Maven snapshot dependency

Question

There are two projects Pm and Pd. They are separate Jenkins projects that can be built separately. Pm depends on Pd and it is a snapshot version dependency.

Recently an issue occurs during building Pm. It complains of not being able to download Pd jar from the remote repository with this error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

Though the error suggests a possible issue with JVM certificate, it looks like not as other jars from the same remote repository can be downloaded successfully.

If manually builds Pd first (local repository has a Pd snapshot jar and remote repository has the deployed timestamped Pd jar), then builds Pm, it works OK as it does not try to download Pd jar from remote repository.
But a few days later, without any change of Pd, when Pm builds (this time Pd is not manually built), it invokes a packaging of Pd dynamically which I didn't figure out why. In this case, local repository has the Pd snapshot jar from last time, and the remote repository has a newly deployed timestamp Pd jar. It then tries to download this new timestamp Pd jar from remote repository and cannot download the jar with error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

Please help with the following questions (not sure if it matters: the maven version used is 3.6.3):

1. Is maven supposed to build the dependency on the fly or just use the latest one in the repositories? For example, Pm depends on Pd. Will Pm just uses the latest version of Pd in repository (and if Pd jar is not available, it complains cannot find Pd), or will Pm builds Pd each time when Pm builds? What decides which behavior? I observed the 2nd case (each time Pm builds, it packages a new Pd jar in remote repository without installing Pd jar to local repository) and I didn't figure out why----what makes it generate a new Pd jar (only the timestamped Pd jar deployed to remote repository without a new snapshot Pd jar in local repository) and do not use the latest Pd jar?

2. Why cannot the newly generated Pd jar be downloaded with an "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException"? Any clue what could be wrong? As mentioned earlier, all other jars can be downloaded successfully from the same remote repository except this newly generated Pd jar, so it seems not a JVM certificate issue in building machine.

Answer 1

The error indicates problems with SSL certificates. I guess the remote repository is accessible via https, and it may have changed it's certificate so the client does no longer trust the server and refuses to communicate. It need not even be the remote repository server. Your organization setting up a proxy server that mangles SSL connections is sufficient for this error to occur.

You describe the problem does not exist if the projects get built locally - this is when the repository server does not have to be contacted which supports above theory.

Check a tutorial like https://resources.weboffice.vertigis.com/Documentation/WebOffice102/EN/howto_install_certs_to_truststore.htm (there are many out there) how to add your repository's public certificate to your maven's truststore.

But to answer your questions:

1. Maven is not supposed to automatically build the dependencies unless they are subprojects of the current project (this refers to multi module projects ). It will try to access the already compiled dependencies from the repository, preferring the local one (which also caches) above the remote.

2. Did you verify Maven still downloads other dependencies? After all they get cached, so unless you clear the cache or modify your dependencies (name/version) there is no need to do that again - and you mention this recently occurred. To clean the cache check out https://stackoverflow.com/a/22671261/4222206