
maven is “unable to find valid certification path to requested target” - letsencrypt ssl certificate

I recently switched to Let's Encrypt certificates for my Maven repo (Artifactory behind Apache proxy). Repo access via browser works fine, showing no problems with the certificate (screenshot below).

It also works if I import the certificate manually into the Java keystore.

But according to this SO question, Java should accept Let's Encrypt certificates starting with 8u101.

I am always getting this exception:

sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target -> [Help 1]


C:\myproject>mvn -version
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00)
Maven home: C:\maven
Java version: 1.8.0_112, vendor: Oracle Corporation
Java home: C:\jdk1.8_win64\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "dos"

Finally figured it out, 3 months later...

The Apache server in front of the Maven Artifactory repository was not configured to provide the intermediate certificate in the chain.

I downloaded the intermediate certificate - Let's Encrypt Authority X3 (IdenTrust cross-signed) - and configured Apache to serve it, too.

Actually, the domain.crt file contains both the domain and the intermediate certificate, and for all of my test browsers that was always good enough. But the Eclipse/Maven setup on that one machine could not handle it.

I only started to look into the Apache config after an SSL Labs check told me that the certificate chain was incomplete (even though no browser seemed to care).

Before:

  SSLEngine On
  SSLCertificateFile "path/to/domain.crt"
  SSLCertificateKeyFile "path/to/domain.key"

After:

  SSLEngine On
  SSLCertificateFile "path/to/domain.crt"
  SSLCertificateKeyFile "path/to/domain.key"
  SSLCertificateChainFile "path/to/letsencrypt-authority-x3-identrust.pem"
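
As an added example (not part of the original answer), this Python sketch checks name chaining in the "Certificate chain" summary printed by `openssl s_client -connect host:443 -servername host -showcerts`, which is where a missing intermediate shows up. The two sample outputs, the host name repo.example.com and the trust-anchor set are constructed for illustration, and the check compares names only; it does not verify signatures.

```python
import re

# Constructed s_client summaries; repo.example.com is a placeholder host.
BEFORE = """\
Certificate chain
 0 s:CN = repo.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
"""
AFTER = """\
Certificate chain
 0 s:CN = repo.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Assumption: the client's trust store contains this root and nothing else relevant.
TRUST_ANCHORS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}

SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")


def served_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_issuers(chain, anchors=TRUST_ANCHORS):
    """Issuers that are neither sent by the server nor trust anchors.

    A client that builds the path only from the handshake certificates and
    its trust store cannot link these, which gives the PKIX failure above.
    """
    served = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in served and issuer not in anchors]
```

An empty result from `missing_issuers` corresponds to the "After" configuration. On Apache httpd 2.4.8 and later, `SSLCertificateChainFile` is deprecated and `SSLCertificateFile` also loads intermediate certificates from the same file.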
