为什么Eclipse 2023-06 Maven依赖解析失败,显示“PKIX路径构建失败”?

huangapple go评论74阅读模式
英文:

Why does Eclipse 2023-06 Maven dependency resolution fail with "PKIX path building failed"?

问题

背景:在我们公司中,我们使用托管在HTTPS服务器上的Nexus Maven仓库,并配有公司证书。我们将Eclipse安装包提供为面向开发人员机器的Chocolatey软件包。

现有的Eclipse 2023-03包(以及之前的版本)可以正常工作,但从2023-06开始,我遇到了一个似乎无法解决的问题,UI会产生很多与"Maven依赖解析"有关的错误(与证书有关,"PKIX路径构建失败")。

我尝试过的方法:

  1. eclipse.ini 中使用使用公司证书的JDK安装(-vm选项;通常情况下这应该是正常的,但对于上述情况不起作用)。
  2. 替换Eclipse安装中附带的JRE中的 cacerts 文件(通常情况下这应该是正常的,但对于上述情况不起作用)。
  3. 为Maven传递恐怖的"忽略SSL"标志(作为 MAVEN_OPTS 或在 eclipse.ini 中 - 没有效果,仍然看到错误)。

我在Eclipse首选项UI中看到,“Maven依赖解析将始终使用内置的Maven安装”。对我来说,似乎我无法说服它使用我们公司的证书。在这个Eclipse版本中是否有什么变化?这可能是个错误吗?有人对如何说服(Eclipse的这一部分)使用我的证书来解决Maven依赖性的问题有建议吗?

谢谢!

更新: 基于问题的评论,附加信息如下:

我已经验证证书尚未过期;我有一个小的Java测试应用程序来访问HTTPS URL,并尝试使用各种JVM - 一切正常(也可以从Eclipse内部运行):

public class Demo {
  public static void main(final String[] args) throws Throwable {
    final String url = "https://COMPANYURL/";
    System.out.printf("trying to read from %s%n%n", url);
    final var target = new URL(url);
    try (final var in = new BufferedReader(new InputStreamReader(target.openStream()))) {
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
      }
    }
  }
}

我尝试将仓库主机添加到“首选项 > 安装/更新 > 信任 > 授权方”中,并尝试选中“信任所有内容”复选框(由于问题不是更新Eclipse插件,我想知道这在任何情况下是否相关)。但仍然出现相同的错误。

我将尝试在GitHub上提供一个最小可重现的示例,但这并不容易,需要时间(几天时间)。这将涉及以下步骤:

  • 安装Eclipse 2023-06
  • 运行一个(模拟?)需要“非标准证书”的Maven仓库
  • 将所需的证书添加到cacerts
  • 配置Maven设置以指向该Maven仓库
  • 导入一个Maven项目 - 查看错误/更新一个Maven项目 - 查看错误

最后,这是一个日志片段。我可以从中看出,DefaultUpdateCheckManager 似乎无法与仓库通信,尽管证书存在于JVM级别:

...
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
英文:

Background: In my company, we use a Nexus Maven repository hosted on a HTTPS server with company certificates. We provide Eclipse installations as chocolatey packages for developer machines.

An existing Eclipse 2023-03 package (as well as previous ones) is fine, but starting with 2023-06 I have a seemingly unfixable issue with the UI spitting a lot of errors on Maven dependency resolution (certificate related, "PKIX path building failed").

What I have tried:

  1. In eclipse.ini use a JDK installation that uses company certificates (-vm option; "normally" this works fine, but not for above case)
  2. Replace cacerts in the JRE shipping with the Eclipse installation ("normally" this works fine, but not for above case)
  3. Pass the dreaded "ignore SSL" flags for Maven (either as MAVEN_OPTS or in eclipse.ini - no effect, still seeing the error)

I see in the Eclipse Preferences UI that "Maven dependency resolution will always be performed with the embedded Maven installation". It just appears to me I cannot convince it to use my companies' certificates. Has something changed in this Eclipse version? Is this potentially a bug? Does anyone have a suggestion as to how to convince (this part of) Eclipse to use my certificates for Maven dependency resolution?

Thanks!

Update: Additional information, based on comments to the question:

I have verified that the certificates are not expired; I have a small Java test application to access the HTTPS URL, and tried with various JVMs - all good (can be run from inside Eclipse too):

public class Demo {
  public static void main(final String[] args) throws Throwable {
    final String url = "https://COMPANYURL/";
    System.out.printf("trying to read from %s%n%n", url);
    final var target = new URL(url);
    try (final var in = new BufferedReader(new InputStreamReader(target.openStream()))) {
      String inputLine;
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
      }
    }
  }
}

I tried to add the repository host to "Preferences > Install/Update > Trust > Authorities" and also tried with the "Trust all content" checkbox (since the problem is not with updating Eclipse plugins, I wonder if this is relevant in any case). The same error occurs.

I will try to give a minimal reproducible example on GitHub, but that is non-trivial and will take time (several day). This will involve

  • install Eclipse 2023-06
  • run a (simulated?) Maven repository that requires "non-standard certificates"
  • add required certificates to cacerts
  • configure Maven settings to point to that Maven repository
  • import a Maven project - see the error / update a Maven project - see the error

Finally, here is a log excerpt. All I can tell from it is that DefaultUpdateCheckManager seems unable to communicate with the repository, despite the certificates being present on JVM level:

!SESSION 2023-06-20 08:06:52.786 -----------------------------------------------
eclipse.buildId=4.28.0.20230608-1200
java.version=17.0.7
java.vendor=Eclipse Adoptium
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=en_US
Framework arguments:  -product org.eclipse.epp.package.jee.product
Command-line arguments:  -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.jee.product

!SUBENTRY 1 org.eclipse.m2e.core 4 0 2023-06-20 08:10:17.701
!MESSAGE Could not calculate build plan: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
!STACK 0
org.apache.maven.plugin.PluginResolutionException: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
	at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:125)
	at org.eclipse.m2e.core.internal.project.registry.EclipsePluginDependenciesResolver.resolve(EclipsePluginDependenciesResolver.java:47)
	at org.apache.maven.plugin.internal.DefaultMavenPluginManager.lambda$getPluginDescriptor$0(DefaultMavenPluginManager.java:178)
	at org.apache.maven.plugin.DefaultPluginDescriptorCache.lambda$get$0(DefaultPluginDescriptorCache.java:72)
	at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
	at org.apache.maven.plugin.DefaultPluginDescriptorCache.get(DefaultPluginDescriptorCache.java:70)
	at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getPluginDescriptor(DefaultMavenPluginManager.java:176)
	at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getMojoDescriptor(DefaultMavenPluginManager.java:266)
	at org.apache.maven.plugin.DefaultBuildPluginManager.getMojoDescriptor(DefaultBuildPluginManager.java:214)
	at org.apache.maven.lifecycle.internal.DefaultLifecycleExecutionPlanCalculator.setupMojoExecution(DefaultLifecycleExecutionPlanCalculator.java:155)
	at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.lambda$5(MavenProjectFacade.java:547)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
	at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.setupMojoExecution(MavenProjectFacade.java:543)
	at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.getMojoExecution(MavenProjectFacade.java:525)
	at org.eclipse.m2e.core.project.configurator.AbstractCustomizableLifecycleMapping.getBuildParticipants(AbstractCustomizableLifecycleMapping.java:71)
	at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$1(MavenBuilder.java:107)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:228)
	at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$0(MavenBuilder.java:100)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:214)
	at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.execute(MavenBuilder.java:83)
	at org.eclipse.m2e.core.internal.builder.MavenBuilder.build(MavenBuilder.java:192)
	at org.eclipse.core.internal.events.BuildManager$2.run(BuildManager.java:1020)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:247)
	at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:303)
	at org.eclipse.core.internal.events.BuildManager$1.run(BuildManager.java:392)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:395)
	at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:506)
	at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:454)
	at org.eclipse.core.internal.events.BuildManager.build(BuildManager.java:536)
	at org.eclipse.core.internal.events.AutoBuildJob.doBuild(AutoBuildJob.java:196)
	at org.eclipse.core.internal.events.AutoBuildJob.run(AutoBuildJob.java:289)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:242)
	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:172)
	at org.eclipse.aether.internal.impl.DefaultRepositorySystem.readArtifactDescriptor(DefaultRepositorySystem.java:268)
	at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:104)
	... 37 more
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: The following artifacts could not be resolved: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 (absent): org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:456)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:261)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:242)
	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:231)
	... 40 more
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.newException(DefaultUpdateCheckManager.java:214)
	at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.checkArtifact(DefaultUpdateCheckManager.java:180)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.gatherDownloads(DefaultArtifactResolver.java:565)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:504)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:433)
	... 43 more

答案1

得分: 1

谢谢howlger为您的帮助!

事实上,原来的“解析失败”已经在我的本地仓库中被缓存。从一个空的仓库开始可以正常工作。我还验证了在从我的本地仓库中删除以下文件后,解析也能正常工作:

在${localrepo}目录下查找类型为文件、名称为m2e-lastUpdated.properties的文件并删除:-exec rm {} ;
在${localrepo}目录下查找类型为文件、名称匹配“*.lastUpdated”的文件并删除:-exec rm {} ;

所以,解析失败可能是由于JVM在没有所需证书的情况下进行解析的时间。有点不幸的是,这种情况一直存在(我本来希望最后一次更新的“缓存”,特别是解析失败的尝试,会过期)。

英文:

Well, that is a bit curious. Thank you howlger for your assistance!

Indeed, it turns out that the "failed resolution" was cached in my local repository. Starting from an empty repository works. I also verified that after deleting the following files from my local repository the resolution works as well:

find ${localrepo} -type f -name m2e-lastUpdated.properties -exec rm {} \;
find ${localrepo} -type f -name "*.lastUpdated" -exec rm {} \;

So, the failed resolution probably came from a time when the JVM did not have the required certificates. It is a bit unfortunate that this turned out to be persistent (I would have expected the last update "cache" to expire, especially for failed resolution attempts).

huangapple
  • 本文由 发表于 2023年6月19日 22:58:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/76507849.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定