Fix https repository blocking by PKIX path building failed

Visit my.sonatype.com for documentation on Nexus Repository version 2.

Symptoms

The Status of one or more of your repositories that have a remote URL starting with https is:

In service - Remote Automatically Blocked and Unavailable.

Nexus Repository 2 automatically blocked the repository because the remote request failed with this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Summary

This means the trust store that Nexus Repository 2 is using cannot validate the SSL certificates of those remote https URLs.

Normally this does not happen, but examples of when it can happen are:

  • an http proxy server is rewriting the remote certificates to new ones which are not trusted by Nexus Repository 2

    Please review the specific article for a solution to this scenario.

  • Nexus Repository 2 is using an outdated JRE version with old root certificates
  • Nexus Repository 2 is configured with system properties which override the default truststore with an empty one
  • the remote URL of the proxy repository is serving a self-signed certificate

Solution

First, make sure you are using the latest JDK version supported so that your root certificates are up to date.

You can explicitly examine and trust the remote certificate as follows:

  1. Go to Views/Repositories -> Repositories. Select the repository with the problem.
  2. Select the SSL configuration tab of the repository. The SSL tab shows the remote certificate. Examine it closely. If you want to trust the cert, check "Use Nexus SSL trust store" and click the "Add to Trust Store" button.
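
To see which of the causes listed in the Summary applies before trusting anything, the check below reproduces the handshake outside Nexus and prints what the server presented. It is an added example, not Sonatype code: the class name PkixCheck is hypothetical, and it assumes it is run with the same JRE and the same -Djavax.net.ssl.* options as Nexus Repository 2.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Added example (hypothetical class name). Usage: java PkixCheck <remote-host> [port]
public class PkixCheck {
    public static void main(String[] args) throws Exception {
        if (args.length == 0) { System.err.println("usage: java PkixCheck <remote-host> [port]"); return; }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // An override that points at an empty store is one of the listed causes.
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        // Trust manager built from the JRE default trust store (or the override above).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("trusted root certificates: " + jre.getAcceptedIssuers().length);
        // Record the chain the server presents, then let the JRE validate it as usual.
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                jre.checkClientTrusted(c, t);
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                jre.checkServerTrusted(c, t); // validation is not bypassed
            }
            public X509Certificate[] getAcceptedIssuers() { return jre.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: chain is trusted by this JRE");
        } catch (IOException e) {
            System.out.println("handshake failed: " + e);
        }
        if (seen[0] == null) return;
        for (X509Certificate c : seen[0]) {
            StringBuilder fp = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) fp.append(String.format("%02X", b));
            boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n  issuer=" + c.getIssuerX500Principal()
                + "\n  notAfter=" + c.getNotAfter() + " selfIssued=" + selfIssued + "\n  sha256=" + fp);
        }
    }
}
```

A root count of 0 points to an empty trust store override, and a single certificate with selfIssued=true points to a self-signed remote. The program connects directly, so it does not pass through any HTTP proxy server that Nexus Repository 2 is configured to use.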