SSL Handshake Exception with cdn.redhat.com


Tim O'Grady

Mar 3, 2023, 12:14:05 AM
to Nexus Users
Hi
Getting this error when trying to proxy RHEL yum repos from .cdt.redhat.com

Exception javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints checking remote for update,

Cannot seem to get more verbose logging to identify what's wrong.
I am not using a reverse proxy.
I can curl to the same URL using the same certs and the repomd.xml file is returned okay.

Fabrice Bacchella

Mar 3, 2023, 10:12:24 AM
to Tim O'Grady, Nexus Users
What is your JVM version (major and minor)?


Tim O'Grady

Mar 5, 2023, 5:22:48 PM
to Nexus Users, fbacc...@gmail.com, Nexus Users, Tim O'Grady
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el9_1.x86_64/jre/bin/java -version
openjdk version "1.8.0_352"
OpenJDK Runtime Environment (build 1.8.0_352-b08)
OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode)

Tim O'Grady

Mar 5, 2023, 6:34:23 PM
to Nexus Users, Tim O'Grady, fbacc...@gmail.com, Nexus Users

From Nexus:
java.version: 1.8.0_352
java.vm.info: mixed mode
java.vm.name: OpenJDK 64-Bit Server VM
java.vm.specification.name: Java Virtual Machine Specification
java.vm.specification.vendor: Oracle Corporation
java.vm.specification.version: 1.8
java.vm.vendor: Red Hat, Inc.
java.vm.version: 25.352-b08
javax.xml.bind.JAXBContext: com.sun.xml.bind.v2.ContextFactory
jdk.tls.ephemeralDHKeySize: 2048

Tim O'Grady

Mar 5, 2023, 11:58:07 PM
to Nexus Users, Tim O'Grady, fbacc...@gmail.com, Nexus Users
Turned out to be a RHEL 9 issue.
Found it by turning on the javax.net.debug
Set '-Djavax.net.debug=all' in nexus.vmoptions

From nexus.log
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA

The root CA certificate uses SHA1withRSA signature algorithm.
"Starting in RHEL 9, the use of the SHA-1 algorithm for creating and verifying signatures is restricted with the DEFAULT cryptographic policy"
Update the crypto policy to allow SHA1 algorithms.

sudo update-crypto-policies --set DEFAULT:SHA1
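
Added example, not part of the thread or of Nexus: a standard-library Python check that reports which certificates in a PEM bundle carry a SHA-1 signature, the condition behind the `SHA1withRSA` constraint failure quoted above. The sample chain is a pair of constructed DER skeletons (assumption: leaf signed with SHA256withRSA, root with SHA1withRSA), and all function names are illustrative.

```python
import base64
import re

# Signature-algorithm OIDs mapped to the names Java prints in its exceptions.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last base-128 digit of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)            # enter the outer SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # enter signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def sha1_signed(pem_bundle):
    """Return (position, algorithm) for every SHA-1-signed certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    algs = [signature_algorithm(base64.b64decode(b)) for b in blocks]
    return [(i, a) for i, a in enumerate(algs) if a.startswith("SHA1")]

# Constructed DER skeletons (dummy tbsCertificate and signature), not real certificates.
def skeleton(oid_last_byte):
    der = bytes.fromhex("30183003020100300d06092a864886f70d0101%02x050003020000" % oid_last_byte)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_CHAIN = skeleton(0x0B) + skeleton(0x05)  # leaf SHA256withRSA, root SHA1withRSA
print(sha1_signed(SAMPLE_CHAIN))
```

Passing the text of a real PEM bundle to `sha1_signed` shows which position in the chain would trip the constraint.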

