What This Error Means
The JVM running Maven cannot validate the HTTPS certificate chain of the repository, so Maven refuses the connection.
How to Fix It
Determine whether you are connecting directly to the repository or through a corporate TLS proxy or VPN.
Run mvn -v first so you know exactly which Java runtime and trust store you are fixing.
If the repository is internal or TLS is intercepted, obtain the correct root CA certificate (and any required intermediates).
Create a dedicated trust store and import the CA:keytool -importcert -alias repo-ca -file /path/to/ca.pem -keystore /path/to/truststore.jks
Tell Maven and Java to use that trust store (for example via MAVEN_OPTS or .mvn/jvm.config): -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=<password>.
Prefer that dedicated trust store over modifying the global JDK trust store unless you need a machine-wide fix.
If you control the repository, fix the server TLS configuration to serve a complete, valid chain.
Why It Happens
The repository is using a certificate signed by a CA that the JVM does not trust.
A corporate proxy is intercepting HTTPS and presenting a certificate signed by an internal CA.
The server is serving an incomplete chain (missing intermediate CA certificates).
System time is incorrect, which can cause certificate validity checks to fail.
How to Verify
Re-run the original Maven goal and confirm the PKIX error no longer appears.
Confirm Maven can download at least one artifact from the affected repository.
Manual TLS validation checklist
Confirm the repository URL Maven is using by copying it from the error output or mvn -X logs.
Confirm which Java runtime Maven is using:mvn -v (then compare that runtime with the one used in CI or your container base image).
Inspect the certificate chain served by the host:openssl s_client -showcerts -connect <host>:443 -servername <host> </dev/null
If you already have the correct root CA certificate, verify whether it is trusted by the JVM trust store you actually plan to use.
Examples
[ERROR] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failedHow Maven verifies TLS certificates
Maven uses the JVM's TLS implementation to connect to HTTPS repositories.
The JVM must trust the certificate chain presented by the repository (leaf + intermediates up to a trusted root CA).
Corporate TLS interception proxies commonly cause this error if the corporate root CA is not trusted by the JVM.
Prevention Tips
Standardize Java runtimes and trust store configuration across developer machines, CI runners, and container images.
Avoid TLS interception for build traffic when possible, otherwise, distribute the corporate root CA as part of build tooling.
Monitor certificate expiry and chain completeness for internal repositories.
Where This Can Be Triggered
github.com/apache/maven/blob/maven-3.9.6/maven-core/src/main/java/org/apache/maven/project/DefaultProjectDependenciesResolver.java
Maven surfaces resolver transfer failures by rethrowing a DependencyResolutionException that includes the underlying SSL/PKIX failure message (e.getMessage()). - GitHub
String msg = "Could not resolve dependencies for project " + project.getId() + ": " + e.getMessage();
DependencyResolutionException dex = new DependencyResolutionException(msg, e);
dex.setResult(e.getResult());
throw dex;