Maven "peer not authenticated" - Fix TLS Handshake in CI
The TLS handshake to the repository did not complete with a verified server identity, so Maven reports peer not authenticated. The server presented no usable certificate chain that the JVM could verify.
What this error means
Transfers fail with Could not transfer artifact ...: peer not authenticated (a javax.net.ssl.SSLPeerUnverifiedException). It is a handshake failure, not a 4xx - authentication never got as far as HTTP.
[ERROR] Failed to execute goal ... Could not transfer artifact
org.example:lib:jar:1.0 from/to central (https://repo.example.com/...):
peer not authenticatedCommon causes
Incomplete or untrusted certificate chain
The server sent no intermediate certs, or the chain is signed by a CA the JVM truststore does not contain, so the peer cannot be authenticated.
Outdated truststore or protocol mismatch
An old JDK with a stale cacerts, or one that negotiates a deprecated TLS version the server rejects, fails the handshake before identity is verified.
How to fix it
Update the JDK and its truststore
A current JDK ships an up-to-date cacerts and modern TLS defaults, which resolves most handshake failures.
java -version # confirm a current JDK
# import the chain if the CA is internal:
keytool -importcert -alias repo-ca -file chain.pem \
-keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeitInspect the chain the server presents
Verify what the repository actually sends so you know which CA/intermediate to trust.
openssl s_client -connect repo.example.com:443 -showcerts </dev/nullHow to prevent it
- Keep the CI JDK current so cacerts and TLS defaults stay fresh.
- Ensure internal repos serve a complete certificate chain.
- Import internal CAs into the runner truststore at image-build time.