Maven "PKIX path building failed" (TLS) - Fix Repository Trust
Maven made an HTTPS connection to the repository, but the JDK could not build a trust chain to a root CA it knows. The certificate is fine; the JVM truststore simply does not contain the issuing CA.
What this error means
Resolution from an HTTPS repo fails with PKIX path building failed: ... unable to find valid certification path to requested target. Public Central often works while an internal Nexus or a TLS-intercepting proxy fails.
[ERROR] Failed to execute goal ... Could not transfer artifact
com.example:lib:jar:2.3.1 from/to nexus (https://nexus.example.com/...):
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested targetCommon causes
Internal CA not in the JDK truststore
A private Nexus/Artifactory signed by a corporate CA is not trusted by the default cacerts, so the JVM cannot validate the chain.
TLS-intercepting proxy re-signs traffic
A man-in-the-middle proxy (Zscaler, corporate firewall) replaces the server cert with its own. Without that proxy CA imported, every HTTPS transfer fails PKIX validation.
How to fix it
Import the CA into a truststore
Add the repository or proxy CA to the JDK truststore (or a custom one) so the chain validates.
keytool -importcert -noprompt \
-alias corp-ca -file corp-ca.crt \
-keystore "$JAVA_HOME/lib/security/cacerts" \
-storepass changeitPoint Maven at a custom truststore
Avoid editing the system cacerts by passing a job-local truststore through MAVEN_OPTS.
export MAVEN_OPTS="-Djavax.net.ssl.trustStore=/ci/truststore.jks \
-Djavax.net.ssl.trustStorePassword=changeit"
mvn -B verifyHow to prevent it
- Bake the corporate/proxy CA into the CI runner image or a versioned truststore.
- Prefer a custom truststore via MAVEN_OPTS over mutating the JDK cacerts.
- Document which repos sit behind a TLS-intercepting proxy.