  1. Dev - Nexus Repo
  2. NEXUS-8790

make SSL trust error diagnosis easier when HTTP proxy server is not used


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.11.3
    • Fix Version/s: None
    • Component/s: Proxy Repository, UI
    • Labels:

      Description

      In NEXUS-5481 (2.4), we started including the reason a remote was blocked in the UI in certain cases.

      When an HTTP proxy server is used by Nexus, and Nexus encounters a trust issue with the certificate of the remote repo, then Nexus will display a message similar to the attached screenshot containing a message about the blocked repo cause "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".

      This only happens if the failure occurs on the HTTPS CONNECT operation - which only happens when tunneling through an HTTP proxy server.

      Problem: When some other firewall is used, and Nexus does not have an explicit HTTP proxy server configured, there is no CONNECT operation. Nexus will try a HEAD request first instead - this will fail with the above error, but that can only be seen when the Nexus ROOT logger is DEBUG, and then a GET request is made. The exception on the GET request is swallowed - not logged at all. There is no INFO or DEBUG level logging that prints the problem on a GET request.

      I can confirm though, that if the remote cert is specifically trusted using the SSL certificates feature of Nexus, the repository is no longer auto-blocked.

      Expected:

      • it should be easy to discover the cause of remote autoblocking
      • do not swallow the remote trust exception in the case where an HTTP proxy server is NOT being used and cert trust errors occur on the follow-up GET request
      • report the cause of the blocking in a manner similar to when an HTTP proxy server is being used
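
Until the cause is reported by Nexus itself, the failure can be reproduced outside it. The following is an added example, not code from Nexus or from the reporter: it sends a HEAD and then a GET directly to the remote (no proxy, so no CONNECT) and prints the full exception cause chain. The class name `RemoteTrustProbe` is hypothetical, and the probe validates against the default trust store of the JVM it runs in, so it assumes it is run with the same Java installation as Nexus.

```java
import java.net.HttpURLConnection;
import java.net.Proxy;
import java.net.URI;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLHandshakeException;

// Added example (hypothetical class): probe a remote directly and report the cause chain.
public class RemoteTrustProbe {
    // ValidatorException and SunCertPathBuilderException extend the public types checked here.
    static String diagnose(Throwable t) {
        StringBuilder chain = new StringBuilder();
        boolean trust = false;
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (chain.length() > 0) chain.append(" <- ");
            chain.append(c.getClass().getName()).append(": ").append(c.getMessage());
            trust |= c instanceof CertificateException || c instanceof CertPathBuilderException;
        }
        return (trust ? "CERT TRUST FAILURE: " : "OTHER FAILURE: ") + chain;
    }

    static String probe(String url, String method) {
        try {
            // Proxy.NO_PROXY forces a direct connection, so no CONNECT tunnel is involved.
            HttpURLConnection conn =
                (HttpURLConnection) URI.create(url).toURL().openConnection(Proxy.NO_PROXY);
            conn.setRequestMethod(method);
            conn.setConnectTimeout(10000);
            conn.setReadTimeout(10000);
            int status = conn.getResponseCode();
            conn.disconnect();
            return method + " " + url + " -> HTTP " + status;
        } catch (Exception e) {
            return method + " " + url + " -> " + diagnose(e);
        }
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            // Constructed sample chain mirroring the message quoted in the issue.
            Throwable sample = new SSLHandshakeException("PKIX path building failed").initCause(
                new CertificateException("PKIX path building failed", new CertPathBuilderException(
                    "unable to find valid certification path to requested target")));
            System.out.println(diagnose(sample));
            return;
        }
        // Same order the issue describes: HEAD first, then the follow-up GET.
        System.out.println(probe(args[0], "HEAD"));
        System.out.println(probe(args[0], "GET"));
    }
}
```

Run without arguments to see the constructed chain; pass the remote repository's https URL as the single argument to probe a real remote.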

            People

            Assignee:
            Unassigned
            Reporter:
            Peter Lynch (plynch)
            Last Updated By:
            Peter Lynch