nexus 3.0 to 3.1 upgrade no valid keystore


morten bjoernsvik

Nov 4, 2016, 8:10:14 AM
to Nexus Users
Hi

I'm following: https://support.sonatype.com/hc/en-us/articles/231723267

I'm unable to get my keystore loaded.

I've not touched anything under nexus-3.1.0-04/etc only under sonatype-work/nexus3/etc

I do not see any path or error helping me in the log either.

2016-11-04 12:54:34,172+0100 ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: no valid keystore
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:48) [org.eclipse.jetty.util:9.3.7.v20160115]
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016) [org.eclipse.jetty.util:9.3.7.v20160115]
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332) [org.eclipse.jetty.util:9.3.7.v20160115]
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [org.eclipse.jetty.util:9.3.7.v20160115]
        :

$ ls -lR /opt/nexus/sonatype-work/nexus3/etc/jetty/
/opt/nexus/sonatype-work/nexus3/etc/jetty/:
total 8
-rw-r--r-- 1 nexus nexus 3714 Nov  4 12:53 jetty-https.xml
drwxr-sr-x 2 nexus nexus 4096 Nov  4 12:23 ssl

/opt/nexus/sonatype-work/nexus3/etc/jetty/ssl:
total 16
-rw-r--r-- 1 nexus nexus 5122 Nov  4 12:23 nexus3.jks
-rw-r--r-- 1 nexus nexus 4194 Nov  4 12:23 nexus3.p12

$ diff /opt/nexus/nexus-3.0.2-02/etc/jetty-https.xml /opt/nexus/sonatype-work/nexus3/etc/jetty/jetty-https.xml
24c24
<     <Set name="KeyStorePath"><Property name="karaf.etc"/>/ssl/nexus3.jks</Set>
---
>     <Set name="KeyStorePath"><Property name="ssl.etc"/>/ssl/nexus3.jks</Set>
27c27
<     <Set name="TrustStorePath"><Property name="karaf.etc"/>/ssl/nexus3.jks</Set>
---
>     <Set name="TrustStorePath"><Property name="ssl.etc"/>/ssl/nexus3.jks</Set>

$ cat /opt/nexus/sonatype-work/nexus3/etc/nexus.properties
# Jetty section
application-host=0.0.0.0
#nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml
nexus-context-path=/
application-port-ssl=8443

# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
 nexus-pro-feature

Any input very appreciated.

Thanks
--
MortenB

Stuart McCulloch

Nov 4, 2016, 8:39:15 AM
to morten bjoernsvik, Nexus Users
Hi,

First, the only file loaded from sonatype-work/nexus3/etc is “nexus.properties” which lets you override various properties in the configuration templates. Note you can find the default values for these properties in $install-dir/etc/nexus-default.properties.

If you need to further customise configuration files (over and above the existing property placeholders) then you need to change them under $install-dir/etc.

Second, you currently set the keystore and truststore paths to:

<Property name="ssl.etc"/>/ssl/nexus3.jks
<Property name="ssl.etc"/>/ssl/nexus3.jks

Since ${ssl.etc} is defined as ${install-dir}/etc/ssl these will resolve to:

 ${install-dir}/etc/ssl/ssl/nexus3.jks
 ${install-dir}/etc/ssl/ssl/nexus3.jks

If you remove the extra “/ssl” from your store path settings in your jetty configuration (make sure those jetty files are located in $install-dir/etc/jetty) and move your keystore and truststore files to ${install-dir}/etc/ssl then they should load.

--
Cheers, Stuart
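To see Stuart's placeholder arithmetic mechanically, here is an added example (not code from the thread or from Nexus) that resolves the `<Property name="..."/>` placeholders in a jetty-https.xml fragment the way Jetty's XML configuration concatenates them, and flags the doubled `/ssl/ssl/` before Jetty has to report "no valid keystore". The property names come from the thread; the value of `karaf.etc` (`$install-dir/etc`) is assumed from the pre-split 3.0 layout, and the file list is constructed.

```python
# Added example (not from the thread or from Nexus): resolve the
# <Property name="..."/> placeholders of a jetty-https.xml fragment the way
# Jetty's XML configuration does, then check the resulting store paths.
import xml.etree.ElementTree as ET

def nexus_properties(install_dir: str) -> dict:
    """Placeholder values for Nexus 3.1 as described in the thread (ssl.etc) and
    assumed for the others from the pre-split 3.0 layout (karaf.etc = $install-dir/etc)."""
    return {
        "karaf.etc": f"{install_dir}/etc",
        "jetty.etc": f"{install_dir}/etc/jetty",
        "ssl.etc": f"{install_dir}/etc/ssl",
    }

def resolve_store_paths(jetty_xml: str, props: dict) -> dict:
    """Return {setting name: resolved path} for every <Set name="...StorePath">."""
    out = {}
    for elem in ET.fromstring(jetty_xml).iter("Set"):
        name = elem.get("name", "")
        if not name.endswith("StorePath"):
            continue
        path = elem.text or ""                      # text before the first child
        for child in elem:
            if child.tag != "Property" or child.get("name") not in props:
                raise ValueError(f"{name}: unknown placeholder {child.get('name')!r}")
            path += props[child.get("name")] + (child.tail or "")   # value + trailing text
        out[name] = path
    return out

def check_store_paths(resolved: dict, existing_files: set) -> list:
    """Problems an operator wants to see before Jetty reports 'no valid keystore'."""
    problems = []
    for name, path in resolved.items():
        if "/etc/ssl/ssl/" in path:
            problems.append(f"{name}: {path} doubles 'ssl' (ssl.etc already ends in /etc/ssl)")
        if path not in existing_files:
            problems.append(f"{name}: {path} does not exist")
    return problems

# Constructed fragment with the two lines from the poster's diff (the real file has more).
POSTED_FRAGMENT = """<Configure>
  <Set name="KeyStorePath"><Property name="ssl.etc"/>/ssl/nexus3.jks</Set>
  <Set name="TrustStorePath"><Property name="ssl.etc"/>/ssl/nexus3.jks</Set>
</Configure>"""
FIXED_FRAGMENT = POSTED_FRAGMENT.replace("/ssl/nexus3.jks", "/nexus3.jks")

if __name__ == "__main__":
    props = nexus_properties("/opt/nexus/nexus-3.1.0-04")
    present = {"/opt/nexus/nexus-3.1.0-04/etc/ssl/nexus3.jks"}  # constructed: keystore already moved
    for label, xml in ("posted", POSTED_FRAGMENT), ("fixed", FIXED_FRAGMENT):
        print(label, check_store_paths(resolve_store_paths(xml, props), present) or "OK")
```

Resolving the 3.0 line (`karaf.etc` + `/ssl/nexus3.jks`) against a 3.0 install directory gives `$install-dir/etc/ssl/nexus3.jks`, which is why the same suffix worked before the etc split and not after it.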

Stuart McCulloch

Nov 4, 2016, 9:03:21 AM
to morten bjoernsvik, Nexus Users
I went back and checked https://support.sonatype.com/hc/en-us/articles/231723267 and some of those instructions are incorrect.

Many apologies for any inconvenience this has caused, I’ve asked for them to be updated as soon as possible.

Basically from 3.0 to 3.1, three main things happened with the configuration and default data directory:

1)  $install-dir/etc  was split into subdirectories to help make it clear which configurations need to be edited for which subsystem

2)  $install-dir/etc/org.sonatype.nexus.cfg  became $install-dir/etc/nexus-default.properties (containing default out-of-the-box values)
     and $data-dir/etc/nexus.properties (containing your custom overrides to the defaults, to help carry them over as you upgrade)

3)  The default $data-dir  which was $install-dir/data  became  $install-dir/../sonatype-work/nexus3  to decouple it from the installation

We also introduced some extra properties to help with the new layout ($ssl.etc for $install-dir/etc/ssl, and so on)

Hope this helps

morten bjoernsvik

Nov 4, 2016, 10:55:25 AM
to Nexus Users, morten.b...@gmail.com
Thanks for the clarification.

I moved the nexus3.jks to /opt/nexus/nexus-3.1.0-04/etc/ssl and updated /opt/nexus/nexus-3.1.0-04/etc/jetty/jetty-https.xml and now it starts up.

I wrongly assumed all config overrides were under /opt/nexus/sonatype-work. I will delete the rest of the config I've added to sonatype-work.

Thanks again.

Gilberto A Lima

May 17, 2018, 12:15:29 PM
to Nexus Users, morten.b...@gmail.com

Could you tell me how you generated .jks, and how is your jetty-https.xml file please? I tried to follow the steps in:

Example:
jetty-https.xml
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/etc/ssl/my.jks</Set>
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/etc/ssl/my.jks</Set>

nexus.properties:
application-port-ssl=8443
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml

but I still have the same error: "failed to start, no valid keystore"

Thanks
Gilberto A Lima

Rich Seddon

May 17, 2018, 12:33:53 PM
to Nexus Users
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/etc/ssl/my.jks</Set>
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/etc/ssl/my.jks</Set>

The "ssl.etc" property expands to "$INSTALL_DIR/etc/ssl".

With your settings Nexus would be looking for the keystore in $INSTALL_DIR/etc/ssl/etc/ssl/my.jks.  I'm guessing that isn't what you want?




Gilberto A Lima

May 17, 2018, 2:48:51 PM
to Nexus Users
Now I can load this keystore, but I have this alert in the LOG and the application does not open. Could it be a problem generating my .jks?
For now the application works only in http but not in https.
Thanks for the help


2018-05-17 18:41:48,516+0000 WARN  [qtp1134232997-46] *SYSTEM org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@1908c0e8[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03(\x88\xDe\x8f\x03\x9d\x9f...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

Rich Seddon

May 17, 2018, 3:59:49 PM
to Nexus Users

2018-05-17 18:41:48,516+0000 WARN  [qtp1134232997-46] *SYSTEM org.eclipse.jetty.http.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@1908c0e8[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03(\x88\xDe\x8f\x03\x9d\x9f...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

That message looks like something you might get if you were trying to connect to an HTTP port via HTTPS...

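Rich's reading of the warning can be checked byte by byte. The following is an added example (not from the thread or from Jetty) that decodes the start of the buffer quoted in the WARN line: 0x16 is the TLS "handshake" record type, so a browser speaking HTTPS to a plaintext HTTP connector hands Jetty's HttpParser a ClientHello instead of a request line. The request line used for comparison is constructed.

```python
# Added example (not from the thread or from Jetty): decode the first bytes a
# plaintext HTTP connector received, to show why the HttpParser warning above
# starts with 0x16: it is the TLS handshake record type of a ClientHello.
import struct

TLS_HANDSHAKE = 0x16                     # TLS record content type "handshake"
CLIENT_HELLO = 0x01                      # handshake message type
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

def classify_first_bytes(buf: bytes) -> dict:
    """Say whether buf looks like the start of an HTTP request or a TLS record.

    TLS record header: type(1) version(2) length(2); a ClientHello then carries
    type(1) length(3) client_version(2) random(32) ...
    """
    if len(buf) >= 5 and buf[0] == TLS_HANDSHAKE and buf[1] == 0x03:
        rec_version, rec_len = struct.unpack("!HH", buf[1:5])
        info = {"kind": "tls", "record_version": TLS_VERSIONS.get(rec_version, hex(rec_version)),
                "record_len": rec_len, "expected_buffer_len": 5 + rec_len}
        if len(buf) >= 11 and buf[5] == CLIENT_HELLO:
            info["handshake"] = "ClientHello"
            info["handshake_len"] = int.from_bytes(buf[6:9], "big")
            client_version = struct.unpack("!H", buf[9:11])[0]
            info["client_version"] = TLS_VERSIONS.get(client_version, hex(client_version))
        return info
    method = buf.split(b" ", 1)[0]
    if method in HTTP_METHODS:
        return {"kind": "http", "method": method.decode("ascii")}
    return {"kind": "unknown", "first_byte": hex(buf[0]) if buf else None}

# Constructed inputs: the visible prefix of the buffer in the WARN line above, and
# an ordinary request line for comparison.
TLS_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
HTTP_PREFIX = b"GET /repository/maven-public/ HTTP/1.1\r\n"

if __name__ == "__main__":
    # The log reports l=517: 5 record-header bytes plus a 512-byte payload.
    print(classify_first_bytes(TLS_PREFIX))
    print(classify_first_bytes(HTTP_PREFIX))
```

The decoded record length (512) plus the 5-byte header equals the 517-byte buffer in the log, and the ClientHello advertises TLS 1.2, so the bytes are a well-formed handshake that simply arrived on the wrong port.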

Gilberto A Lima

May 17, 2018, 9:38:05 PM
to Nexus Users
That was exactly it: the bind port of the docker container and the application's bind port were different. For now everything is working!

Thanks ever so much!
--
Gilberto A Lima