Problem
Visit my.sonatype.com for documentation on Nexus Repository version 2.
You are using Nexus Repository 2 OSS or Nexus Repository 2 Professional and have tried to Analyze a repository using Remote Healthcheck (RHC). This doesn't seem to work and you notice an error in the Nexus Repository log file similar to:
2014-03-03 10:57:08 WARN [pxpool-1-thread-8] admin org.sonatype.scheduling.DefaultScheduledTask - Exception in call method of scheduled task Health Check: central javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
Have you configured your Nexus Repository 2 to use a proxy server, or is Nexus Repository behind a corporate firewall?
Most commonly this error happens when a proxy server replaces the certificate presented by https://rhc-pro.sonatype.com (Nexus Repository 2 Pro) or https://rhc.sonatype.com (Nexus Repository 2 OSS) with a custom one that Nexus Repository does not trust.
Solution
You can use Nexus Repository's built-in truststore to trust the remote certificate.
The following solution applies to the default central proxy repository shipped with Nexus Repository. However, these steps can be performed against any repository exhibiting this problem.
- Open Administration -> Capabilities.
- Click New. Select SSL: Health Check. Click Add. Click Save.
- Open Administration -> SSL Certificates. Click Add... -> Load From Server. Enter https://rhc-pro.sonatype.com if using Nexus Repository 2 Pro, or https://rhc.sonatype.com if using Nexus OSS. Then click Load Certificate, and click Add Certificate after verifying the certificate displayed.
- Open Administration -> Scheduled Tasks. Find the Health Check: central scheduled task. Uncheck the Enabled checkbox and Save. Recheck the Enabled checkbox and Save. Once the task is enabled again, click Run to rerun it.
3 Comments
I would really like to script this so I can run it a couple of times a day since our environment employs an ssl interception.
Is the way to do so by using the openssl command to obtain the PEM and then posting to /service/siesta/ssl/truststore with a payload of
{
"value" : "..."
}
where "..." is the certificate content obtained from the openssl command?
Is there any way to simply trust our root CA in the nexus built-in truststore so that any certificates that are signed by our CA will be automatically accepted?
Hi Roy,
First get the PEMs of the remote server, using your proxy server settings. This command prints the entire certificate chain. Replace localhost and 8888 with your proxy server host and port names.
keytool -J-Dhttps.proxyHost=localhost -J-Dhttps.proxyPort=8888 -printcert -rfc -sslserver rhc.sonatype.com
The output will print a PEM for each certificate in the chain - usually you want the last one, as this will likely be the proxy server CA certificate PEM. You can verify the last one is your proxy server by loading it in the Nexus UI and previewing it before adding it. Alternately examine the entire chain in detail by leaving off the -rfc option to keytool.
BTW: You are describing the correct way to POST the PEM into the trust store.
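As an added example (not Sonatype's code or part of this thread), the following POSIX shell script strings the two halves of the reply together: it fetches the chain through the proxy with the keytool command above, keeps only the last PEM (usually the intercepting proxy's CA), wraps it in the {"value": "..."} body from the question and POSTs it to /service/siesta/ssl/truststore. NEXUS_URL, NEXUS_USER and NEXUS_PASS, the use of curl and awk, and the JSON request headers are assumptions.

```shell
#!/bin/sh
# Added example, not Sonatype's code. Fetches the certificate chain the way the
# reply above does, keeps the last PEM (usually the intercepting proxy's CA) and
# POSTs it to the Nexus 2 truststore endpoint named in the question.
# Assumed: NEXUS_URL, NEXUS_USER and NEXUS_PASS are set by the caller; curl and
# awk are available; the JSON Content-Type/Accept headers are an assumption.

# fetch_chain HOST PROXY_HOST PROXY_PORT: PEM chain as seen through the proxy.
fetch_chain() {
  keytool -J-Dhttps.proxyHost="$2" -J-Dhttps.proxyPort="$3" \
    -printcert -rfc -sslserver "$1"
}

# last_pem CHAIN_TEXT: print only the final BEGIN/END CERTIFICATE block.
last_pem() {
  printf '%s\n' "$1" | awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
    inside { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/ { inside = 0; last = buf }
    END { printf "%s", last }'
}

# pem_json PEM: the {"value": "..."} body, with each newline escaped as \n.
pem_json() {
  escaped=$(printf '%s\n' "$1" | awk 'BEGIN { ORS = "" } { print $0 "\\n" }')
  printf '{"value":"%s"}' "$escaped"
}

# post_trust PEM: add the certificate to the built-in truststore.
post_trust() {
  pem_json "$1" | curl -sS -u "$NEXUS_USER:$NEXUS_PASS" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    --data-binary @- "$NEXUS_URL/service/siesta/ssl/truststore"
}

# Usage, e.g. from cron (not executed here): trust the proxy CA for the OSS host.
# post_trust "$(last_pem "$(fetch_chain rhc.sonatype.com localhost 8888)")"
```

Preview the extracted PEM in the Nexus UI once before scheduling the script, so you know the last block really is your proxy's CA and not an intermediate.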
We are closing this article for comments.
If you have a support license, please contact us by submitting a support ticket.
If you do not have a support license, please use our Nexus Users List or our other free support resources.