Fix https repository blocking by PKIX path building failed

Symptoms

The Status of one or more of your repositories which have a remote URL starting with https is:

In service - Remote Automatically Blocked and Unavailable.

The repository was automatically blocked by Nexus because the error indicates:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Summary

This means the trust store that Nexus is using cannot validate the SSL certificates of those remote http URLs.

Normally this does not happen, but examples of when it can happen are:

  • an http proxy server is rewriting the remote certificates to new ones which are not trusted by Nexus

    Please review the specific article for a solution to this scenario.

  • Nexus is using an outdated JRE version with old root certificates
  • Nexus is configured with system properties which override the default truststore with an empty one
  • the remote URL of the proxy repository is serving a self-signed certificate

Solution

First, make sure you are using the latest JDK version supported so that your root certificates are up to date.

You can explicitly examine and trust the remote certificate by

  1. Go to Views/Repositories -> Repositories. Select the repository with the problem.
  2. Selecting the SSL configuration tab of the repository. The SSL tab shows the remote certificate. Examine it closely. If you want to trust the cert, check "Use Nexus SSL trust store" and the "Add to Trust Store" button.
Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk