Dev - Nexus / NEXUS-65

Cannot proxy/mirror an https repository

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-beta-3
    • Fix Version/s: 1.0
    • Component/s: None
    • Labels:
      None
    • Environment:
      CentOS release 5 (Final)

      java version "1.5.0_13"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05)
      Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_13-b05, mixed mode)
    • Global Rank:
      5821

      Description

      I added a proxy repository to https://maven.atlassian.com/repository/public

      However, it is unavailable to Nexus, although I can see it through my web browser.

      2008-05-30 12:06:54.203 INFO [pool-132-thread-1:] - org.apache.commons.httpclient.HttpMethodBase: Response content length is not known
      2008-05-30 12:06:55.373 ERROR [pool-132-thread-1:] - org.sonatype.nexus.proxy.storage.remote.RemoteRepositoryStorage:apacheHttpClient3x: Tranport error while executing HEAD method
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
      at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
      at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
      at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
      at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
      at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
      at org.sonatype.nexus.proxy.storage.remote.commonshttpclient.CommonsHttpClientRemoteStorage.executeMethod(CommonsHttpClientRemoteStorage.java:394)
      at org.sonatype.nexus.proxy.storage.remote.commonshttpclient.CommonsHttpClientRemoteStorage.containsItem(CommonsHttpClientRemoteStorage.java:86)
      at org.sonatype.nexus.proxy.storage.remote.AbstractRemoteRepositoryStorage.containsItem(AbstractRemoteRepositoryStorage.java:144)
      at org.sonatype.nexus.proxy.storage.remote.AbstractRemoteRepositoryStorage.isReachable(AbstractRemoteRepositoryStorage.java:128)
      at org.sonatype.nexus.proxy.repository.AbstractRepository.isRemoteStorageReachable(AbstractRepository.java:431)
      at org.sonatype.nexus.proxy.repository.AbstractRepository$1.run(AbstractRepository.java:215)
      at edu.emory.mathcs.backport.java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:442)
      at edu.emory.mathcs.backport.java.util.concurrent.FutureTask.run(FutureTask.java:178)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
      at java.lang.Thread.run(Thread.java:595)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
      at sun.security.validator.Validator.validate(Validator.java:203)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
      ... 28 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
      ... 33 more
      2008-05-30 12:07:03.330 INFO [btpool0-15 - /nexus/service/local/repositories/atlassian-public/status?undefined:] - org.sonatype.nexus.proxy.registry.RepositoryRegistry:default: Added repository ID=atlassian-public (contentClass=maven2)
      2008-05-30 12:07:03.330 INFO [btpool0-15 - /nexus/service/local/repositories/atlassian-public/status?undefined:] - org.sonatype.nexus.configuration.NexusConfiguration:default: Applying Nexus Configuration...
      2008-05-30 12:07:03.333 WARN [pool-135-thread-1:] - org.apache.commons.httpclient.HttpMethodDirector: Required credentials not available for BASIC <any realm>@maven.atlassian.com:443
      2008-05-30 12:07:03.333 WARN [pool-135-thread-1:] - org.apache.commons.httpclient.HttpMethodDirector: Preemptive authentication requested but no default credentials available
      2008-05-30 12:07:03.336 INFO [pool-135-thread-1:] - org.apache.commons.httpclient.HttpMethodBase: Response content length is not known
      2008-05-30 12:07:05.122 ERROR [pool-135-thread-1:] - org.sonatype.nexus.proxy.storage.remote.RemoteRepositoryStorage:apacheHttpClient3x: Tranport error while executing HEAD method
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
      at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
      at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
      at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
      at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
      at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
      at org.sonatype.nexus.proxy.storage.remote.commonshttpclient.CommonsHttpClientRemoteStorage.executeMethod(CommonsHttpClientRemoteStorage.java:394)
      at org.sonatype.nexus.proxy.storage.remote.commonshttpclient.CommonsHttpClientRemoteStorage.containsItem(CommonsHttpClientRemoteStorage.java:86)
      at org.sonatype.nexus.proxy.storage.remote.AbstractRemoteRepositoryStorage.containsItem(AbstractRemoteRepositoryStorage.java:144)
      at org.sonatype.nexus.proxy.storage.remote.AbstractRemoteRepositoryStorage.isReachable(AbstractRemoteRepositoryStorage.java:128)
      at org.sonatype.nexus.proxy.repository.AbstractRepository.isRemoteStorageReachable(AbstractRepository.java:431)
      at org.sonatype.nexus.proxy.repository.AbstractRepository$1.run(AbstractRepository.java:215)
      at edu.emory.mathcs.backport.java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:442)
      at edu.emory.mathcs.backport.java.util.concurrent.FutureTask.run(FutureTask.java:178)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
      at java.lang.Thread.run(Thread.java:595)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
      at sun.security.validator.Validator.validate(Validator.java:203)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
      ... 28 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
      ... 33 more
      2008-05-30 12:12:36.716 INFO [btpool0-15 - /nexus/service/local/logs?_dc=1212138283590:] - org.sonatype.nexus.Nexus:default: List log files.
      2008-05-30 12:12:40.728 INFO [btpool0-15 - /nexus/service/local/logs/nexus.log?_dc=1212138287606:] - org.sonatype.nexus.Nexus:default: Retrieving nexus.log log file.

        Activity

        Tamás Cservenák added a comment -

        Hi there, it seems you are hitting this Java bug:

        http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6647251

        It seems you need Java5 Update 15 OR Java6 Update 5 to have DigiCert CA delivered with JRE (Atlassian uses DigiCert CA issued cert for repo it seems, which is unrecognized by your JRE as CA, hence treats it as "self-signed" and refuses to connect to it).

        As I see, you are on Java5 Update 13.

        Please try to upgrade to the latest, and report the results.

        Kristine O'Connor added a comment -

        I tested this using the JRE version 1.6.0_06 and JDK version 1.6.0_06 and noted the same errors logged in the nexus.log.

        Neil Crow added a comment -

        Hi,

        I tried it out this afternoon with Java5 Update 15, but same result.
        I'm now following a lead with the security staff, it may be the way the proxy is set up to inspect https traffic.

        I'll post here again when I have the results.

        Neil.

        Neil Crow added a comment - - edited

        Hooray! It's working for me.
        Thanks for your help, but it seems that it was the proxy configuration.
        The proxy servers are set up to inspect https traffic; after inspection the http response is re-encrypted with an organisational certificate which was not recognised by my java instance.

        Neil.

        Tamás Cservenák added a comment -

        Can we close this issue?

        Neil Crow added a comment -

        It is resolved for me, however I'm not sure if Kristine still has an issue.

        Tamás Cservenák added a comment -

        Comment or close please

        Kristine O'Connor added a comment -

        No longer having any problems with these steps. Closing defect.

        Craig Morrison added a comment -

        For the benefit of others, I encountered the same issue in our organisation when trying to mirror Atlassian's repository (https://m2proxy.atlassian.com/repository/public). The Nexus instance is behind our firewall. It turned out that our firewall was presenting its own certificate to the client instead of Atlassian's one. The error was resolved when a rule was added to the firewall to not "replace" the certificate in the specific case of Atlassian's site.

        One can see the certificate being used via a browser.


          People

          • Assignee:
            Kristine O'Connor
            Reporter:
            Deleted User
            Last Updated By:
            Rich Seddon