Nexus Repository Manager 3 using SSL Unreachable by browsers or Docker

I am not a Java guy but we use Nexus for our NPM and Nuget packages and want to start using it to host Docker images as well, but I can't seem to get SSL working using their guide. I am using version 3.14.

I have generated the keystore and verified it works using:

    keytool -printcert -sslserver localhost:8444 -v

My nexus.properties file contains

    ssl.etc=${karaf.data}/etc/ssl
    application-port-ssl=8444
    nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml

I have tried to update the local_policy.jar and US_export_policy.jar, tried updating the JRE, and I still just get ERR_SSL_VERSION_OR_CIPHER_MISMATCH from Chrome when I try the browser, or TLS Handshake failed with Docker trying to log in.

java ssl jetty nexus sonatype

asked yesterday
user1689716

    Can you explain your choices when you generated your keystore? what algorithm? what bitsize? etc. Some choices will result in your issue.
    – Joakim Erdfelt
    yesterday

2 Answers

Since you are generating your keystore, make sure you use the following general advice.

  • Use AES or RSA (not DSA or DES) for your key algorithm
  • Use 2048 bits (or larger. go for 4096)
  • Use a strong signature algorithm, such as SHA256 or SHA512 (not SHA, SHA1, MD5)
  • Keystore type should be PKCS12 or JKS (for Java KeyStore)

If you use DSA or DES you will not be able to connect.
If you use too low of a bitsize you will not be able to connect.
If you use a poor signature algorithm, you will not be able to connect.

See https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html for examples on generating a keystore using either keytool or openssl.

answered yesterday
Joakim Erdfelt

I found the issue. It was in how I was generating the keystore. I was using a .pfx exported cert from Windows and had tried to split it into separate parts before importing to the keystore.

Once I just tried to import the pfx cert containing the private key as well, it worked. It was just appearing to work since the test

    keytool -printcert -sslserver localhost:8444 -v

was returning the cert error-free.

answered yesterday
user1689716
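
Added example (not code from either answer): a shell function that audits `keytool -list -v` output for the points both answers raise, namely that the keystore holds a PrivateKeyEntry and that the key and signature algorithms pass the first answer's checklist. The two listings are constructed, and treating the split import as leaving only a trustedCertEntry is an assumption, since the answer does not show its keystore.

```shell
#!/bin/sh
# Added example. Typical use (keytool flags are real; file names are placeholders):
#   keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 \
#           -destkeystore keystore.jks -deststoretype JKS
#   keytool -list -v -keystore keystore.jks | audit_keystore

# Reads `keytool -list -v` output on stdin, prints one finding per line,
# and returns non-zero if the keystore is unlikely to work for TLS.
audit_keystore() {
  awk '
    /^Alias name:/ { alias = $3 }
    /^Entry type:/ { if ($3 == "PrivateKeyEntry") keys++ }
    /^Signature algorithm name:/ {
      if ($4 ~ /^(SHA1|MD5|MD2)with/) { print alias ": weak signature " $4; bad++ }
    }
    /^Subject Public Key Algorithm:/ {
      bits = $5; sub(/-bit$/, "", bits)
      if ($6 == "DSA") { print alias ": DSA key"; bad++ }
      else if ($6 == "RSA" && bits + 0 < 2048) { print alias ": RSA key is " bits " bits"; bad++ }
    }
    END {
      if (keys == 0) { print "no PrivateKeyEntry: certificate present but no private key"; bad++ }
      exit (bad > 0)
    }'
}

# Constructed listing (assumed failing case): only the certificate was imported.
sample_cert_only() { cat <<'EOF'
Alias name: nexus
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# Constructed listing: the whole .pfx (certificate plus private key) was imported.
sample_full_pfx() { cat <<'EOF'
Alias name: nexus
Entry type: PrivateKeyEntry
Certificate chain length: 1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

sample_cert_only | audit_keystore || echo "cert-only keystore: FAIL"
sample_full_pfx  | audit_keystore && echo "full pfx import: OK"
```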
