Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-10037

NPM tarballs proxied over http may be fetched remotely over https


    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0, 2.12.1
    • Fix Version/s: None
    • Component/s: NPM
    • Labels:
    • Story Points:


      This is the opposite problem described in NEXUS-6889.

      Configure an NPM proxy repository in Nexus to http://registry.npmjs.org. The intent to do this is to avoid going through an internal HTTP proxy server that affects requests using HTTPS.

      Nexus makes primary metadata outbound requests to http://registry.npmjs.org, however metadata at that site may contain links to https://registry.npmjs.org tarballs. These https tarball urls are cached inside Nexus.

      When a user configures Nexus to talk to http://registry.npmjs.org, they expect all communication to the remote to be over http - where this may matter is if they have Nexus configured with an HTTP proxy server that rewrites SSL certificates of the remote. They do not realize they need to explicitly trust the certificate that the proxy to https://registry.npmjs.org is returning because they have told Nexus to use http to the remote.


      2016-04-04 14:40:31,760-0300 WARN  [qtp1023322936-1073] *UNKNOWN com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl - Failed to fetch: https://registry.npmjs.org/requirejs/-/requirejs-2.2.0.tgz
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


          Issue Links



              • Assignee:
                plynch Peter Lynch
                Last Updated By:
                Joe Tom
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created:
                  Date of First Response: