Configuring m2e-core to allow self signed certificate ?

[glhez]

Hello,

I do have an internal Nexus repository with SSL enabled, but with a self signed certificate.

In Maven I could add the certificate using the following commands:

"${JAVA_17_HOME}/bin/keytool" -J-Duser.language=en -printcert -rfc -sslserver "privaterepo:8443" > foobar.pem
"${JAVA_17_HOME}/bin/keytool" -J-Duser.language=en -import -trustcacerts -cacerts -file foobar.pem -alias "privaterepo-nexus" -storepass PASSWORD

Performing a mvn clean install -U worked fine.

But when I am in Eclipse, this fails despite the cacerts.

From the trace found in error logs (and below), I can see that m2e-core is using Aether and okhttp3 (https://github.com/takari/aether-connector-okhttp/blob/master/src/main/java/io/takari/aether/okhttp/OkHttpAetherClient.java#L112).

The JDK is the same (and point to JAVA_17_HOME).

Is there a way to configuring the whole to allow self signed certificate ?

The full trace:

org.eclipse.core.runtime.CoreException: Could not resolve artifact org.eclipse.persistence:org.eclipse.persistence.asm:jar:javadoc:2.7.0
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.lambda$6(MavenImpl.java:587)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:364)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:227)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:213)
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.resolve(MavenImpl.java:556)
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.resolve(MavenImpl.java:541)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.download(DownloadSourcesJob.java:308)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadAttachments(DownloadSourcesJob.java:294)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadMaven(DownloadSourcesJob.java:252)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadFilesAndPopulateToUpdate(DownloadSourcesJob.java:220)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.lambda$0(DownloadSourcesJob.java:149)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:364)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:274)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:213)
	at org.eclipse.m2e.core.embedder.IMaven.execute(IMaven.java:294)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.run(DownloadSourcesJob.java:149)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Contains: Could not transfer artifact org.eclipse.persistence:org.eclipse.persistence.asm:jar:javadoc:2.7.0 from/to nexus (https://privaterepo:8443/repository/cache): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.eclipse.aether.transfer.ArtifactTransferException: Could not transfer artifact org.eclipse.persistence:org.eclipse.persistence.asm:jar:javadoc:2.7.0 from/to nexus (https://privaterepo:8443/repository/cache): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at io.takari.aether.connector.AetherRepositoryConnector$2.wrap(AetherRepositoryConnector.java:889)
	at io.takari.aether.connector.AetherRepositoryConnector$2.wrap(AetherRepositoryConnector.java:1)
	at io.takari.aether.connector.AetherRepositoryConnector$GetTask.flush(AetherRepositoryConnector.java:659)
	at io.takari.aether.connector.AetherRepositoryConnector.get(AetherRepositoryConnector.java:337)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads(DefaultArtifactResolver.java:514)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:402)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:229)
	at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:207)
	at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact(DefaultRepositorySystem.java:262)
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.lambda$6(MavenImpl.java:565)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:364)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:227)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:213)
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.resolve(MavenImpl.java:556)
	at org.eclipse.m2e.core.internal.embedder.MavenImpl.resolve(MavenImpl.java:541)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.download(DownloadSourcesJob.java:308)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadAttachments(DownloadSourcesJob.java:294)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadMaven(DownloadSourcesJob.java:252)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.downloadFilesAndPopulateToUpdate(DownloadSourcesJob.java:220)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.lambda$0(DownloadSourcesJob.java:149)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:364)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:274)
	at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:213)
	at org.eclipse.m2e.core.embedder.IMaven.execute(IMaven.java:294)
	at org.eclipse.m2e.jdt.internal.DownloadSourcesJob.run(DownloadSourcesJob.java:149)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:107)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:87)
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
	at okhttp3.RealCall.execute(RealCall.java:81)
	at io.takari.aether.okhttp.OkHttpAetherClient.execute(OkHttpAetherClient.java:215)
	at io.takari.aether.okhttp.OkHttpAetherClient.get(OkHttpAetherClient.java:161)
	at io.takari.aether.connector.AetherRepositoryConnector$GetTask.getResponse(AetherRepositoryConnector.java:655)
	at io.takari.aether.connector.AetherRepositoryConnector$GetTask.resumableGet(AetherRepositoryConnector.java:600)
	at io.takari.aether.connector.AetherRepositoryConnector$GetTask.run(AetherRepositoryConnector.java:481)
	at io.takari.aether.connector.AetherRepositoryConnector$DirectExecutor.execute(AetherRepositoryConnector.java:915)
	at io.takari.aether.connector.AetherRepositoryConnector.get(AetherRepositoryConnector.java:331)
	... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 60 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 65 more

[laeubi]

I don't think this is something you can configure at m2eclipe, you probbaly can configure this on maven, but I more suspect that your assumption

The JDK is the same (and point to JAVA_17_HOME).

is wrong, has you checked that the JVM running eclipse is pointing to the JAVA_17_HOME?
Help > About Eclipse > Installation Details > System Information and then filter for java.jome

[glhez]

I've checked: path is the same (java.home=E:\apps\portable\java\latest\openjdk-17-hotspot).

I'm not sure how to proceed next to verify what trust store it use?

And before asking, I did a little bit of search: https://stackoverflow.com/questions/23103174/does-okhttp-support-accepting-self-signed-ssl-certs

I don't know if this means that I'd need to roll up a fork of aether which would be kind of complicated, or if somewhere okhttp3 handle that nicely (I would have thought it would).

[laeubi]

I don't know if this means that I'd need to roll up a fork of aether which would be kind of complicated, or if somewhere okhttp3 handle that nicely (I would have thought it would).

This would indeed be complicated as you would need to build a custom m2e as well. And as m2e uses the same "maven" as when you call it from the commandline so why should it work there and not from within eclipse? Have you made sure that the same settings.xml are used on commandline/eclipse and that the same maven version is used?

[glhez]

In the past, I already had divergence between maven and m2e: eclipse-lemminx/lemminx-maven#221
So I would never say that maven and m2e behave exactly the same way even with same settings. :)

Beside, in Eclipse, the dependency resolution is made by the embedded runtime (at least, that's what the Preferences > Maven > Installations screens says): that and the issue mentioned above make me think there is another location.

[laeubi]

Then please provide a minimal reproducible testcase as a PR to deomonstrate the problem.

[glhez]

Another problem which make me thing the resolution does not even use the settings.xml - or at least, not all its content: I have set in my settings.xml a <tools.jar>${env.JAVA8_HOME}/lib/tools.jar</tools.jar> property in an enabled profile because we still use jaxb 2.11 and we do have a warning in Eclipse due to the parent pom referencing a system dependency:

The POM for com.sun.xml.bind:jaxb-xjc:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available: 1 problem was encountered while building the effective model for com.sun.xml.bind:jaxb-xjc:2.2.11
[ERROR] 'dependencyManagement.dependencies.dependency.systemPath' for com.sun:tools:jar must specify an absolute path but is ${tools.jar} @ 

This one spams warnings.
But the tools.jar property is visible in the Effective POM tab of one of any pom with this warning.

@laeubi I've no problem with a test case, but I don't think it will be "simple": it still requires a Nexus repository as a proxy for central in settings.xml with a self signed certificate.

[laeubi]

A testcase should include e.g an embedded jetty server that uses a custom ssl certificate, a full nexus server is not required.

[glhez]

I ran the whole in debug and ran into this error while trying to reproduce my issue:

SSLPeerUnverifiedException: Hostname privaterepo not verified:
    certificate: sha256/...
    DN: CN=PRIVATEREPO, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=FR
    subjectAltNames: []

The error is thrown from this method: RealConnection and the implementation of OkHostnameVerifier only reads the subject alternative names (SAN) and my certificate did not have one.

I did not dig into maven with debug itself but I think the difference of behaviour lies in the use of wagon-http and httpclient 4.5. Its HostnameVerifier validate the CN if no SAN name are found..

From the last commit/PR of OkHostnameVerifier square/okhttp#3764, it seems that the CN check was removed in 2018 for deprecation.

Httpclient5 seems to take notice of the deprecation, but keeps the CN (see DefaultHostnameVerifier) check if no SAN are found.

As for a test case, well, given it was a configuration mistake and that I honestly don't know where to begin to create a test case with jetty + ssl + repository provider + repository consumer, I'll skip it.

I would however be willing to provide a test case (and issue) for the systemPath, which I think affect the Language Server:

• the warning is frustrating in our pom because its spams them.
• there is an error when we use a property for system path in the editor

The dependency below will produce a marker 'dependencies.dependency.systemPath' for dummy:dummy:jar must specify an absolute path but is ${dummy.jar} with type = Language Server while the Effective POM tab properly display the dummy.jar:

    <dependency>
      <groupId>dummy</groupId> <artifactId>dummy</artifactId>            
      <version>1.0.0</version> <scope>system</scope> 
       <systemPath>${dummy.jar}</systemPath> 
    </dependency>

It does not occur if the property is defined in the pom file... but it should honour the settings.

Strangely, if I use another property like plg.eclipse-settings.version it resolve the value (but it fails because it is not a valid absolute path) which means it "sees" some of properties.

[laeubi]

The language server is this one for maven: https://github.com/eclipse/lemminx-maven/ but are you sure it is really a (system)property, that means you have started eclipse with specify that as -Ddummy.jar=/path/to/jar? If yes, I can imagine that system properties of the eclipse-ide are not passed to the language server (not sure if you pass additional ones manually)

[glhez]

You got me wrong:

• the property is defined in maven settings (~/.m2/settings.xml)
• the Effective POM tab shows the property, so it should be available
• when the property is used, the Language Server is unable to resolve it
• when I use another property in the same settings/profile, the Language Server is resolving it fine

But yes, it is a Lemminx problem.