Article 5R75W Enabled SSL on Nexus Container and Firefox browser is getting "PR_CONNECT_RESET_ERROR"

by
JockVSJock
from LinuxQuestions.org on (#5R75W)
Not sure where to post this so I'll start here and I've been working on this for the last few days and not able to figure out where the issue lies.

I'm trying to enable SSL for a Nexus Container (v3.30.0) that lives on a RHEL 8 server.

Once enabling the cert and trying to get to the Nexus website from Firefox, I continue to get the following error: PR_CONNECT_RESET_ERROR

I've tried basic troubleshooting, like clearing tmp and cache from Firefox, along with checking whether there are any proxy servers or firewalls between the RHEL8 workstation and the server where the container is hosted, and there aren't.

This is my process:

1. From the container, since Nexus is a Java-based app, I'm using keytool to create a .jks file. From there I use the following command to validate it:

Code:
keytool -list -v -keystore name_of_cert_here.jks

Comes back okay.

2. From there, I generate a .pem file with the following command:

Code:
keytool -certreq -alias foo -file foo.pem -keystore name_of_cert_here.jks -ext 'SAN=DNS:xxxxxx,DNS:xxxxxxx,DNS:xxxxxxxxxx'

3. I don't have a solid command to confirm the .pem, so I use the cat command and confirm there is output.

4. We are self-signing the cert, so the .pem and .jks go to a CA that lives on a Windows Domain Controller, but is still on the same network. From there, the operator creates a root cert, intermediate cert and server cert (all .cer files).

5. Once that is complete, I import the .cer files back into the container and confirm the .pem and .jks are owned by nexus:nexus with octal permissions of 644. The .cer files are owned by root:root with octal permissions of 640. Right now I'm storing them under /opt/sonatype/nexus. Is this the correct place to put them (or should it be /etc/ssl)?

6. I import the .cer files into the keystore in the following order: root, intermediate and server cert. I validate each one as I go along with the keytool command.

7. I make a few other changes to config files based on the best practices that Nexus recommends:

https://help.sonatype.com/repomanage...onfiguring-ssl

https://support.sonatype.com/hc/en-u...tificate-Guide

8. Once done, I restart the container. I can only reach the web UI via HTTP from a Firefox browser. If I try HTTPS, that is when I get the "PR_CONNECT_RESET_ERROR."

We don't have any DNS servers or DNS enabled, so we are only going off of the /etc/hosts list. I did try to use the server's name in the DNS when creating the DNS entries. Is this not a good practice? Can I use IP addresses only? I tried to use the IP address and the port number and it wasn't accepted.

I'm also able to use the curl -v command against the IP address over HTTP and get a response, but no results when trying HTTPS.

If anyone has any advice or other things I can do to test, please let me know.

Thanks
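A browser collapses several distinct network outcomes into one message, and "connection reset" in particular is worth separating from "refused", "plain HTTP on the HTTPS port" and "TLS spoken but the chain was rejected", because each points at a different layer (port publishing, connector configuration, keystore contents). The probe below is an added diagnostic example for the situation described in the post; it is not code from the LinuxQuestions post or from Sonatype. The host, port and CA file arguments are placeholders, and the misbehaving localhost servers in the demo are constructed stand-ins so the script runs offline.

```python
"""Classify how a TLS connection to host:port fails, rather than trusting the
single error string a browser shows.

Added diagnostic example, not from the LinuxQuestions post or from Sonatype.
Host/port/CA-file values and the misbehaving localhost servers used in the
demo are constructed for illustration.
"""
import errno
import socket
import ssl
import struct
import threading

# OpenSSL error names seen when the peer answers a ClientHello with non-TLS bytes
NOT_TLS_MARKERS = ("WRONG_VERSION_NUMBER", "PACKET_LENGTH_TOO_LONG", "HTTP")


def probe_tls(host, port, cafile=None, timeout=3.0):
    """Attempt a TLS handshake to host:port and return one of:

    refused           nothing listens there (wrong port, or container port not published)
    timeout           SYN or handshake never answered (drop rule, hung listener)
    reset             TCP accepted, then RST before/during the handshake; a published
                      Docker port with no process bound inside the container commonly
                      looks like this from the client side
    closed            peer closed cleanly (FIN) mid-handshake
    not_tls           peer answered with a non-TLS record, e.g. an HTTP-only connector
    handshake_failed  TLS is spoken but negotiation/verification failed
                      (untrusted chain, hostname or SAN mismatch, ...)
    tls_ok            handshake completed (chain verified when cafile is given)
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # No CA supplied: only ask "is TLS spoken here at all?", skip trust checks.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    with raw:
        try:
            # wrap_socket runs the handshake immediately on a connected socket
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls_ok"
        except ssl.SSLCertVerificationError:
            return "handshake_failed"
        except ssl.SSLEOFError:
            return "closed"
        except ssl.SSLError as exc:
            text = str(exc).upper()
            if any(marker in text for marker in NOT_TLS_MARKERS):
                return "not_tls"
            return "closed" if "EOF" in text else "handshake_failed"
        except ConnectionResetError:
            return "reset"
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            if exc.errno in (errno.ECONNRESET, errno.EPIPE):
                return "reset"
            raise


def free_port():
    """Reserve and release a loopback port so that nothing is listening on it."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def misbehaving_server(behaviour):
    """Constructed loopback listener standing in for a broken endpoint (demo only).

    "rst":        accept, then close with SO_LINGER=0 so the kernel sends RST, not
                  FIN; the client sees 'connection reset by peer'
    "plain_http": accept, swallow the ClientHello, answer HTTP/1.1 400 the way an
                  HTTP-only connector would
    Serves one connection on a daemon thread and returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with srv:
            conn, _ = srv.accept()
            with conn:  # close() at block exit emits RST when linger is zero
                if behaviour == "rst":
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))
                elif behaviour == "plain_http":
                    conn.settimeout(3.0)
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("refused   :", probe_tls("127.0.0.1", free_port()))
    print("rst       :", probe_tls("127.0.0.1", misbehaving_server("rst")))
    print("plain_http:", probe_tls("127.0.0.1", misbehaving_server("plain_http")))
    # Real use (hypothetical host and CA file):
    # probe_tls("nexus.example.internal", 8443, cafile="root.cer")
```

Run it against the real Nexus host twice: once without `cafile` to learn whether TLS is spoken on the port at all, then with the in-house root certificate to check that the chain imported into the keystore is the one actually being served. A "reset" or "refused" result means the problem is below TLS (port publishing, listener, connector) and no amount of keystore work will change it; "not_tls" means the HTTP connector is still on that port; only "handshake_failed" points at the certificate chain or SAN entries.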