RSA 1024 certs no longer valid in sonatype/nexus3 docker container

My company does the typical MITM of SSL with an HTTP proxy. When I updated to the latest sonatype/nexus3 container for 3.18.1, none of the SSL proxies work because the certs are considered invalid (they are RSA 1024). I have uploaded the company’s root cert, which worked before, but the child certs no longer work.

I have tried changing the java disabledAlgorithms property, but it doesn’t affect anything. (I think because nexus is not using the default truststore)

See the article below. And be sure to remove the old certificate from the Nexus truststore.

I had already imported the company’s root certificate. This is the exception I get when trying to click “View Certificate” in the application:

2019-09-16 15:18:26,155+0000 INFO [qtp508825405-5366] admin com.sonatype.nexus.ssl.plugin.internal.CertificateRetriever - Retrieving certificate from https://registry-1.docker.io:443
2019-09-16 15:18:26,748+0000 ERROR [qtp508825405-5366] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ssl_Certificate.retrieveFromHost, java-method: com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost
java.io.IOException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

I think we’ll need to see the full log. Open an issue in the “dev - nexus” project at https://issues.sonatype.org, and attach the nexus.log file there.

Rich

I’ll open an issue. I also confirmed that it was OK with sonatype/nexus3:3.17.0 and broken with sonatype/nexus3:3.18.0.

We faced a similar issue. Same error message and same “upgrading Nexus …” situation, but in our case the Active Directory authentication triggered the error message. The AD’s SSL certificate has a key of 1024 bits.

@jhawk28 I’ve checked the Sonatype JIRA and didn’t see an issue about this problem, so I created a new issue.
https://issues.sonatype.org/browse/NEXUS-21356

It seems like the change in base OS version here (which was done for security reasons) may have something to do with this:

If you change it back to centos7 locally does it start working?

I believe the crypto policy is being defined in “/etc/crypto-policies/back-ends/java.config” in the OS.

Specifically, I think this line needs to be changed to “RSA keySize < 1024”, or just remove the line entirely to work around this.

jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
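To make the constraint on that line concrete, here is an added example (not code from the thread, from Sonatype or from the JDK) that parses a `jdk.certpath.disabledAlgorithms` property in the java.config/java.security syntax, applies the keySize rules to a constructed certificate chain like the one in the original post (a corporate root issuing a 1024-bit RSA cert for registry-1.docker.io via the MITM proxy), and shows the effect of the workaround of lowering the RSA floor. The chain entries, subject names and the one-line config are constructed inputs; the checker models only plain algorithm entries and `keySize` clauses, not `jdkCA`, `denyAfter` or `usage` clauses, and it is a re-implementation of the rule semantics rather than Java's own `AlgorithmChecker`.

```python
import operator
import re

# Comparison operators accepted in a keySize clause of
# jdk.certpath.disabledAlgorithms (same spelling as the Java syntax).
_OPS = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt,
    ">=": operator.ge, "==": operator.eq, "!=": operator.ne,
}
_KEYSIZE_RE = re.compile(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")

# Constructed excerpt standing in for /etc/crypto-policies/back-ends/java.config;
# the property line is the one quoted in the thread.
SAMPLE_CONFIG = """\
# DEFAULT policy excerpt (constructed sample)
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
"""

# Constructed chain: a proxy-issued 1024-bit leaf under a corporate CA.
SAMPLE_CHAIN = [
    {"subject": "CN=registry-1.docker.io", "key_alg": "RSA", "key_bits": 1024, "sig_alg": "SHA256"},
    {"subject": "CN=Corp Proxy Issuing CA", "key_alg": "RSA", "key_bits": 2048, "sig_alg": "SHA256"},
    {"subject": "CN=Corp Root CA", "key_alg": "RSA", "key_bits": 4096, "sig_alg": "SHA256"},
]


def parse_disabled_algorithms(config_text):
    """Return {ALG: None | [(op, bits), ...]} from a java.security-style text.

    None means the algorithm is disabled outright (an entry with no clause,
    e.g. "MD5"). Entries whose only clauses are jdkCA/denyAfter/usage are not
    modeled and are skipped. Backslash line continuations are not handled.
    """
    m = re.search(r"^\s*jdk\.certpath\.disabledAlgorithms\s*=\s*(.*)$",
                  config_text, re.MULTILINE)
    if not m:
        return {}
    rules = {}
    for entry in m.group(1).split(","):
        tokens = entry.replace("&", " ").split()
        if not tokens:
            continue
        alg = tokens[0].upper()
        if len(tokens) == 1:
            rules[alg] = None  # whole algorithm disabled
            continue
        if rules.get(alg, []) is None:
            continue  # already fully disabled; a size clause cannot loosen it
        sizes = [(op, int(n)) for op, n in _KEYSIZE_RE.findall(entry)]
        if sizes:
            rules.setdefault(alg, []).extend(sizes)
    return rules


def violations(chain, rules):
    """List the reasons each cert in `chain` violates `rules`.

    Each cert is a dict with subject, key_alg, key_bits and sig_alg (the
    digest of its signature). An empty result means the chain conforms;
    Java reports the first hit as 'Certificates do not conform to
    algorithm constraints'.
    """
    problems = []
    for cert in chain:
        alg = cert["key_alg"].upper()
        constraint = rules.get(alg, [])
        if constraint is None:
            problems.append(f"{cert['subject']}: {alg} keys are disabled")
            continue
        for op, bits in constraint:
            if _OPS[op](cert["key_bits"], bits):
                problems.append(f"{cert['subject']}: {alg} keySize {cert['key_bits']} "
                                f"matches disabled rule 'keySize {op} {bits}'")
        digest = cert["sig_alg"].upper()
        if rules.get(digest, []) is None:
            problems.append(f"{cert['subject']}: signature digest {digest} is disabled")
    return problems


def relax_rsa_minimum(config_text, new_min):
    """Return config_text with the 'RSA keySize < N' floor replaced by new_min.

    This is the workaround discussed in the thread. It weakens the policy for
    every Java process that reads the file, so confine it to the container
    image and prefer reissuing the proxy certificates with >= 2048-bit keys.
    """
    return re.sub(r"(RSA\s+keySize\s*<\s*)\d+", r"\g<1>" + str(new_min), config_text)


if __name__ == "__main__":
    rules = parse_disabled_algorithms(SAMPLE_CONFIG)
    print("policy:", rules)
    for p in violations(SAMPLE_CHAIN, rules):
        print("REJECT", p)
    relaxed = parse_disabled_algorithms(relax_rsa_minimum(SAMPLE_CONFIG, 1024))
    print("after workaround:", violations(SAMPLE_CHAIN, relaxed) or "chain accepted")
```

Running it flags only the 1024-bit leaf under the CentOS 8 line and accepts the whole chain once the floor is lowered to 1024, which is exactly why the same chain passed on the centos7-based 3.17.0 image.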