I’m trying to add RHEL9 repos to Nexus. However, after following the instructions in the Proxying RHEL Yum Repositories documentation I’m getting the SSL error when I try to validate the certificate.
Is it even possible to add RHEL9 repos to the Community version of Nexus as I can’t find any clear guide anywhere?
Ok, turns out that Sonatype doesn’t bother updating their documentation on the main page. I’ve followed their documentation and did thorough research, and it turns out that it only works when you change the Crypto Policy settings on the server to DEFAULT:SHA1.
Apologies for the delay in response; I was only just made aware of this post.
In RHEL9, the SHA-1 digest algorithm is deprecated. Under the default policy, use of SHA-1 in certificate signatures or package signature verification is disabled (or disallowed). If a remote repository or certificate chain uses SHA-1 signatures (e.g. older or third-party content), RHEL 9 will reject it unless you relax the cryptographic policy.
RHEL provides a mechanism to “enable SHA-1 support” (as a subpolicy) under the default policy. Specifically the DEFAULT:SHA1 configuration that you discovered allows SHA-1 usage for backward compatibility. However, this isn’t really recommended since it weakens your system’s cryptographic posture. Instead, we’d recommend contacting Red Hat for updated root certificates. The ideal solution is to obtain and install a new version of the Entitlement Master CA root certificate that is signed with a strong, enabled algorithm. This would typically involve updating your system’s trust store.
If Red Hat does not yet provide stronger certificates, you may need to discuss with your IT or security team about the risks and possible alternatives, but the official guidance is to avoid enabling SHA-1 unless absolutely necessary and only as a temporary measure while working toward a more secure solution.
I’m hoping you did see our Support article about this. That said, you are correct that we should pull this info into our help docs, and I will raise a Jira issue for my team to do this! Thanks for pointing this out!
As an aside - if you ever find yourself with a similar challenge and are not getting responses here, make sure to use the “Ask Kapa” function here in the Community or in our Help site. That is our RAG AI tool and it ONLY uses our documentation (Support, Community, Help) when it generates answers. It can be really useful!
Hi Lisa,
Thank you very much for getting back to me.
I retrieved the root certificate from a RHEL VM (our Nexus server runs on Alma); however, it isn’t described anywhere how I can add it to authenticate the connection to cdn.redhat.com.
Using curl -v --proxy <proxy_ip> https://cdn.redhat.com --cacert ./redhat-uep.pem gives me the desired output even though cdn.redhat.com contains SHA1.
You’ll need to import the Red Hat root certificate into the Java trust store used by Nexus Repository, then restart the service so it uses the updated certificate.
Your curl command works because it explicitly references the PEM file with --cacert, bypassing the Java trust store. Importing that same certificate into Nexus’s trust store achieves the same result for the application itself.
If your environment runs on AlmaLinux (which is binary-compatible with RHEL), the same process applies—just be sure the Red Hat CA is added to the JVM trust store Nexus uses.
Note: I double-checked these details with AI assistance to confirm the right approach for RHEL 9 and AlmaLinux environments.
So, finally I found a solution to this. Feel free to add it to the documentation.
The redhat-uep.pem needs to be added to /etc/pki/ca-trust/source/anchors/ and you’d need to run update-ca-trust extract.
Then when running sudo keytool -list -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit | grep redhat you’ll see the redhat cert added. Now, clicking on the View Certificate in the GUI will still give a 404 error however, when you sync repos it should work.
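The thread turns on one question: which certificates in the chain carry a SHA-1 signature, since that is what RHEL 9's DEFAULT policy rejects. The script below is an added example, not code from Sonatype, Red Hat or any participant in this thread. It reads a PEM bundle (for instance the redhat-uep.pem mentioned above, or a chain saved from openssl s_client -showcerts) and reports the signature algorithm OID of each certificate, using only the Python standard library. It only decodes the outer Certificate SEQUENCE (tbsCertificate, signatureAlgorithm, signatureValue), so the sample bundle at the bottom is a constructed DER skeleton, not a real certificate, and the parser does not validate or verify anything.

```python
"""Audit a PEM certificate bundle for SHA-1 signature algorithms.

Added example for the thread above (not Sonatype's or Red Hat's code).
Only the outer Certificate SEQUENCE is parsed, so the sample input at the
bottom is a constructed skeleton rather than a real certificate.
"""
import base64
import re

# Signature-algorithm OIDs that use SHA-1 (rejected by RHEL 9's DEFAULT policy).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha1WithRSASignature (legacy OIW OID)",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Strong algorithms, so the report can name what it saw.
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def read_tlv(data: bytes, pos: int = 0):
    """Decode one DER tag-length-value element; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der_bytes: bytes) -> str:
    """Return the OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = read_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert)          # tbsCertificate (skipped)
    _, alg_id, _ = read_tlv(cert, pos)     # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id)         # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def pem_certificates(text: str):
    """Extract every certificate in a PEM bundle as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]

def audit_bundle(text: str):
    """Per certificate: signature OID, its name, and whether it is a SHA-1 algorithm."""
    report = []
    for i, der_bytes in enumerate(pem_certificates(text)):
        oid = signature_algorithm_oid(der_bytes)
        name = SHA1_SIGNATURE_OIDS.get(oid) or OTHER_SIGNATURE_OIDS.get(oid, "unknown")
        report.append({"index": i, "oid": oid, "name": name, "sha1": oid in SHA1_SIGNATURE_OIDS})
    return report

# --- constructed sample input (NOT a real certificate) ---------------------
def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample skeleton."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return bytes(out)

def sample_cert_der(sig_oid: str) -> bytes:
    """Skeleton: empty tbsCertificate, the given AlgorithmIdentifier, empty signature."""
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg_id + der(0x03, b"\x00"))

def to_pem(der_bytes: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes).decode() + "-----END CERTIFICATE-----\n"

# One SHA-1-signed and one SHA-256-signed skeleton (constructed, not real).
SAMPLE_BUNDLE = to_pem(sample_cert_der("1.2.840.113549.1.1.5")) + to_pem(sample_cert_der("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for entry in audit_bundle(text):
        flag = "SHA-1 (rejected by RHEL 9 DEFAULT policy)" if entry["sha1"] else "ok"
        print(f"cert {entry['index']}: {entry['name']} [{entry['oid']}] -> {flag}")
```

Run it as python audit_sigs.py chain.pem to see which certificate in the chain is the one the policy objects to; that tells you whether installing an updated CA certificate (as Lisa suggested) would remove the need for DEFAULT:SHA1, or whether the SHA-1 signature sits on a certificate you cannot replace. The report only names the algorithm OID in the outer field; it does not verify the signature or the chain.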