Problem
When configuring a Nexus Repository instance, you may encounter the following error in the nexus.log file:
Certificates do not conform to algorithm constraints
This issue arises when the Nexus Repository attempts to connect to certain remote services, such as:
- Azure Database for PostgreSQL - Flexible Server
- https://cdn.redhat.com/
Note: This article applies only if the “Certificates do not conform to algorithm constraints” issue is caused by the two remote services mentioned above. If you encounter the same error with a different remote service, or have any concerns, please create a Support ticket for further assistance.
Symptoms
1. Issue with Azure Database for PostgreSQL - Flexible Server
When attempting to connect to a PostgreSQL database using the Azure Database for PostgreSQL - Flexible Server service, the Nexus Repository instance fails to start. The following (or similar) error appears in nexus.log:
2025-01-24 15:39:01,671+0000 ERROR [FelixStartLevel] *SYSTEM org.sonatype.nexus.datastore.mybatis.MyBatisDataStore - Failed transition: NEW -> STARTED
com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: SSL error: Certificates do not conform to algorithm constraints
at com.zaxxer.hikari.pool.HikariPool.throwPoolInitializationException(HikariPool.java:596)
at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:582)
at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:115)
at com.zaxxer.hikari.HikariDataSource.<init>(HikariDataSource.java:81)
....
Caused by: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraint
...
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
2. Issue with https://cdn.redhat.com/
When a proxy repository attempts to access https://cdn.redhat.com/, it fails to function correctly, and the following logs appear in nexus.log:
2025-01-30 16:41:40,012+0000 INFO [qtp1660213457-103] admin org.sonatype.nexus.ssl.CertificateRetriever - Retrieving certificate from https://cdn.redhat.com:443
2025-01-30 16:41:40,066+0000 WARN [qtp1660213457-103] admin org.sonatype.nexus.ssl.CertificateRetriever - Certificates do not conform to algorithm constraints
2025-01-30 16:41:40,069+0000 ERROR [qtp1660213457-103] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ssl_Certificate.retrieveFromHost, java-method: com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost
java.io.IOException: Could not retrieve an SSL certificate from 'cdn.redhat.com:443'
at com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost(CertificateComponent.java:94)
Possible causes
This issue occurs because some remote services, such as Azure Database for PostgreSQL - Flexible Server and https://cdn.redhat.com/, still use the outdated SHA1withRSA algorithm in their certificate chains. However, the host machine or base Docker image used by the Nexus Repository does not support SHA1withRSA, leading to this error.
This is not a Nexus Repository issue. Ideally, remote service providers should replace SHA1withRSA with stronger algorithms.
For example, running the command
openssl s_client -connect cdn.redhat.com:443 -servername cdn.redhat.com -showcerts
reveals the use of RSA-SHA1:
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA1
2 s:C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=Entitlement Master CA, emailAddress=ca-support@redhat.com
i:C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=Entitlement Master CA, emailAddress=ca-support@redhat.com
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA1
v:NotBefore: Mar 17 19:00:44 2010 GMT; NotAfter: Mar 12 19:00:44 2030 GMT
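The openssl output above shows the signature algorithm of each entry in the presented chain. The following shell function, an added example rather than part of this article, reads that openssl s_client -showcerts output from stdin, lists the signature algorithm of every certificate and exits non-zero when any entry is SHA-1 signed, so you can confirm that a remote service is actually affected before relaxing the crypto policy. It assumes the OpenSSL 3.x output layout shown above (the a: line per entry), and the chain embedded in it is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example (not from the article): flag SHA-1 signatures in a presented chain.
# Assumes the OpenSSL 3.x "-showcerts" layout shown above, where each chain entry
# has an "a:PKEY: ...; sigalg: ..." line. Usage against a live host:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null | check_sha1_chain
check_sha1_chain() {
    awk '
        # " 0 s:<subject>" starts a chain entry; remember its index and subject
        /^ *[0-9]+ s:/ { pos = $1; subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next }
        # "   a:PKEY: ...; sigalg: <alg>" carries the signature algorithm of that entry
        /^ *a:/ && pos != "" {
            alg = $0; sub(/.*sigalg: */, "", alg)
            weak = (toupper(alg) ~ /SHA-?1/) ? "SHA1" : "ok"
            if (weak == "SHA1") bad++
            printf "%s\t%s\t%s\t%s\n", pos, weak, alg, subj
            pos = ""
        }
        # PEM bodies and other lines are ignored; exit 1 if any SHA-1 signature was seen
        END { exit (bad > 0) }
    '
}

# Constructed sample chain (not a real capture): a SHA-256 leaf issued by a
# SHA-1-signed intermediate, which is the situation that trips the Java check.
SAMPLE_CHAIN='Certificate chain
 0 s:CN=example.invalid
   i:CN=Example Intermediate CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2024 GMT; NotAfter: Jan  1 00:00:00 2026 GMT
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
 1 s:CN=Example Intermediate CA
   i:CN=Example Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA1
   v:NotBefore: Mar 17 19:00:44 2010 GMT; NotAfter: Mar 12 19:00:44 2030 GMT
---'

# Run the check on the sample: prints a tab-separated table
# (index, SHA1|ok, sigalg, subject) followed by the overall verdict.
if printf '%s\n' "$SAMPLE_CHAIN" | check_sha1_chain; then
    echo "no SHA-1 signatures in chain"
else
    echo "SHA-1 signature found: the remote service is affected"
fi
```

A SHA-1 signature on a self-signed root that is already in your trust store is not checked by Java's path validator, so a hit on the last entry alone may be harmless; a hit on the leaf or an intermediate is the case described in this article.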
SHA-1 is deprecated in RHEL9, and starting from Nexus Repository 3.76.0, the default Docker images (except -alpine variants, e.g., 3.76.0-alpine or 3.76.0-java17-alpine) use redhat/ubi9-minimal as the base image. This means you may encounter this issue:
- If your Nexus Repository instance runs directly on RHEL 9
- If you use a Nexus Repository Docker image version 3.76.0 or later (based on UBI9)
Solution
1. Identify the remote service causing the issue
1.1 If caused by Azure Database for PostgreSQL - Flexible Server
If your PostgreSQL database was created long ago using Azure Database for PostgreSQL - Flexible Server, it may still use an old SHA1-based certificate.
- Microsoft recommends updating the certificate. Refer to the comments in the link for details.
- If you need further assistance with certificate updates, contact Microsoft Azure Support.
- If updating the certificate isn't possible, you can continue with the workarounds below.
2. Workarounds for Docker container or Kubernetes deployment
Use one of the following options:
- Use a Sonatype Nexus Repository Docker image that includes -alpine in its tag (e.g., 3.76.0-alpine or 3.76.0-java17-alpine).
- Build your image by modifying the Dockerfile to override the default crypto policy before starting the Sonatype Nexus Repository:
RUN update-crypto-policies --set DEFAULT:SHA1
3. Workarounds for Nexus Repository hosted directly on a RedHat Server
3.1 Check the Current Crypto Policy
Run:
update-crypto-policies --show
Expected outputs:
• DEFAULT – SHA1WithRSA might still be allowed, but with restrictions.
• FIPS – Strict policy; SHA1WithRSA is blocked.
• FUTURE – More restrictive than DEFAULT; SHA1WithRSA is likely blocked.
3.2 Enable SHA-1 (Not Recommended)
Since SHA-1 is deprecated in RHEL9, enabling it is discouraged. If necessary, run:
update-crypto-policies --set DEFAULT:SHA1
3.3 Modify Java security settings (if applicable)
Check if Java has disabled SHA-1 algorithms:
grep "jdk.tls.disabledAlgorithms" $JAVA_HOME/conf/security/java.security
grep "jdk.tls.disabledAlgorithms" /etc/crypto-policies/back-ends/java.config
Remove SHA1withRSA (the name may be different) from the above configurations.
If the above solutions do not resolve your issue, please open a support ticket with Sonatype for further assistance.