英文:
Why does Eclipse 2023-06 Maven dependency resolution fail with "PKIX path building failed"?
问题
背景:在我们公司中,我们使用托管在HTTPS服务器上的Nexus Maven仓库,并配有公司证书。我们将Eclipse安装包提供为面向开发人员机器的Chocolatey软件包。
现有的Eclipse 2023-03包(以及之前的版本)可以正常工作,但从2023-06开始,我遇到了一个似乎无法解决的问题,UI会产生很多与"Maven依赖解析"有关的错误(与证书有关,"PKIX路径构建失败")。
我尝试过的方法:
- 在
eclipse.ini中使用使用公司证书的JDK安装(-vm选项;通常情况下这应该是正常的,但对于上述情况不起作用)。 - 替换Eclipse安装中附带的JRE中的
cacerts文件(通常情况下这应该是正常的,但对于上述情况不起作用)。 - 为Maven传递恐怖的"忽略SSL"标志(作为
MAVEN_OPTS或在eclipse.ini中 - 没有效果,仍然看到错误)。
我在Eclipse首选项UI中看到,“Maven依赖解析将始终使用内置的Maven安装”。对我来说,似乎我无法说服它使用我们公司的证书。在这个Eclipse版本中是否有什么变化?这可能是个错误吗?有人对如何说服(Eclipse的这一部分)使用我的证书来解决Maven依赖性的问题有建议吗?
谢谢!
更新: 基于问题的评论,附加信息如下:
我已经验证证书尚未过期;我有一个小的Java测试应用程序来访问HTTPS URL,并尝试使用各种JVM - 一切正常(也可以从Eclipse内部运行):
public class Demo {
public static void main(final String[] args) throws Throwable {
final String url = "https://COMPANYURL/";
System.out.printf("trying to read from %s%n%n", url);
final var target = new URL(url);
try (final var in = new BufferedReader(new InputStreamReader(target.openStream()))) {
String inputLine;
while ((inputLine = in.readLine()) != null) {
System.out.println(inputLine);
}
}
}
}
我尝试将仓库主机添加到“首选项 > 安装/更新 > 信任 > 授权方”中,并尝试选中“信任所有内容”复选框(由于问题不是更新Eclipse插件,我想知道这在任何情况下是否相关)。但仍然出现相同的错误。
我将尝试在GitHub上提供一个最小可重现的示例,但这并不容易,需要时间(几天时间)。这将涉及以下步骤:
- 安装Eclipse 2023-06
- 运行一个(模拟?)需要“非标准证书”的Maven仓库
- 将所需的证书添加到cacerts
- 配置Maven设置以指向该Maven仓库
- 导入一个Maven项目 - 查看错误/更新一个Maven项目 - 查看错误
最后,这是一个日志片段。我可以从中看出,DefaultUpdateCheckManager 似乎无法与仓库通信,尽管证书存在于JVM级别:
...
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
英文:
Background: In my company, we use a Nexus Maven repository hosted on a HTTPS server with company certificates. We provide Eclipse installations as chocolatey packages for developer machines.
An existing Eclipse 2023-03 package (as well as previous ones) is fine, but starting with 2023-06 I have a seemingly unfixable issue with the UI spitting a lot of errors on Maven dependency resolution (certificate related, "PKIX path building failed").
What I have tried:
- In
eclipse.iniuse a JDK installation that uses company certificates (-vmoption; "normally" this works fine, but not for above case) - Replace
cacertsin the JRE shipping with the Eclipse installation ("normally" this works fine, but not for above case) - Pass the dreaded "ignore SSL" flags for Maven (either as
MAVEN_OPTSor ineclipse.ini- no effect, still seeing the error)
I see in the Eclipse Preferences UI that "Maven dependency resolution will always be performed with the embedded Maven installation". It just appears to me I cannot convince it to use my companies' certificates. Has something changed in this Eclipse version? Is this potentially a bug? Does anyone have a suggestion as to how to convince (this part of) Eclipse to use my certificates for Maven dependency resolution?
Thanks!
Update: Additional information, based on comments to the question:
I have verified that the certificates are not expired; I have a small Java test application to access the HTTPS URL, and tried with various JVMs - all good (can be run from inside Eclipse too):
public class Demo {
public static void main(final String[] args) throws Throwable {
final String url = "https://COMPANYURL/";
System.out.printf("trying to read from %s%n%n", url);
final var target = new URL(url);
try (final var in = new BufferedReader(new InputStreamReader(target.openStream()))) {
String inputLine;
while ((inputLine = in.readLine()) != null) {
System.out.println(inputLine);
}
}
}
}
I tried to add the repository host to "Preferences > Install/Update > Trust > Authorities" and also tried with the "Trust all content" checkbox (since the problem is not with updating Eclipse plugins, I wonder if this is relevant in any case). The same error occurs.
I will try to give a minimal reproducible example on GitHub, but that is non-trivial and will take time (several day). This will involve
- install Eclipse 2023-06
- run a (simulated?) Maven repository that requires "non-standard certificates"
- add required certificates to cacerts
- configure Maven settings to point to that Maven repository
- import a Maven project - see the error / update a Maven project - see the error
Finally, here is a log excerpt. All I can tell from it is that DefaultUpdateCheckManager seems unable to communicate with the repository, despite the certificates being present on JVM level:
!SESSION 2023-06-20 08:06:52.786 -----------------------------------------------
eclipse.buildId=4.28.0.20230608-1200
java.version=17.0.7
java.vendor=Eclipse Adoptium
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=en_US
Framework arguments: -product org.eclipse.epp.package.jee.product
Command-line arguments: -os win32 -ws win32 -arch x86_64 -product org.eclipse.epp.package.jee.product
!SUBENTRY 1 org.eclipse.m2e.core 4 0 2023-06-20 08:10:17.701
!MESSAGE Could not calculate build plan: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
!STACK 0
org.apache.maven.plugin.PluginResolutionException: Plugin org.apache.maven.plugins:maven-resources-plugin:3.3.0 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:125)
at org.eclipse.m2e.core.internal.project.registry.EclipsePluginDependenciesResolver.resolve(EclipsePluginDependenciesResolver.java:47)
at org.apache.maven.plugin.internal.DefaultMavenPluginManager.lambda$getPluginDescriptor$0(DefaultMavenPluginManager.java:178)
at org.apache.maven.plugin.DefaultPluginDescriptorCache.lambda$get$0(DefaultPluginDescriptorCache.java:72)
at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
at org.apache.maven.plugin.DefaultPluginDescriptorCache.get(DefaultPluginDescriptorCache.java:70)
at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getPluginDescriptor(DefaultMavenPluginManager.java:176)
at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getMojoDescriptor(DefaultMavenPluginManager.java:266)
at org.apache.maven.plugin.DefaultBuildPluginManager.getMojoDescriptor(DefaultBuildPluginManager.java:214)
at org.apache.maven.lifecycle.internal.DefaultLifecycleExecutionPlanCalculator.setupMojoExecution(DefaultLifecycleExecutionPlanCalculator.java:155)
at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.lambda$5(MavenProjectFacade.java:547)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.setupMojoExecution(MavenProjectFacade.java:543)
at org.eclipse.m2e.core.internal.project.registry.MavenProjectFacade.getMojoExecution(MavenProjectFacade.java:525)
at org.eclipse.m2e.core.project.configurator.AbstractCustomizableLifecycleMapping.getBuildParticipants(AbstractCustomizableLifecycleMapping.java:71)
at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$1(MavenBuilder.java:107)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:228)
at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.lambda$0(MavenBuilder.java:100)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:214)
at org.eclipse.m2e.core.internal.builder.MavenBuilder$BuildMethod.execute(MavenBuilder.java:83)
at org.eclipse.m2e.core.internal.builder.MavenBuilder.build(MavenBuilder.java:192)
at org.eclipse.core.internal.events.BuildManager$2.run(BuildManager.java:1020)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:247)
at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:303)
at org.eclipse.core.internal.events.BuildManager$1.run(BuildManager.java:392)
at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
at org.eclipse.core.internal.events.BuildManager.basicBuild(BuildManager.java:395)
at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:506)
at org.eclipse.core.internal.events.BuildManager.basicBuildLoop(BuildManager.java:454)
at org.eclipse.core.internal.events.BuildManager.build(BuildManager.java:536)
at org.eclipse.core.internal.events.AutoBuildJob.doBuild(AutoBuildJob.java:196)
at org.eclipse.core.internal.events.AutoBuildJob.run(AutoBuildJob.java:289)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:3.3.0
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:242)
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:172)
at org.eclipse.aether.internal.impl.DefaultRepositorySystem.readArtifactDescriptor(DefaultRepositorySystem.java:268)
at org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver.resolve(DefaultPluginDependenciesResolver.java:104)
... 37 more
Caused by: org.eclipse.aether.resolution.ArtifactResolutionException: The following artifacts could not be resolved: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 (absent): org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:456)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:261)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:242)
at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:231)
... 40 more
Caused by: org.eclipse.aether.transfer.ArtifactTransferException: org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 failed to transfer from https://COMPANYURL/repository/public-maven during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of UBSMavenRepository has elapsed or updates are forced. Original error: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:3.3.0 from/to UBSMavenRepository (https://COMPANYURL/repository/public-maven): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.newException(DefaultUpdateCheckManager.java:214)
at org.eclipse.aether.internal.impl.DefaultUpdateCheckManager.checkArtifact(DefaultUpdateCheckManager.java:180)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.gatherDownloads(DefaultArtifactResolver.java:565)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:504)
at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:433)
... 43 more
答案1
得分: 1
谢谢howlger为您的帮助!
事实上,原来的“解析失败”已经在我的本地仓库中被缓存。从一个空的仓库开始可以正常工作。我还验证了在从我的本地仓库中删除以下文件后,解析也能正常工作:
在${localrepo}目录下查找类型为文件、名称为m2e-lastUpdated.properties的文件并删除:-exec rm {} ;
在${localrepo}目录下查找类型为文件、名称匹配“*.lastUpdated”的文件并删除:-exec rm {} ;
所以,解析失败可能是由于JVM在没有所需证书的情况下进行解析的时间。有点不幸的是,这种情况一直存在(我本来希望最后一次更新的“缓存”,特别是解析失败的尝试,会过期)。
英文:
Well, that is a bit curious. Thank you howlger for your assistance!
Indeed, it turns out that the "failed resolution" was cached in my local repository. Starting from an empty repository works. I also verified that after deleting the following files from my local repository the resolution works as well:
find ${localrepo} -type f -name m2e-lastUpdated.properties -exec rm {} \;
find ${localrepo} -type f -name "*.lastUpdated" -exec rm {} \;
So, the failed resolution probably came from a time when the JVM did not have the required certificates. It is a bit unfortunate that this turned out to be persistent (I would have expected the last update "cache" to expire, especially for failed resolution attempts).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论