Problem
For a limited set of users, upgrading to Sonatype Nexus Repository 3.73.0 may fail with javax.crypto.IllegalBlockSizeException: last block incomplete in decryption during the secret encryption process introduced in this version.
Known secrets that may fail encryption are those stored for S3 blobstore authentication and passwords configured to connect to Sonatype IQ Server.
The issue has affected users of both Nexus OSS and Pro. Reports have been captured in the public source code repository of Sonatype Repository OSS at https://github.com/sonatype/nexus-public/issues/487.
Symptoms
The application will not start.
You may see one of the following types of errors in the logs when starting version 3.73.0:
SecretMigrationException: unable to migrate secrets for blobstore
2024-10-11 15:58:26,282+0000 ERROR [quartz-9-thread-5] *SYSTEM org.sonatype.nexus.internal.security.secrets.task.SecretsMigrationTask - Failed to run task 'Migrate existing secrets into a single source (secrets table).'
org.sonatype.nexus.security.secrets.SecretMigrationException: unable to migrate secrets for blobstore: xxxxxxxx
at org.sonatype.nexus.repository.internal.blobstore.secrets.migration.BlobStoreConfigSecretsMigrator.migrate(BlobStoreConfigSecretsMigrator.java:69)
at org.sonatype.nexus.internal.security.secrets.task.SecretsMigrationTask.execute(SecretsMigrationTask.java:51)
at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:105)
at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:143)
at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:106)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.sonatype.nexus.quartz.internal.QuartzThreadPool.lambda$0(QuartzThreadPool.java:145)
at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.sonatype.nexus.crypto.internal.error.CipherException: last block incomplete in decryption
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.transform(LegacyCipherFactoryImpl.java:114)
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.decrypt(LegacyCipherFactoryImpl.java:103)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.decryptLegacy(SecretsServiceImpl.java:306)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.doDecrypt(SecretsServiceImpl.java:229)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.access$0(SecretsServiceImpl.java:227)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl$SecretImpl.decrypt(SecretsServiceImpl.java:364)
at org.sonatype.nexus.repository.internal.blobstore.secrets.migration.BlobStoreConfigSecretsMigrator.maybeMigrateSecret(BlobStoreConfigSecretsMigrator.java:85)
at org.sonatype.nexus.repository.internal.blobstore.secrets.migration.BlobStoreConfigSecretsMigrator.migrate(BlobStoreConfigSecretsMigrator.java:65)
... 14 common frames omitted
Caused by: javax.crypto.IllegalBlockSizeException: last block incomplete in decryption
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2263)
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.transform(LegacyCipherFactoryImpl.java:110)
... 21 common frames omitted
2024-10-11 15:58:26,283+0000 INFO [quartz-9-thread-5] *SYSTEM org.sonatype.nexus.internal.security.secrets.task.SecretsMigrationTask - Task complete
RuntimeException: Could not decrypt value of password due to last block incomplete in decryption
2024-10-16 16:46:16,759+0100 ERROR [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusContextListener - Failed to start nexus
java.lang.RuntimeException: Could not decrypt value of 'password' due to last block incomplete in decryption
at org.sonatype.nexus.internal.capability.DefaultCapabilityRegistry.decryptValuesIfNeeded(DefaultCapabilityRegistry.java:786)
at org.sonatype.nexus.internal.capability.DefaultCapabilityRegistry.load(DefaultCapabilityRegistry.java:487)
at org.sonatype.nexus.internal.capability.CapabilityRegistryBooter.doStart(CapabilityRegistryBooter.java:55)
at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:206)
at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:57)
at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:210)
at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:121)
at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:334)
at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:231)
at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1597)
at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.sonatype.nexus.crypto.internal.error.CipherException: last block incomplete in decryption
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.transform(LegacyCipherFactoryImpl.java:114)
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.decrypt(LegacyCipherFactoryImpl.java:103)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.decryptLegacy(SecretsServiceImpl.java:306)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.doDecrypt(SecretsServiceImpl.java:229)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl.access$0(SecretsServiceImpl.java:227)
at org.sonatype.nexus.crypto.secrets.internal.SecretsServiceImpl$SecretImpl.decrypt(SecretsServiceImpl.java:364)
at org.sonatype.nexus.internal.capability.DefaultCapabilityRegistry.decryptValuesIfNeeded(DefaultCapabilityRegistry.java:783)
… 13 common frames omitted
Caused by: javax.crypto.IllegalBlockSizeException: last block incomplete in decryption
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2263)
at org.sonatype.nexus.crypto.internal.LegacyCipherFactoryImpl$PbeCipherImpl.transform(LegacyCipherFactoryImpl.java:110)
… 19 common frames omitted
Both errors point to decryption issues related to secrets migration or capability decryption, which prevent the instance from restarting correctly.
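To confirm that a failed start matches this issue rather than an unrelated error, the following added example (not Sonatype code) groups a Nexus log into events and reports those whose cause chain ends in the IllegalBlockSizeException shown above. The sample log is constructed and abbreviated from the traces on this page; the blobstore name example-s3 and the function names are assumptions.

```python
import re

# A Nexus log event starts with a timestamp and level; stack lines follow it.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4} (\w+)\s")
ROOT_CAUSE = "javax.crypto.IllegalBlockSizeException: last block incomplete in decryption"
SIGNATURES = {
    "blobstore-secret-migration": re.compile(
        r"SecretMigrationException: unable to migrate secrets for blobstore: (\S+)"),
    "capability-password": re.compile(
        r"RuntimeException: Could not decrypt value of '([^']+)'"),
}

# Constructed sample: abbreviated traces plus one unrelated ERROR event.
SAMPLE_LOG = """\
2024-10-11 15:58:26,282+0000 ERROR [quartz-9-thread-5] *SYSTEM SecretsMigrationTask - Failed to run task
org.sonatype.nexus.security.secrets.SecretMigrationException: unable to migrate secrets for blobstore: example-s3
Caused by: org.sonatype.nexus.crypto.internal.error.CipherException: last block incomplete in decryption
Caused by: javax.crypto.IllegalBlockSizeException: last block incomplete in decryption
2024-10-11 15:58:26,283+0000 INFO [quartz-9-thread-5] *SYSTEM SecretsMigrationTask - Task complete
2024-10-16 16:46:16,759+0100 ERROR [FelixStartLevel] *SYSTEM NexusContextListener - Failed to start nexus
java.lang.RuntimeException: Could not decrypt value of 'password' due to last block incomplete in decryption
Caused by: javax.crypto.IllegalBlockSizeException: last block incomplete in decryption
2024-10-16 16:50:00,000+0100 ERROR [qtp-1] *SYSTEM example.Unrelated - constructed unrelated error
"""

def split_events(text):
    """Attach continuation lines (exception, frames, 'Caused by') to their event."""
    events = []
    for line in text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events

def find_secret_decrypt_failures(text):
    """Return one finding per ERROR event whose cause chain contains ROOT_CAUSE."""
    findings = []
    for event in split_events(text):
        m = EVENT_START.match(event[0])
        body = "\n".join(event)
        if not m or m.group(1) != "ERROR" or ROOT_CAUSE not in body:
            continue
        for kind, pattern in SIGNATURES.items():
            hit = pattern.search(body)
            if hit:
                findings.append({"kind": kind, "subject": hit.group(1),
                                 "timestamp": event[0][:28]})
    return findings
```

Pass the contents of nexus.log to find_secret_decrypt_failures; a non-empty result names the blobstore or capability property whose stored secret could not be decrypted.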
Solution
There are two recommended solutions to resolve this issue:
Option 1: Upgrade to 3.74.0 or higher instead (Highly Recommended)
The issue has been addressed in version 3.74.0 and is mentioned in the release notes as NEXUS-44569.
Upgrading to this version or newer will successfully complete a failed upgrade. You do not need to restore the database that was backed up prior to the upgrade. Just upgrade to 3.74.0 instead.
We strongly recommend upgrading to 3.74.0+ to solve the issue.
Option 2: Restore Database from Backup and start previous version
If upgrading to a version greater than 3.73.0 is not an immediate option, you can:
- Restore the database from a backup taken immediately prior to the failed upgrade.
- Start the version of Nexus Repository you were running before the upgrade attempt.