Skip to main content

Nexus IQ Server Troubleshooting SSL Problems Accessing Sonatype Hosted Services

Rich Seddon
Updated

Troubleshooting SSL Problems Accessing Sonatype Hosted Services

You may notice errors in the Sonatype IQ Server log file related to failed SSL connections to clm.sonatype.com case, such as:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It is common for organizational firewalls and proxy servers to decrypt and then re-encrypt SSL communication to external hosts. In these cases your Nexus IQ Server must be configured to trust the firewall SSL certificates or this external communication will fail.

To configure Sonatype IQ Server to trust the firewall certificate:

  1. Get the http proxy's/firewall SSL certificate from your IT department in p12 encoded format or get it yourself using our guide.
  2. Import the certificate into a truststore file which Nexus IQ Server will use. We suggest copying the default java-home/lib/security/cacerts file to the work directory of Nexus IQ Server and import the certificate into the copy.

  3. Edit the command that launches Nexus IQ Server to include reference to the truststore file and password.

    -Djavax.net.ssl.trustStore=/path/to/truststore/file -Djavax.net.ssl.trustStorePassword=changeit
  4. Start the Nexus IQ Server and verify the error messages no longer appear in the server log file.

What to do if the problem remains?

Double-check for typos in how Nexus IQ Server is launched. Pass -Djavax.net.debug=ssl to the Nexus IQ Server launch command in order to debug SSL certificate validation at a low level.

Still have a problem?

Use an external tool to verify the SSL connection from the same server host.

Download the attached urlpoke.jar file from this article:

Isolate and Diagnose Network Issues with urlpoke.jar

Then using the same java you are using to run the Nexus IQ Server, issue this command:

java -Dhttps.proxyHost=<enter_the_proxy_host_clm_is_configured_with> -Dhttps.proxyPort=<enter_the_proxy_port_clm_is_configured_with> -jar urlpoke.jar -ssl https://clm.sonatype.com &> ssl-debug.log

Examine the log file, checking the Issuer field in particular of the remote certificate.

Related articles