Unable to proxy Maven repo over https/ssl with Nexus

Question

I followed the instructions given on this page to import the server certificate.

When I use keytool -list, I can see that the certificate is actually in the keystore. If I try to import the .crt file, keytool warns me that the keystore already contains the certificate.

Then I updated wrapper.conf with the two ssl options. I can see them on the command line of the Nexus process after a restart.

But when I try to add a proxy repo for the remote server, I always get sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What did I miss?

Answer 1

You have to import the custom CA certificate into the 'trustStore' and not into the 'keyStore'.

The procedure for creating a 'trustStore' is the same as the one for the 'keyStore'. Once you have your *.jks file then link it using the following system properties:

javax.net.ssl.trustStore=<file>
javax.net.ssl.trustStorePassword=<password>

Answer 2

Error message means the JVM cannot properly authenticate the remote server's SSL cert. Very common if the remote server is using a self-signed cert instead of one signed by an official certificate authority (like verisign).

Your message is confusing. You've enabled SSL on your Nexus instance, however you talk about a proxy repo implying the problem SSL cert might be on another server.