Adding trusted certs

Answered

I recently upgraded from 2020.1.x to 2020.2.4.

I'm having trouble with the Maven integration.  Specifically, when I enable verbose SSL in idea64.exe.vmoptions, I'm getting "pkix path building failed" in idea.log when trying to download dependencies from our internal Artifactory.  I know what this error means and have added both the root and intermediate CAs in the "server certificates" window and can see the changes reflected in AppData\Roaming\JetBrains\IdeaIC2020.2\ssl\cacerts.  However, this doesn't solve the problem.  According to verbose SSL output:

trustStore is: C:\Program Files (x86)\JetBrains\IntelliJ IDEA Community Edition 2020.2.4\jbr\lib\security\cacerts

Adding my company's internal CA to the server certificates configuration did eliminate an error at startup regarding contacting plugins.jetbrains.com (we have a proxy that substitutes our own certs for the "real" certs from external sites) but doesn't help the Maven situation.

I cannot update the JBR cacerts because I don't have admin rights.

Running Maven on the command line works fine because it uses the Oracle JDK that I have installed, which has been updated with my company's CAs.

I've used IntelliJ for a million years and have not had this much trouble with certs before.  Perhaps something has changed in 2020.4?  The fact that adding the certs to the "server certificates" config didn't work seems like a bug.  If not, and the only solution is to update the JBR cacerts, I will lean harder on my company's support team to do that.

thanks

0
5 comments

Please note that IntelliJ IDEA and Maven can be configured to use completely different runtimes/JDK.

IntelliJ IDEA runs on the bundled JetBrains Runtime. Maven uses the JDK you configure in the project settings: https://i.imgur.com/SbuV0a9.png. So you need to update the certs for this JDK as well.

You don't need to replace the original cacerts files. Instead instruct IntelliJ IDEA to use the keystore from a different location by adding the following in Help | Edit Custom VM Options:

-Djavax.net.ssl.trustStore=/path/to/cacerts

This way you will not need administrator permissions to modify your IntelliJ IDEA installation.

0
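The approach in the answer above, sketched as an added example that is not part of the original thread: build a user-writable copy of the bundled trust store, import the internal CAs with keytool, and point the JVM at the copy through the standard javax.net.ssl.trustStore property. The CA file names, aliases, target directory and the use of keytool from JAVA_HOME are assumptions; the JBR path is the one from the verbose SSL output in the question.

```powershell
# Added example. Aliases, CA file locations and the target directory are assumptions.
$keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'   # keytool from any installed JDK
$baseStore = 'C:\Program Files (x86)\JetBrains\IntelliJ IDEA Community Edition 2020.2.4\jbr\lib\security\cacerts'
$userStore = Join-Path $env:USERPROFILE '.truststore\cacerts'   # needs no admin rights
$storePass = 'changeit'                                         # default password of a stock cacerts

# Hypothetical exports of the company root and intermediate CA certificates.
$caFiles = [ordered]@{
    'corp-root-ca'         = 'C:\certs\corp-root.cer'
    'corp-intermediate-ca' = 'C:\certs\corp-intermediate.cer'
}

# A custom trust store replaces the default one instead of extending it,
# so start from a copy that still holds all the public roots.
New-Item -ItemType Directory -Force -Path (Split-Path $userStore) | Out-Null
Copy-Item -Path $baseStore -Destination $userStore -Force -ErrorAction Stop

foreach ($alias in $caFiles.Keys) {
    $file = $caFiles[$alias]
    if (-not (Test-Path $file)) { throw "CA file not found: $file" }

    & $keytool -importcert -noprompt -trustcacerts `
        -alias $alias -file $file `
        -keystore $userStore -storepass $storePass
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for alias '$alias'" }
}

# Confirm each alias is present and show its fingerprint, so it can be
# compared against the value published by whoever operates the CA.
foreach ($alias in $caFiles.Keys) {
    & $keytool -list -alias $alias -keystore $userStore -storepass $storePass
    if ($LASTEXITCODE -ne 0) { throw "alias '$alias' missing from $userStore" }
}

# Lines to paste into Help | Edit Custom VM Options.
"-Djavax.net.ssl.trustStore=$($userStore -replace '\\', '/')"
"-Djavax.net.ssl.trustStorePassword=$storePass"
```

Because the copy lives under the user profile, the path in the VM options stays the same when the IDE or JDK is updated; the script only needs rerunning to pick up changes in the bundled roots.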
Permanently deleted user

A little more detail.  The problem occurs when I do a Maven sync (circular arrow icon) and have to download new dependencies.  Here is an example of what I see in the UI:

Could not transfer artifact io.github.resilience4j:resilience4j-timelimiter:pom:1.7.0 from/to central (https://blah): Transfer failed for https://blah/io/github/resilience4j/resilience4j-timelimiter/1.7.0/resilience4j-timelimiter-1.7.0.pom

In idea.log I see the "pkix path building failed" error.  Downloading source and documentation for Maven dependencies also fails.

Running a goal like compile from the Maven menu seems to run Maven on the command line, which succeeds.

0
Permanently deleted user

Thanks Serge, I did try setting the trust store explicitly, but I would rather not have to change it every time the JDK changes (1.8.0_271 vs 1.8.0_281, etc.)  I was hoping the "server certificates" config would help but it doesn't.

I also tried using the JAVA_HOME variable in idea64.exe.vmoptions, but that doesn't seem to get resolved.

0

IntelliJ IDEA certificate settings do not affect Maven or Gradle at the moment.

0