My company does the typical MITM of SSL with an HTTP proxy. When I updated to the latest sonatype/nexus3 container for 3.18.1, none of the ssl proxies work because the certs are considered invalid (they are RSA 1024). I have uploaded the company’s root cert which worked before, but the child certs no longer work.
I have tried changing the java disabledAlgorithms property, but it doesn’t affect anything. (I think because nexus is not using the default truststore)
I had already imported the company’s root certificate. This is the exception I get when trying to click “View Certificate” in the application:
2019-09-16 15:18:26,155+0000 INFO [qtp508825405-5366] admin com.sonatype.nexus.ssl.plugin.internal.CertificateRetriever - Retrieving certificate from https://registry-1.docker.io:443
2019-09-16 15:18:26,748+0000 ERROR [qtp508825405-5366] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ssl_Certificate.retrieveFromHost, java-method: com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost
java.io.IOException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
I think we’ll need to see the full log. Open an issue in the “dev - nexus” project at https://issues.sonatype.org, and attach the nexus.log file there.
We faced a similar issue. Same error message and same “upgrading Nexus …” situation, but in our case the Active Directory authentication triggered the error message. The AD’s SSL certificate has a key of 1024 bits.
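The “Certificates do not conform to algorithm constraints” error in both posts above comes from the JDK comparing each certificate in the chain against the `jdk.certpath.disabledAlgorithms` entries in `java.security`. As an added example (not code from Nexus or the JDK), the script below models that check for the two constraint forms that matter here, a bare algorithm name and an `ALG keySize OP N` clause, and runs it over a constructed chain in which the leaf has a 1024-bit RSA key, so you can see which constraint string rejects which certificate. The chain and both constraint strings are constructed for illustration; the real value to test is the one in the `java.security` file of the JDK Nexus actually runs on.

```python
import re

# Constraint grammar subset of jdk.certpath.disabledAlgorithms:
#   "MD5"                 -> algorithm disabled outright (signature hash or key algorithm)
#   "RSA keySize < 2048"  -> key algorithm disabled when the size satisfies the comparison
# Entries with other qualifiers (jdkCA, usage, denyAfter) are not modelled and are skipped.
_KEYSIZE = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


def parse_constraints(spec):
    """Return [(algorithm, op, bits)]; op and bits are None for a bare algorithm entry."""
    rules = []
    for entry in (e.strip() for e in spec.split(",")):
        m = _KEYSIZE.match(entry)
        if m:
            rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif re.fullmatch(r"\w+", entry):
            rules.append((entry.upper(), None, None))
        # anything else (e.g. "SHA1 jdkCA & usage TLSServer") is a qualified entry: skipped
    return rules


def check_chain(chain, spec):
    """chain: [(subject, signature_alg, key_alg, key_bits)], leaf first.
    Returns [(subject, reason)] for every certificate the constraints would reject."""
    failures = []
    for subject, sig_alg, key_alg, key_bits in chain:
        for alg, op, bits in parse_constraints(spec):
            if op is None:
                # "SHA1" hits "SHA1withRSA"; "RSA" hits both the key and RSA signatures.
                if alg in sig_alg.upper() or alg == key_alg.upper():
                    failures.append((subject, f"{alg} is disabled"))
            elif alg == key_alg.upper() and _OPS[op](key_bits, bits):
                failures.append((subject, f"{key_alg} keySize {key_bits} violates 'keySize {op} {bits}'"))
    return failures


# Constructed sample: the kind of chain a TLS-inspecting proxy presents for the host
# named in the log above. Subjects, algorithms and sizes are made up for the example.
SAMPLE_CHAIN = [
    ("CN=registry-1.docker.io", "SHA256withRSA", "RSA", 1024),
    ("CN=Corp Proxy Issuing CA", "SHA256withRSA", "RSA", 2048),
    ("CN=Corp Root CA", "SHA256withRSA", "RSA", 4096),
]
# Two constructed constraint strings shaped like a java.security entry; only the RSA bound differs.
LENIENT_SPEC = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, EC keySize < 224"
STRICT_SPEC = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 2048, EC keySize < 224"

if __name__ == "__main__":
    for label, spec in (("lenient", LENIENT_SPEC), ("strict", STRICT_SPEC)):
        print(label, check_chain(SAMPLE_CHAIN, spec) or "chain accepted")
```

Running it shows the 1024-bit leaf (or, in the second reply's case, the AD server certificate) is accepted under `RSA keySize < 1024` and rejected under `RSA keySize < 2048`; the durable fix is to have the proxy or AD certificate re-issued with a 2048-bit or larger key rather than loosening the bound.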