Artifacts and Repositories, Command Line, Deployment
-
Labels:None
-
Complexity:Intermediate
Description
Development environments often use ssl-certificates which are self-signed or signed by company-internal
certification authorities.
If the certificate is unknown maven outputs the following message:
—
INFO] Scanning for projects...
[INFO] snapshot de.foo.bar:bar-parent:0.0.1-SNAPSHOT: checking for updates from snapshots
[WARNING] repository metadata for: 'snapshot de.foo.bar:bar-parent:0.0.1-SNAPSHOT' could not be retrieved from repository: snapshots due to an error: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO] Repository 'snapshots' will be blacklisted
—
This is disastrous form usability point of view 
Procedures like this are very not very convenient for developers:
—
$JAVA_HOME/bin/keytool -import -alias UserTrustExternalCARoot -file UserTrustExternalCARoot.crt -keystore $JAVA_HOME/jre/lib/security/jssecacerts
export MAVEN_OPTS="-Djavax.net.ssl.keyStore=$HOME/.keystore \
-Djavax.net.ssl.keyStorePassword=changeit \
-Djavax.net.ssl.trustStore=$HOME/.keystore \
-Djavax.net.ssl.trustStorePassword=changeit"
mvn -Dusername=foo deploy
—
Maven should provide an convenient way to accept a unknown certificate.
I my opinion this should implemented like this:
- If the exceptions is raised maven should output a message that the certificate can by downloaded
and integrated in the keystore in an automated way by invoking the new maven option
"dc <hostname> ..<hostname>|-download-certificate <hostname> <hostname>" - If this option is invoked, maven automatically downloads the certificate/ca for the specified
domain and adds it to a keystore located in $HOME/.m2/keystores/<domain> an executes the specified goal
with this keystore - If maven is called without the new option, maven uses the keystores in $HOME/.m2/keystores/<domain>
before giving up on certificate problems