Maven project build fails when downloading a jar with wget using download-maven-plugin due to SSLHandshakeException: ValidatorException: PKIX path building failed

I am trying to build the NewRelic nrjmx project using Maven. During the build I get the following error:

    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    [WARNING] Could not get content
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException (Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal (SSLSocketImpl.java:1946)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:397)
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build (SunCertPathBuilder.java:141)

I am using download-maven-plugin for this.


Trying to solve the problem, I imported the GitHub certificate into mavenRepoKeystore, which is also explicitly specified in the JVM options along with -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2.

All of this runs on Windows 10. Because I thought it might be a Windows issue, I also imported the GitHub certificate into the Windows store, using mmc.exe as well.

Last but not least, I added the JVM option -Djavax.net.debug=ssl:handshake:verbose and got the following [posting only the most relevant part IMHO, and it is still too big]:

Found trusted certificate:
  Version: V3
  Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: <string deleted due to space stakeoverflow space limits>
  public exponent: 65537
  Validity: [From: Mon May 04 20:00:00 EDT 2020,
               To: Tue May 10 08:00:00 EDT 2022]
  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    0557c80b 282683a1 7b0a1144 93296b79]

Certificate Extensions: 10
[1]: ObjectId: Criticality=false
Extension unknown: DER encoded OCTET string =
<string deleted due to space stakeoverflow space limits>

[2]: ObjectId: Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt

[3]: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75   3C CC D9 65 64 62 A2 12  Qh.....u<..edb..
0010: B8 59 72 3B                                        .Yr;

[4]: ObjectId: Criticality=true
  PathLen: undefined

[5]: ObjectId: Criticality=false
CRLDistributionPoints [
     [URIName: http://crl3.digicert.com/sha2-ha-server-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/sha2-ha-server-g6.crl]

[6]: ObjectId: Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: []
[]  ]

[7]: ObjectId: Criticality=false
ExtendedKeyUsages [

[8]: ObjectId: Criticality=true
KeyUsage [

[9]: ObjectId: Criticality=false
SubjectAlternativeName [
  DNSName: github.com
  DNSName: www.github.com

[10]: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 63 02 D2 5D 02 5F F7 8D   D5 5A 12 9E 76 11 36 96  c..]._...Z..v.6.
0010: 86 2C 8A 48                                        .,.H

  Algorithm: [SHA256withRSA]
  <string deleted due to space stakeoverflow space limits>

main, READ: TLSv1.2 Handshake, length = 333
check handshake state: server_key_exchange[12]
update handshake state: server_key_exchange[12]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 112296508858380326870690677452737829048060531381886774137631438376204697373330
  public y coord: 12801830262323178422868437149828104712667535421417034366099358551680797824620
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
check handshake state: server_hello_done[14]
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 145, 254, 200, 140, 177, 112, 135, 121, 15, 148, 254, 174, 65, 122, 88, 160, 142, 93, 207, 110, 29, 231, 60, 24, 66, 157, 230, 45, 249, 233, 231, 250, 73, 148, 60, 58, 208, 93, 185, 124, 237, 175, 244, 139, 129, 43, 83, 161, 82, 188, 12, 53, 44, 218, 71, 17, 235, 136, 153, 234, 84, 238, 75, 13 }
update handshake state: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 70
PreMaster Secret:
0000: 22 9E BD 05 55 E1 BD 1C   46 C9 63 C3 93 36 EA 2B  "...U...F.c..6.+
0010: 9C 8C A7 BB 71 8E 6F 78   BA 6A 2F 97 7B B4 0A 45  ....q.ox.j/....E
Client Nonce:
0000: 5E BD 82 D0 42 25 5B 4A   CE 91 ED F3 B9 D2 8E 96  ^...B%[J........
0010: 18 5C A2 FC D0 44 9B 80   20 2E F7 42 BB F6 99 9A  .\...D.. ..B....
Server Nonce:
0000: 97 7C A3 1D 5A 66 DA E8   D6 15 6E E7 15 C9 67 2B  ....Zf....n...g+
0010: 88 32 9C 07 6D 93 BB 2E   44 4F 57 4E 47 52 44 01  .2..m...DOWNGRD.
Master Secret:
0000: A9 53 88 20 5E 46 89 B6   8A 59 B6 11 FC 20 EF 27  .S. ^F...Y... .'
0010: A8 28 52 BC 9D 77 56 51   6A 7C E5 44 3C E3 56 40  .(R..wVQj..D<.V@
0020: A9 7A B5 EA E7 16 E4 6A   0D D4 62 BC 32 54 AA AB  .z.....j..b.2T..
... no MAC keys used for this cipher
Client write key:
0000: B0 E9 EA A7 30 CF F4 3B   55 83 85 EB 29 08 B0 4D  ....0..;U...)..M
Server write key:
0000: 92 A8 61 CF CA 14 E3 90   DC 9D B1 27 2B 2D 70 77  ..a........'+-pw
Client write IV:
0000: 3A 05 A7 14                                        :...
Server write IV:
0000: 36 56 D5 86                                        6V..
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 121, 53, 115, 17, 105, 60, 72, 138, 10, 32, 6, 190 }
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 40
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data:  { 203, 226, 74, 104, 167, 159, 8, 209, 0, 221, 10, 209 }
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 230
main, READ: TLSv1.2 Application Data, length = 1394
main, READ: TLSv1.2 Application Data, length = 1394
May 14, 2020 1:41:36 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: _octo=GH1.1.1524630517.1589478096; Path=/; Domain=github.com; Expires=Fri, 14 May 2021 17:41:36 GMT; Secure". Invalid 'expires' attribute: Fri, 14 May 2021 17:41:36 GMT
May 14, 2020 1:41:36 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 14 May 2021 17:41:36 GMT; HttpOnly; Secure". Invalid 'expires' attribute: Fri, 14 May 2021 17:41:36 GMT
main, READ: TLSv1.2 Application Data, length = 532
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1572635088 bytes = { 253, 132, 157, 102, 61, 55, 115, 13, 207, 212, 137, 21, 117, 149, 228, 18, 254, 181, 156, 120, 235, 17, 138, 234, 79, 114, 171, 126 }
Session ID:  {}
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=github-production-release-asset-2e65be.s3.amazonaws.com]
Extension renegotiation_info, renegotiated_connection: <empty>
main, WRITE: TLSv1.2 Handshake, length = 260
main, READ: TLSv1.2 Handshake, length = 91
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1682120714 bytes = { 220, 181, 160, 130, 53, 2, 124, 163, 112, 111, 54, 245, 190, 27, 92, 33, 151, 31, 160, 137, 254, 83, 67, 43, 251, 89, 161, 97 }
Session ID:  {70, 235, 36, 129, 156, 158, 235, 185, 172, 166, 214, 240, 165, 12, 80, 32, 116, 189, 245, 143, 47, 108, 56, 147, 91, 165, 181, 159, 36, 212, 150, 94}
Compression Method: 0
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
Extension renegotiation_info, renegotiated_connection: <empty>
%% Initialized:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, READ: TLSv1.2 Handshake, length = 2900
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
  Version: V3
  Subject: CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: <string deleted due to space stakeoverflow space limits>
  public exponent: 65537
  Validity: [From: Fri Nov 08 19:00:00 EST 2019,
               To: Fri Mar 12 07:00:00 EST 2021]
  Issuer: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    082df68e e9c69315 bebf7207 9b3810fd]

Certificate Extensions: 10
[1]: ObjectId: Criticality=false
Extension unknown: DER encoded OCTET string =
<string deleted due to space stakeoverflow space limits>                                                .

[2]: ObjectId: Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt

[3]: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 12 B2 28 74 68 46 67   E9 70 25 74 1A 00 45 5B  ...(thFg.p%t..E[
0010: 06 7D 5C 44                                        ..\D

[4]: ObjectId: Criticality=true
  PathLen: undefined

[5]: ObjectId: Criticality=false
CRLDistributionPoints [
     [URIName: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl]

[6]: ObjectId: Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: []
[]  ]

[7]: ObjectId: Criticality=false
ExtendedKeyUsages [

[8]: ObjectId: Criticality=true
KeyUsage [

[9]: ObjectId: Criticality=false
SubjectAlternativeName [
  DNSName: *.s3.amazonaws.com
  DNSName: s3.amazonaws.com

[10]: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DD F2 26 00 64 B7 CA F7   5C A6 96 A6 D7 AC CB E1  ..&.d...\.......
0010: 27 15 0C 13                                        '...

  Algorithm: [SHA256withRSA]
<string deleted due to space stakeoverflow space limits>

chain [1] = [
  Version: V3
  Subject: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: <string deleted due to space stakeoverflow space limits>
  public exponent: 65537
  Validity: [From: Tue Dec 08 07:05:07 EST 2015,
               To: Sat May 10 08:00:00 EDT 2025]
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  SerialNumber: [    0182f809 8ea2e626 b91a3b27 841fb9af]

Certificate Extensions: 7
[1]: ObjectId: Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com

[2]: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GX....T6..:
0010: B5 04 4D F0                                        ..M.

[3]: ObjectId: Criticality=true

[4]: ObjectId: Criticality=false
CRLDistributionPoints [
     [URIName: http://crl3.digicert.com/Omniroot2025.crl]

[5]: ObjectId: Criticality=false
CertificatePolicies [
  [CertificatePolicyId: []
[PolicyQualifierInfo: [
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]

[6]: ObjectId: Criticality=true
KeyUsage [

[7]: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 12 B2 28 74 68 46 67   E9 70 25 74 1A 00 45 5B  ...(thFg.p%t..E[
0010: 06 7D 5C 44                                        ..\D

  Algorithm: [SHA256withRSA]
<string deleted due to space stakeoverflow space limits>

%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[WARNING] Could not get content
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any help, or even a relevant hint pointing me in the right direction, would be much appreciated.

Thanks in advance, and I look forward to hearing from you.

It seems I have solved my problem. First of all, I must give credit to an old post on the AWS developer forum, "Trusted certificate not found", which gave me the hint.

Instead of using the cacerts keystore from my Java distribution, I had decided to create my own store in the local Maven repository folder .m2. In short, going back to the original cacerts and importing all the necessary certificates there solved the problem.

I hope this may help someone in the future.

Cheers! And happy coding to everyone!

Valery Tamashevich, 15.05.2020
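
The `javax.net.debug` output quoted in the question can be read mechanically to find which CA a custom trust store is missing: the failing handshake is the one to the S3 host, and its chain ends at a root that the imported GitHub certificate does not cover. The following is an added example, not part of the original post; the function name `failed_handshakes` and the shortened sample log are constructed here, using only the subjects and issuers that appear in the quoted output.

```python
import re

# Constructed sample: a shortened excerpt of javax.net.debug output, built from
# the subjects and issuers that appear in the log quoted in the question.
SAMPLE_LOG = """\
Found trusted certificate:
  Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Extension server_name, server_name: [type=host_name (0), value=github-production-release-asset-2e65be.s3.amazonaws.com]
*** Certificate chain
chain [0] = [
  Subject: CN=*.s3.amazonaws.com, O="Amazon.com, Inc.", L=Seattle, ST=Washington, C=US
  Issuer: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
chain [1] = [
  Subject: CN=DigiCert Baltimore CA-2 G2, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
"""

SNI_RE = re.compile(r"server_name: \[type=host_name \(0\), value=([^\]]+)\]")
CHAIN_RE = re.compile(r"^chain \[(\d+)\] = \[")
FIELD_RE = re.compile(r"^\s*(Subject|Issuer): (.+?)\s*$")
ALERT_RE = re.compile(r"ALERT:\s+fatal, description = certificate_unknown")


def failed_handshakes(log_text):
    """Return one dict per handshake that ended in certificate_unknown."""
    results, host, chain, in_chain = [], None, [], False
    for line in log_text.splitlines():
        sni = SNI_RE.search(line)
        if sni:  # ClientHello SNI: a new handshake starts here
            host, chain, in_chain = sni.group(1), [], False
            continue
        if line.startswith("*** Certificate chain"):
            in_chain = True
            continue
        if in_chain and CHAIN_RE.match(line):
            chain.append({})
            continue
        field = FIELD_RE.match(line)
        if in_chain and field and chain:
            # Keep the first Subject/Issuer seen for the current chain entry.
            chain[-1].setdefault(field.group(1), field.group(2))
            continue
        if ALERT_RE.search(line) and chain:
            results.append({
                "host": host,
                "subjects": [c.get("Subject") for c in chain],
                # Issuer of the last certificate the server sent: this CA has
                # to be present as a trust anchor in the trust store in use.
                "needed_anchor": chain[-1].get("Issuer"),
            })
            in_chain = False
    return results


if __name__ == "__main__":
    for r in failed_handshakes(SAMPLE_LOG):
        print(r["host"], "->", r["needed_anchor"])
```

Whether the reported anchor is present in a given store can then be checked with `keytool -list -keystore <path-to-truststore>`.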