leiningen：如何关闭ssl验证？

Question

I'm a first-time leiningen user on Windows. When I run lein run I get the following error:

C:\Users\me\clojure-app>lein run
Could not transfer artifact org.clojure:clojure:pom:1.7.0 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Could not transfer artifact org.clojure:tools.nrepl:pom:0.2.10 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Could not transfer artifact clojure-complete:clojure-complete:pom:0.2.3 from/to central (https://repo1.maven.org/maven2/): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This could be due to a typo in :dependencies or network issues.
If you are behind a proxy, try setting the 'http_proxy' environment variable.

My http_proxy and https_proxy environment variables are indeed set properly.

I'm behind a corporate firewall that re-signs web traffic with its own SSL certificates, which I suspected could be the root of my issues. However, I set my HTTP_CLIENT environment variable to:

curl --insecure -f -L -o

...to avoid SSL verification (as suggested by this note in the installation help ) but that did not change the error message.

So, my root question, I suppose is: what steps must a user take to get lein run to successfully bring down dependencies on a Windows machine that is behind a corporate firewall that re-signs SSL traffic? :o)

Answer 1

Here are some options in inverse order of crazyness (least crazy first)

• Add you companies proxy to your trust store, and don't do anything special in Leiningen that you will have to remember to do again the next time you change projects or computers. You may also need to add it to the Java JVM's certificate store in addition to the systems (this is very likely your problem)
• Add you companies proxy certificate to the project's project.clj's :certificate section This way if the certificate needs to be changed than only one person needs to change it and the whole team will get the benefit.
• Many companies have an internal caching maven proxy such as Nexus that will automatically fetch and cache dependencies and then make them quickly available to people inside the network. Find out if you have one of these by asking around or looking in .pom file on Java projects for the config.
• Go home, or to a local coffee shop, download the dependencies, and then come back to the office. A walk and some fresh air is always good after dealing with TLS certs anyway.
• Download the file manually, with your browser and put them in the .m2 directory yourself.

I'm really trying to not be snooty, by omitting an answer to your actual question. I do realize that there is not an option to disable security on this list. That's on purpose because one of there options will surely work and will make your life much better for knowing how to use these. If it still comes across as pretentious then please accept my most sincere apology along with the answer.

Answer 2

To elaborate on Arthur's answer and save a trip to google for the command: To add the certificate to the JRE's truststore, use this keytool command:

keytool -import -trustcacerts -file CompanyMitmProxyCertificate.crt -alias ZScaler -keystore cacerts

Where: "CompanyMitmProxyCertificate.crt" is the certificate for your company's man-in-the-middle-attack cert and 'cacerts' is the keystore for your jre located under "\\lib\\security". The default password for the keystore is 'changeit'.