Ways of building
Nexus officially documents two ways to provide SSL:
- The first uses a reverse proxy. Nexus Repository Manager serves plain HTTP, and a reverse proxy such as Nginx terminates TLS and exposes HTTPS to clients. Traffic between the reverse proxy and Nexus Repository Manager is still plain HTTP.
- The second is the more direct approach: configure Nexus Repository Manager itself so that it serves HTTPS to clients.
This article describes the second way.
Configure HTTPS
Generate keystore file
Execute the following commands in the project's $install-dir/etc/ssl/ directory:
```shell
# {NEXUS_DOMAIN} = nexus is the server domain name
# {NEXUS_IP} = 192.168.59.1 is the server IP
$ cd $install-dir/etc/ssl/
$ keytool -genkeypair -keystore keystore.jks -storepass nexus3 -keypass nexus3 \
    -alias jetty -keyalg RSA -keysize 2048 -validity 5000 \
    -dname "CN=*.{NEXUS_DOMAIN}, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" \
    -ext "SAN=DNS:{NEXUS_DOMAIN},IP:{NEXUS_IP}" -ext "BC=ca:true"
```
Add an SSL port
Modify the $data-dir/etc/nexus.properties file and add application-port-ssl=8443 on the first line.
Add HTTPS Support Profile
In the same $data-dir/etc/nexus.properties file, find the line whose key is nexus-args and append ,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-http-redirect-to-https.xml to its value:
```
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-http-redirect-to-https.xml
```
Modify the HTTPS configuration file
Modify the keystore and truststore settings in the ${jetty.etc}/jetty-https.xml file:
```xml
<Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
<Set name="KeyStorePassword">nexus3</Set>
<Set name="KeyManagerPassword">nexus3</Set>
<Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
<Set name="TrustStorePassword">nexus3</Set>
```
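The two nexus.properties edits above (the SSL port on the first line and the two HTTPS Jetty files appended to nexus-args) are easy to get wrong by hand, especially on a file where nexus-args is still commented out. The helper below is an added example, not part of the original article or of Nexus itself; it applies both edits idempotently and offers a check function, assuming the $data-dir/etc/nexus.properties key names shown above.

```python
SSL_PORT_KEY = "application-port-ssl"
NEXUS_ARGS_KEY = "nexus-args"
# Default nexus-args value from the article, used only when the key is absent (e.g. still commented out)
DEFAULT_NEXUS_ARGS = "${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml"
HTTPS_ARGS = ("${jetty.etc}/jetty-https.xml", "${jetty.etc}/jetty-http-redirect-to-https.xml")


def enable_https(properties: str, ssl_port: int = 8443) -> str:
    """Return nexus.properties text with the SSL port and the HTTPS Jetty configs enabled.

    Idempotent: applying it to its own output changes nothing. Comments and
    unrelated lines are kept in their original order.
    """
    out, saw_ssl_port, saw_args = [], False, False
    for line in properties.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key == SSL_PORT_KEY:
            saw_ssl_port = True
            line = f"{SSL_PORT_KEY}={ssl_port}"
        elif sep and key == NEXUS_ARGS_KEY:
            saw_args = True
            args = [a.strip() for a in value.split(",") if a.strip()]
            args += [a for a in HTTPS_ARGS if a not in args]  # append only what is missing
            line = f"{NEXUS_ARGS_KEY}={','.join(args)}"
        out.append(line)
    if not saw_args:
        out.append(f"{NEXUS_ARGS_KEY}={DEFAULT_NEXUS_ARGS},{','.join(HTTPS_ARGS)}")
    if not saw_ssl_port:
        out.insert(0, f"{SSL_PORT_KEY}={ssl_port}")  # the article puts it on the first line
    return "\n".join(out) + "\n"


def https_enabled(properties: str) -> bool:
    """True when the SSL port and both HTTPS Jetty files are configured (comments ignored)."""
    keys = {}
    for line in properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            keys[key.strip()] = value.strip()
    args = [a.strip() for a in keys.get(NEXUS_ARGS_KEY, "").split(",")]
    return SSL_PORT_KEY in keys and all(a in args for a in HTTPS_ARGS)


# Constructed sample resembling a stock nexus.properties with HTTP only
SAMPLE = """# Jetty section
# application-port=8081
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/
"""
```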
Verification
Restart service
```shell
$ nexus.exe /run
```
Web access
Visit http://localhost:8081/ or https://localhost:8443/. If the page opens properly, the configuration is successful. Because jetty-http-redirect-to-https.xml is configured here, plain HTTP requests are automatically redirected to the HTTPS address.
Docker configuration
Login error
```shell
[root@localhost docker]# docker login -u admin -p admin123 192.168.59.1:8551
Error response from daemon: Get https://192.168.59.1:8551/v1/users/: x509: certificate signed by unknown authority
```
A side note: if the keystore was generated without an IP SAN, the error is instead:
```
Error response from daemon: Get https://192.168.59.1:8551/v1/users/: x509: cannot validate certificate for 192.168.59.1 because it does not contain any IP SANs
```
There are two ways to solve the above problem. The first is to add the registry to insecure-registries, which skips TLS certificate verification entirely; the second is to install the server's certificate so that verification succeeds.
1 - No verification: modify the daemon.json file
```shell
[root@localhost docker]# vi /etc/docker/daemon.json
{
  "insecure-registries": [ "192.168.59.1:8551" ],
  "disable-legacy-registry": true
}
[root@localhost docker]# docker login -u admin -p admin123 192.168.59.1:8551
Login Succeeded
```
Or edit /etc/sysconfig/docker:
```
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 10.30.30.126:8123'
```
2 - With verification: configure ca-trust (CentOS)
```shell
[root@localhost docker]# docker login -u admin -p admin123 192.168.59.1:8551
Error response from daemon: Get https://192.168.59.1:8551/v2/: x509: certificate has expired or is not yet valid
```
Searching around, most people say this is caused by the server clock not being synchronized. The fix is as follows:
```shell
# Fix the time zone first
[root@localhost ~]# ls -l /etc/localtime
lrwxrwxrwx. 1 root root 38 Apr 25 07:09 /etc/localtime -> ../usr/share/zoneinfo/America/New_York
[root@localhost ~]# rm -f /etc/localtime
[root@localhost ~]# ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Then fix the time itself
[root@localhost docker]# yum install ntp.x86_64
# List of available NTP servers: http://www.ntp.org.cn/pool.php
[root@localhost docker]# ntpdate cn.ntp.org.cn
Jun 17:50:20 ntpdate[18252]: no server suitable for synchronization found
# The company proxy blocks the NTP server, so set the time manually
[root@localhost ~]# date -s 20180606
Wed Jun 6 00:00:00 CST 2018
[root@localhost ~]# date -s 17:53:35
Wed Jun 6 17:53:35 CST 2018
```
Generate and import the cert file on CentOS 7.0:
```shell
# Generate the cert file
[root@localhost ~]# keytool -printcert -sslserver 192.168.59.1:8443 -rfc > nexus.crt
[root@localhost ~]# yum install ca-certificates
[root@localhost ~]# update-ca-trust force-enable
# It can also be placed in the /etc/docker/certs.d/192.168.59.1:8443 directory.
[root@localhost ~]# mv nexus.crt /etc/pki/ca-trust/source/anchors/nexus.crt
[root@localhost ~]# update-ca-trust
[root@localhost ~]# service docker restart
[root@localhost ~]# docker login -u admin -p admin123 192.168.59.1:8551
Error response from daemon: Get https://192.168.59.1:8551/v2/: x509: certificate signed by unknown authority
```
On Ubuntu systems, the certificate directory is /usr/local/share/ca-certificates:
```shell
# Generate the cert file
[root@localhost ~]# keytool -printcert -sslserver 192.168.59.1:8443 -rfc > nexus.crt
# It can also be placed in the /etc/docker/certs.d/192.168.59.1:8443 directory.
[root@localhost ~]# mv nexus.crt /usr/local/share/ca-certificates/nexus.crt
[root@localhost ~]# update-ca-certificates
[root@localhost ~]# service docker restart
[root@localhost ~]# docker login -u admin -p admin123 192.168.59.1:8551
```
As shown above, docker login still fails with "certificate signed by unknown authority". Searching further shows that, by default, such certificates only support access by domain name; to support access by IP address, the openssl.cnf configuration file must be modified.
On Red Hat 7 the file is /etc/pki/tls/openssl.cnf. In the [v3_ca] section, add the subjectAltName option:
```
[ v3_ca ]
subjectAltName = IP:192.168.59.1
```
Run docker login again:
```shell
[root@localhost ~]# service docker restart
[root@localhost ~]# docker login -u admin -p admin123 192.168.59.1:8551
Login Succeeded
```
With that, everything works!
Reference materials
- SSL and Repository Connector Configuration: https://help.sonatype.com/repomanager3/private-registry-for-docker/ssl-and-repository-connector-configuration
- Inbound SSL - Configuring to Serve Content via HTTPS: https://help.sonatype.com/repomanager3/security/configuring-ssl#ConfiguringSSL-InboundSSL-ConfiguringtoServeContentviaHTTPS
- Using Self-Signed Certificates with Nexus Repository Manager and Docker Daemon: https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon
- CA certificate verification of user certificates: https://www.cnblogs.com/cmsd/p/6078705.html
- 03 Build a private Docker registry: https://blog.csdn.net/gqtcgq/article/details/51163558
- Docker error: x509: certificate has expired or is not yet valid: https://blog.csdn.net/bjbs_270/article/details/48784807
- Linux: setting the system time: https://www.cnblogs.com/boshen-hzb/p/6269378.html