Moved nexus to new host - unable to docker login to the new host due to certificate issue

kevin.reynolds · September 22, 2023, 1:05pm

Hello
I recently moved my docker based nexus server to a new host (NewHost) since the move I have not been able to docker login to the new environment. The error I have received when attempting to log in is the following

Error response from daemon: Get “https://NewHost:5000/v2/”: tls: failed to verify certificate: x509: certificate is valid for OldHost, not NewHost

To be completely transparent I do not have deep cert/ssl knowledge so this has left me a little stumped as to how to proceed.

The following is the content of my compose file - and to reiterate the entire environment was lifted and moved to the new environment including the persisted volume.

version: “3.7”
services:
s3g-nexus:
image: sonatype/nexus3:latest
hostname: nexus
container_name: nexus
ports:
- “8081:8081”
- “8083:8083”
- “5000:5000”
- “8443:8443”
restart: always
volumes:
- NexusData:/nexus-data
stop_grace_period: 60s
volumes:
NexusData:
external: true

I have scoured the configuration to find any reference to a cert for the OldHost to which I found the keystore.jks as the only reference to the OldHost - however my attempts to manipulate that file have proven fruitless as every time I change it - nexus fails to start indicating the keystore file has meen tampered with

Help - at wits end here

kevin.reynolds · September 22, 2023, 1:15pm

the following log entry is what led me to the keystore.jks file as possibly being the problem

2023-09-22 13:08:46,595+0000 INFO [jetty-main-1] *SYSTEM org.eclipse.jetty.util.ssl.SslContextFactory - x509=X509@18e29ef8(jetty,h=[OldHost],a=[/10.179.1.23],w=[]) for Server@1108db2[provider=null,keyStore=file:///nexus-data/etc/ssl/keystore.jks,trustStore=file:///nexus-data/etc/ssl/keystore.jks]

mpiggott · September 22, 2023, 7:28pm

SSL certificates specify the domain (e.g. www.google.com) for which they are valid.

It sounds like your system is hosted at new.host while your SSL certificate is for old.host. So you’d need to generate a new one, and possibly have it signed (by a cert authority, or your corporations parent cert) then setup Nexus with it.

kevin.reynolds · September 25, 2023, 1:28pm

Thank you for the reply
I have acquired the new certificate for the new host
I have created a new keystore.jks file using the following command

keytool -v -importkeystore -srckeystore MyNewServerCert.pfx -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

I then replaced my existing keystore.jks file with the newly created keystore.jks

I also added the following entries in my nexus.properties file

nexus.ssl.keystore=/nexus-data/etc/ssl/keystore.jks
nexus.ssl.keystore.password=thenewpassword

attempt to restart the container but it fails with the following error message

ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.io.IOException: Keystore was tampered with, or password was incorrect

My assumption was that I could swap the keystore out and all would be fine. but somehow it appears to be holding on to something from the previous keystore file?

Thank you in advance for any assistance on this as I am a bit lost now