Skip to content
Latchkey

Maven "peer not authenticated" - Fix TLS Handshake in CI

The TLS handshake to the repository did not complete with a verified server identity, so Maven reports peer not authenticated. The server presented no usable certificate chain that the JVM could verify.

What this error means

Transfers fail with Could not transfer artifact ...: peer not authenticated (a javax.net.ssl.SSLPeerUnverifiedException). It is a handshake failure, not a 4xx - authentication never got as far as HTTP.

mvn output
[ERROR] Failed to execute goal ... Could not transfer artifact
org.example:lib:jar:1.0 from/to central (https://repo.example.com/...):
peer not authenticated

Common causes

Incomplete or untrusted certificate chain

The server sent no intermediate certs, or the chain is signed by a CA the JVM truststore does not contain, so the peer cannot be authenticated.

Outdated truststore or protocol mismatch

An old JDK with a stale cacerts, or one that negotiates a deprecated TLS version the server rejects, fails the handshake before identity is verified.

How to fix it

Update the JDK and its truststore

A current JDK ships an up-to-date cacerts and modern TLS defaults, which resolves most handshake failures.

Terminal
java -version          # confirm a current JDK
# import the chain if the CA is internal:
keytool -importcert -alias repo-ca -file chain.pem \
  -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit

Inspect the chain the server presents

Verify what the repository actually sends so you know which CA/intermediate to trust.

Terminal
openssl s_client -connect repo.example.com:443 -showcerts </dev/null

How to prevent it

  • Keep the CI JDK current so cacerts and TLS defaults stay fresh.
  • Ensure internal repos serve a complete certificate chain.
  • Import internal CAs into the runner truststore at image-build time.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →