我已在 CentOS Linux 版本 7.4.1708 上安装了 Nexus Repository Manager OSS 3.0.2-02。
我还有 CA 证书:
Issued to: \*.mycompany.com
Issued by: Go Daddy Secure Certificate Authority - G2
Valid from 2016-11-12 to 2018-01-11
RSA 私钥与我的 CA 证书匹配,已使用 Certificate Key Matcher 检查并报告:
The certificate and private key match!
在 Nexus3 目录中我进行了以下更改:
添加到文件org.sonatype.nexus.cfg
以下行:
nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml,${karaf.etc}/jetty-https.xml
application-port-ssl=8443
添加到 jetty-https.xml
文件下一行:
KeyStorePath /ssl/test.jks
KeyStorePassword 123456
KeyManagerPassword 123456
TrustStorePath ssl/test.jks
TrustStorePassword 123456
在 $NEXUS_HOME/etc/
中创建 SSL 目录,并在 SSL 目录内创建 Java keystore 文件 test.jks
,命令为:
openssl pkcs12 -export -in mycompany.com.pem -inkey key.pem -name xxx.mycompany.com -out test.pks
keytool -importkeystore -deststorepass 123456 -destkeystore test.jks -srckeystore test.pks -srcstoretype PKCS12
keytool -import -alias bundle -trustcacerts -file gd_bundle.crt -keystore test.jks
Nexus 重新启动后,我无法通过 URL //xxx.mycompany.com:8443
访问它。火狐浏览器说:
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified
还尝试执行:docker登录xxx.mycompany.com:8443
并提供默认admin:admin:123
凭据原因:
Error response from daemon: Get xxx.mycompany.com:8443/v1/users/: x509: certificate signed by unknown authority
我还尝试通过 Google 的各种场景链接证书,包括 How to add certificate chain to keystore? ,但在 Docker 上出现错误:
Error response from daemon: Get //xxx.mycompany.com:8443/v1/users/: EOF
在 Firefox 上,与第一次相同,在 Chrome 上:
//xxx.mycompany.com unexpectedly closed the connection
问题:我的错误在哪里,或者如何在Nexus3上正确安装CA证书?
最佳答案
我已经找到解决办法了。只需要在 jetty-https.xml
下一行中设置:
<Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
关于ssl-certificate - 如何在 Nexus 3 上安装 CA 证书?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46790751/