Nexus Repository Remote Health Check Analysis fails with SSL errors

Problem

You are using Nexus OSS or Nexus Professional and have tried to Analyze a repository using Remote Healthcheck (RHC). This doesn't seem to work and you notice an error in the Nexus log file similar to:

2014-03-03 10:57:08 WARN [pxpool-1-thread-8] admin org.sonatype.scheduling.DefaultScheduledTask - Exception in call method of scheduled task Health Check: central 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

Have you configured your Nexus to use a proxy server or is Nexus behind a corporate firewall?

Most commonly this error happens when a proxy server rewrites the https://rhc-pro.sonatype.com (Nexus Pro) or https://rhc.sonatype.com (Nexus OSS) certificate with a custom one that Nexus does not trust.

Solution

You can use Nexus built-in truststore to trust the remote certificate.

The following soliution applies to the default central proxy repository shipped with Nexus. However, these steps can be performed against any repository exhibiting this problem.

  1. Open Administration -> Capabilities
  2. Click New. Select SSL: Health Check. Click Add. Click Save.
  3. Open Administration -> SSL Certificates Click Add... -> Load From Server. Enter https://rhc-pro.sonatype.com if using Nexus Pro, enter https://rhc.sonatype.com if using Nexus OSS. Then click Load Certificate, then Add Certificate after verifying the certificate displayed.
  4. Open Administration -> Scheduled Tasks. Find the Health Check: central scheduled task. Uncheck the Enabled checkbox and Save. Recheck the Enabled checkbox and Save. Click the Run button when the task is enabled and rerun the task.
Have more questions? Submit a request

3 Comments

  • 0
    Avatar
    Roy Lyons

    I would really like to script this so I can run it a couple of times a day since our environment employs an ssl interception.

    Is the way to do so by using the openssl command to obtain the PEM and then posting to /service/siesta/ssl/truststore with a payload of 

    {

    "value" : "..."

    }

    where "..." is the certificate content obtained from the openssl command?

    Is there any way to simply trust our root CA in the nexus built-in truststore so that any certificates that are signed by our CA will be automatically accepted?

  • 0
    Avatar
    Peter Lynch

    Hi Roy,

    First get the PEMs of the remote server, using your proxy server settings. This command prints the entire certificate chain. Replace localhost and 8888 with your proxy server host and port names.

    keytool -J-Dhttps.proxyHost=localhost -J-Dhttps.proxyPort=8888 -printcert -rfc -sslserver rhc.sonatype.com

    The output will print a PEM for each certificate in the chain - usually you want the last one, as this will likely be the proxy server CA certificate PEM. You can verify the last one is your proxy server by loading it in the Nexus UI and previewing it before adding it. Alternately examine the entire chain in detail by leaving off the -rfc option to keytool.

    BTW: You are describing the correct way to POST the PEM into the trust store.

     

  • 0
    Avatar
    Peter Lynch

    We are closing this article for comments.

    If you have a support license, please contact us by submitting a support ticket.

    If you do not have a support license, please use our Nexus Users List or our other free support resources.

Article is closed for comments.
Powered by Zendesk