NxRM 3.39 will not start, complains of tampered keystore

I’ve been running NxRM 3.37 forever and wanted to update to v3.39 tonight, but ran into multiple issues.

First, some description on my setup.

NxRM runs in my own custom (Alpine-based) docker image and is serviced with supervisord.
It listens on https:1808 and on https:9820 for the docker registry. The binaries are housed under /opt/nexus3/nexus-$VERSION, the data is under /opt/nexus3/sonatype-work/nexus3/ in a docker volume to ensure data persistency.

I’ve modified /opt/nexus3/etc/jetty/jetty-https.xml to replace the value “password” with my actual password, and kept /opt/nexus3/sonatype/nexus3/etc/nexus.properties as is, with the correct port number for https.

All of this worked just fine under 3.37.

Under 3.39, to be safe, I’ve replaced /opt/nexus3/etc/jetty/jetty-https.xml with the new one, putting the proper password values where needed. Everything else has been left untouched.

When I tried to start it up, it complains of

2022-06-21 21:38:06,223-0400 ERROR [jetty-main-1]  *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start        
java.io.IOException: Keystore was tampered with, or password was incorrect 

If I run the keytool utility to check the password, it runs OK:

[22:04:14|nexus@nexus:~/sonatype-work/nexus3/etc] keytool -list -keystore ssl/keystore.jks |head -5
Enter keystore password:  ******
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

I’m at a loss to figure this one out.

Before you go and say anything about docker, please do remember that this container has been running 3.37 for some time, and some other versions for at least a year. It’s not a docker issue; it’s a keystore issue.


I’m red-faced and totally ashamed of myself…

I’ve just found out I was using keytool against my test Keystore, not the “prod” one, which is why it reported success, but failure when trying to start the service…
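
The mix-up described in this thread, as an added example that is not part of the original posts: a JKS file ends with a SHA-1 digest computed over the password and the store contents together, which is why Java reports "tampered with, or password was incorrect" as one error. The sketch below checks one password against several keystores and prints a fingerprint of each so a test and a production file cannot be confused. It assumes the classic JKS format (the "Keystore type: jks" shown above); the function names and the two sample stores are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the UTF-16BE password, the fixed salt, then the store body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def check_jks(data: bytes, password: str) -> str:
    """Classify keystore bytes: 'not-jks', 'ok', or 'tampered-or-wrong-password'."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = data[:-20], data[-20:]
    # One digest covers both content and password, hence the combined message.
    return "ok" if jks_digest(password, body) == stored else "tampered-or-wrong-password"


def make_empty_jks(password: str) -> bytes:
    """Build a constructed, empty JKS (version 2, zero entries) for the demo."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


def compare(stores: dict, password: str) -> dict:
    """Check one password against several keystores, keyed by label."""
    report = {}
    for label, data in stores.items():
        fingerprint = hashlib.sha256(data).hexdigest()[:12]
        report[label] = (fingerprint, check_jks(data, password))
    return report


if __name__ == "__main__":
    # Constructed sample: two different stores protected by different passwords.
    stores = {
        "test keystore (checked by hand)": make_empty_jks("test-pass"),
        "keystore the service loads": make_empty_jks("prod-pass"),
    }
    for label, (fp, status) in compare(stores, "test-pass").items():
        print(f"{label}: sha256={fp} -> {status}")
```

For real files, pass the bytes read from the keystore path that the running configuration actually references rather than a path typed from memory.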