[Solved] PKIX Path Building Failed: Unable to Find Valid Certification Path to Requested Target


The problem

When you try to pull Java dependencies, you may get the annoying PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target error. It means the JVM could not build a chain from the server's certificate to a certificate authority in its trust store (cacerts).

It may look something like this:

Could not transfer artifact org.springframework.boot:spring-boot-starter-parent:pom:2.4.0 from/to tpvr-ibm (https://nexus-***.***.***.***:8081/nexus/content/repositories/tpvr-ibm): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  1. Go to the URL in your browser:
    • Firefox – click the HTTPS lock icon right next to the URL address. Click "more info" > "security" > "show certificate" > "details" > "export..". Pick a name and choose the file type, e.g. example.cer
    • Chrome – click the site icon to the left of the address in the address bar, select “Certificate” -> “Details” -> “Export” and save in the format “Der-encoded binary, single certificate”.
  2. Now you have the certificate file and you have to add it to your JVM's trust store. Determine the location of the cacerts file:
    • Windows: C:\Program Files (x86)\Java\jre1.8.0_22\lib\security\cacerts
    • Mac: /Library/Java/JavaVirtualMachines/jdk1.8.0_221.jdk/Contents/Home/jre/lib/security/cacerts
  3. Next, import the example.cer file into cacerts from the command line:

What commands to run

Navigate to the security path:

cd /Library/Java/JavaVirtualMachines/jdk1.8.0_221.jdk/Contents/Home/jre/lib/security

Run the keytool and import the certificate file into the cacerts store:

keytool -import -alias example -keystore cacerts -file /path/to/example.cer

You will be asked for the keystore password; the default is changeit.

Restart your JVM/PC.
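A check to run before the import step, as an added example that is not part of the original post: it compares the exported file's SHA-256 fingerprint with a value obtained out of band (for example from the repository's administrator) and calls keytool only when they match. The function names and arguments are assumptions, as is the availability of sha256sum or shasum and a base64 that accepts -d.

```shell
#!/bin/sh
# Added example: gate the keytool import on an out-of-band fingerprint check.
# Function names and arguments are assumptions, not part of the original post.

# SHA-256 of stdin as lowercase hex (sha256sum on Linux, shasum on macOS).
hash256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# Fingerprint of the certificate's DER bytes. Handles the binary DER export
# and a PEM export (Base64 between BEGIN/END lines; first certificate only).
cert_sha256() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        awk '/-----END CERTIFICATE-----/ {exit}
             body {print}
             /-----BEGIN CERTIFICATE-----/ {body = 1}' "$1" |
            tr -d ' \r\n' | base64 -d | hash256
    else
        hash256 < "$1"
    fi
}

# Succeeds only when the file hashes to the expected fingerprint. Accepts the
# value as keytool prints it (AB:CD:...) or as plain hex.
verify_cert() {
    [ -r "$1" ] || return 2
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] && [ "$(cert_sha256 "$1")" = "$want" ]
}

# usage: import_verified <cert-file> <expected-sha256> <alias> <cacerts-path>
import_verified() {
    if verify_cert "$1" "$2"; then
        keytool -importcert -noprompt -alias "$3" -keystore "$4" -file "$1"
    else
        echo "fingerprint mismatch for $1: not importing" >&2
        return 1
    fi
}

if [ "$#" -eq 4 ]; then import_verified "$@"; fi
```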

Keytool command reference

keytool -importcert -trustcacerts -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storepass changeit -alias <alias_name> -file <path_to_crt_file>

Some other things you can try

  • Copy a valid cacerts file from the Oracle (or any other vendor's) JDK into $JAVA_HOME/lib/security/
  • Copy a valid cacerts file from the Oracle (or any other vendor's) JRE into $JAVA_HOME/jre/lib/security/

An alternative solution (development)

As an alternative, you can simply disable SSL validation.

Make sure to only do this while in development mode. Doing this in production is not recommended and is unsafe.

-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true

The above are two command-line arguments that turn off Maven's SSL certificate validation at runtime.