Resolve PKIX path building failed

Problem:

I was trying to get spring-cloud-server started on my laptop and I was getting:

Downloaded: http://repo.spring.io/libs-snapshot/org/codehaus/mojo/maven-metadata.xml (21 KB at 16.6 KB/sec)
[WARNING] Could not transfer metadata org.apache.maven.plugins/maven-metadata.xml from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[WARNING] Could not transfer metadata org.codehaus.mojo/maven-metadata.xml from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause:

The issue is I don't have a valid certificate for http://repo.spring.io.

Solution:

Step 1: Get the certificate from the location. In this case it is: http://repo.spring.io.

Here's how:

I used Firefox to browse to the link. On the top left there is a lock icon. Click on it > Click on the right arrow to get to information > Click on More Information > Click on View Certificate > Click on Details > Click on Export and save the certificate on your drive as a file say: Certificate.cer.

** It's important you chose X.509 Certificate (PEM) as the type.

Step 2: Now that you have downloaded the certificate, you need to install the certificate on your machine.

On my machine I did this:

keytool -import -file ~/Downloads/Certificate.cer -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts -alias <your_custom_alias_name>

Of course the location of your java's cacerts might be different. To find out the location of cacerts directory, do:

echo $JAVA_HOME

In my case the output of echo $JAVA_HOME was: /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home. Then I just looked for cacerts directory in it and found it to be at: jre/lib/security/cacerts

Note:
  • -alias foo_bar is important so that you don't override default alias which goes to my_key. Of course foo_bar is an example and not a good alias name. You should use a more descriptive alias name than foo_bar ;-)
  • If you dont't want to install a certificate you can also do below:

export MAVEN_OPTS="$MAVEN_OPTS -Djavax.net.ssl.trustStore=/Users/rhasija/Downloads/Certificate.cer"

This will solve the problem for maven but not necessarily for java.

Summary

The problem was java was missing the certificate from a specific website, in my case, http://repo.spring.io. So I got the certificate file using Step 1 and then imported the certificate in my machine's java cacerts using keytool as show in Step 2.

Hope you found this information helpful. Please let me know if you have any questions.

References: