PKIX path building failed

Affected versions: All supported Apache Maven versions.

What This Error Means

The JVM running Maven cannot validate the HTTPS certificate chain of the repository, so Maven refuses the connection.

How to Fix It

  1. Determine whether you are connecting directly to the repository or through a corporate TLS proxy/VPN.
  2. If the repository is internal (or TLS is intercepted), obtain the correct root CA certificate (and any required intermediates).
  3. Create a dedicated trust store and import the CA: keytool -importcert -alias repo-ca -file /path/to/ca.pem -keystore /path/to/truststore.jks.
  4. Tell Maven/Java to use that trust store (for example via MAVEN_OPTS): export MAVEN_OPTS='-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=<password>'.
  5. Retry the Maven command. If it works, apply the same trust store configuration to CI runners (environment variables or .mvn/jvm.config).
  6. If you control the repository, fix the server TLS configuration to serve a complete, valid chain.

Why It Happens

  • The repository is using a certificate signed by a CA that the JVM does not trust.
  • A corporate proxy is intercepting HTTPS and presenting a certificate signed by an internal CA.
  • The server is serving an incomplete chain (missing intermediate CA certificates).
  • System time is incorrect, which can cause certificate validity checks to fail.

How to Verify

  1. Re-run the original Maven goal and confirm the PKIX error no longer appears.
  2. Confirm Maven can download at least one artifact from the affected repository.

Manual TLS validation checklist

  1. Confirm the repository URL Maven is using (copy it from the error output).
  2. Inspect the certificate chain served by the host: openssl s_client -showcerts -connect <host>:443 -servername <host> </dev/null.
  3. Confirm which Java runtime Maven is using: mvn -v (then check that Java's trust store is the one you are updating).
  4. If you already have the correct root CA certificate, verify whether it is trusted by your JVM trust store using keytool -list.
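
The chain inspection in step 2 can be reduced to the facts that matter for the JVM trust store. The following is an added example, not code from this page or from Apache Maven: the function name chain_summary and the sample captures are assumptions constructed for illustration. It reads saved `openssl s_client -showcerts` output and reports how many certificates the server sent, whether they link to each other, and which issuer sits at the top of the served chain.

```shell
#!/bin/sh
# chain_summary: read saved `openssl s_client -showcerts` output on stdin and
# summarise its "Certificate chain" section. Added example; names are assumed.
chain_summary() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/  { in_chain = 1; next }
    /^Server certificate/ { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0 }
    END {
      if (n == 0) { print "certs=0"; exit 1 }
      linked = "yes"  # each issuer must equal the subject of the next cert
      for (k = 0; k < n - 1; k++) if (iss[k] != subj[k + 1]) linked = "no"
      print "certs=" n
      print "linked=" linked
      # Issuer of the last cert served. PKIX can succeed only if the JVM trust
      # store holds this CA or a certificate from the served chain.
      print "top_issuer=" iss[n - 1]
      print "root_served=" (iss[n - 1] == subj[n - 1] ? "yes" : "no")
    }'
}

# Constructed captures (PEM bodies omitted); every name below is made up.
DIRECT='Certificate chain
 0 s:CN = repo.example.internal
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
---
Server certificate'
INTERCEPTED='Certificate chain
 0 s:CN = repo.example.internal
   i:CN = Example Corp Inspection CA
---
Server certificate'
MISSING_INTERMEDIATE='Certificate chain
 0 s:CN = repo.example.internal
   i:CN = Example Issuing CA
 1 s:CN = Example Root CA
   i:CN = Example Root CA
---
Server certificate'

echo "== direct";               printf '%s\n' "$DIRECT" | chain_summary
echo "== intercepted";          printf '%s\n' "$INTERCEPTED" | chain_summary
echo "== missing intermediate"; printf '%s\n' "$MISSING_INTERMEDIATE" | chain_summary
```

Compare top_issuer with the Owner lines printed by keytool -list -v for the trust store Maven's JVM actually uses. A result of linked=no points to a server-side chain problem rather than a missing CA on the client.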

Common CLI Output

[ERROR] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed

How Maven verifies TLS certificates

  1. Maven uses the JVM's TLS implementation to connect to HTTPS repositories.
  2. The JVM must trust the certificate chain presented by the repository (leaf + intermediates up to a trusted root CA).
  3. Corporate TLS interception proxies commonly cause this error if the corporate root CA is not trusted by the JVM.

Prevention Tips

  • Standardize Java runtimes and trust store configuration across developer machines and CI.
  • Avoid TLS interception for build traffic when possible; otherwise, distribute the corporate root CA as part of build tooling.
  • Monitor certificate expiry and chain completeness for internal repositories.

Where This Can Be Triggered

github.com/apache/maven/blob/maven-3.9.6/maven-core/src/main/java/org/apache/maven/project/DefaultProjectDependenciesResolver.java

Maven surfaces resolver transfer failures by rethrowing a DependencyResolutionException that includes the underlying SSL/PKIX failure message (e.getMessage()).

String msg = "Could not resolve dependencies for project " + project.getId() + ": " + e.getMessage();
DependencyResolutionException dex = new DependencyResolutionException(msg, e);
dex.setResult(e.getResult());
throw dex;
