Perfection

Guestbook

Il semble que la perfection soit atteinte non quand il n’y a plus rien à ajouter, mais quand il n’y a plus rien à retrancher.

1
- Antoine de saint Exupery

It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove.

Setup Docker Private Registry in Nexus Repository OSS 3.x.x

Guestbook

Make sure Nexus Repository has been setup with Self Signed certificate, certificate for host/server e.g. “silencer.bigpond”.

The following instructions have been successfully tested in Nexus version 3.2.0-01.

Create Docker Hub repository in Nexus

Docker Hub repository

Create Docker Internal repository in Nexus

Docker Internal repository

Create Docker Group repository in Nexus

Docker Group repository

Run Docker with Docker Native

Add Docker Private Registry in Insecure Registries

Docker Native Insecure registries

Now this approach supports docker pull and docker push.

Work around with “x509: certificate signed by unknown authority“ error by adding “–disable-content-trust” option on docker push command line if Docker doesn’t accept Self-Signed certificate.

Add Docker Private Registry server’s certificate into Docker Virtual Machine CA list

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
𝜆 keytool -printcert -rfc -sslserver silencer.bigpond:8444 > silencer.bigpond.pem
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIEAqo9kTANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJBVTEUMBIGA1UE
CBMLVW5zcGVjaWZpZWQxFDASBgNVBAcTC1Vuc3BlY2lmaWVkMREwDwYDVQQKEwhTb25hdHlwZTES
MBAGA1UEAwwJKi5iaWdwb25kMB4XDTE2MDYxMjExMzY1M1oXDTMwMDIxOTExMzY1M1owYDELMAkG
A1UEBhMCQVUxFDASBgNVBAgTC1Vuc3BlY2lmaWVkMRQwEgYDVQQHEwtVbnNwZWNpZmllZDERMA8G
A1UEChMIU29uYXR5cGUxEjAQBgNVBAMMCSouYmlncG9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAJNO5mDpBDQQ8n4t0P2z8ChWzIFQ3Pf+5U8x6P17O3WtKTfsbuRYobHYmas5tVdV
dnLIqpb4JV9DWIoS+CNG6cRLy3GIWWT7CbjsrpDlOTArslvk3KuzQ0dsZNflRfdd+ughI2LczehE
fhzPJzA+ZU8Am1CadM+VUa+T6MilFQMXpWfjND6BNnV+qr/MX1QQfSjiWt7oWBex0BB0VPv9ooBZ
UqO+8jk5fUY8wEIa/kqLUqIKGxIUx9BMQBwBJwDKZmK93DXSPvAFYbKQjj6/nbV9R1VWmR7fhkLG
+Ixlx5ld2dxv4+xvXmS8s4NanBtKZWUfEYVPp7gUF9HZoW9A1jcCAwEAAaNSMFAwDAYDVR0TBAUw
AwEB/zAhBgNVHREEGjAYghBzaWxlbmNlci5iaWdwb25khwQKAAAJMB0GA1UdDgQWBBQV3WTuC+GI
8lHtH0uL+kYqTG+vczANBgkqhkiG9w0BAQsFAAOCAQEAUwL+qnKVT0ENZEZnDjB+cjPfvkeWOD05
PrGUOn4YB4vllq2S6Cgfm0OaZ+vMt3KMXPf9pIgZ797jdPhOP/s5IVJItldky+u/Hk9gNtUwEjpg
l0MjhSm/PqxR5XoJdkYlvUdtq+PTrU5RU3v3GImeOmlI4mM5PaZ6OT8HC5VMX5s9RawBr/5EbJHR
M7EN8r3g4Y/2109YoHoiWAhnN6TC3RhmCoQqGOiPsS732KHUz3KqXVbq9VTRdA3dXqFj1cUSet1T
XTPisaiehffvbqYm2vrJ5WYgqCwb8TadDg66TToj080qvA8cXAF7qlA8pOImrbVOs7tdANSAs+AO
cqCkiA==
-----END CERTIFICATE-----
1
𝜆 screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty

Inside Docker Virtual Machine, follow these steps:

1
2
3
$ sudo cat silencer.bigpond.pem >> /etc/ssl/certs/ca-certificates.crt
$ sudo /etc/init.d/docker restart
$ tail -f /var/lib/boot2docker/docker.log

With Docker Toolbox

Add Docker Private Registry server’s certificate into Docker Virtual Machine CA list

1
2
𝜆 keytool -printcert -rfc -sslserver silencer.bigpond:8444 > silencer.bigpond.pem
𝜆 docker-machine ssh default

Inside Docker Virtual Machine, follow these steps:

1
2
3
$ sudo cat silencer.bigpond.pem >> /etc/ssl/certs/ca-certificates.crt
$ sudo /etc/init.d/docker restart
$ tail -f /var/lib/boot2docker/docker.log

Press Ctrl + D and Ctrl + D to exist SCREEN program. Type “screen -r” to re-entry SCREEN program.

Additional Certificates

Download 3rd party Repository server’s certificate. Use tool like KeyStore Explorer to add 3rd party server certificates into existing keystore.jks. Due to a certificate chain that does not exist within the existing Java truststore, Java does not trust the certificate and fails to connect to the application.

Test

1
2
3
4
𝜆 docker login silencer.bigpond:18443
Username: admin
Password: admin123
Login Succeeded
1
2
𝜆 docker search silencer.bigpond:18443/tomcat
𝜆 docker pull silencer.bigpond:18443/jtech/tomcat:latest
1
2
3
4
𝜆 docker login silencer.bigpond:18444
Username: admin
Password: admin123
Login Succeeded
1
2
3
𝜆 docker build -t jtech/camel-spring:latest .
𝜆 docker tag jtech/camel-spring silencer.bigpond:18444/jtech/camel-spring:latest
𝜆 docker push silencer.bigpond:18444/jtech/camel-spring:latest
1
𝜆 docker push --disable-content-trust silencer.bigpond:18444/jtech/camel-spring:latest

Note

  • Due to Docker Virtual Machine is immutable, the CA certificate added change made inside VM is ephemeral, and lost after VM is restarted
  • Docker Private Registry ONLY supports HTTPS, NOT HTTP
  • Nexus repository MUST register and use server certificate for host e.g. “silencer.bigpond”, NOT “localhost.bigpond” to run Docker Private Registry
  • Try with “–disable-content-trust” if error like “Get https://silencer.gateway:18444/v1/_ping: x509: certificate signed by unknown authority”

Reference

Setup HTTPS access in Nexus Repository Manager OSS 3.x.x

Guestbook

Generate Self Signed certificate

On a Mac at home, with Bigpond internet access. Full host name is silencer.bigpond and IP Address is 10.0.0.9.

1
2
terrence@Silencer /Applications/nexus-3.0.0-03/etc/ssl
00:13:05 𝜆 keytool -genkeypair -keystore keystore.jks -storepass changeit -keypass changeit -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=*.bigpond, O=Sonatype, L=Unspecified, ST=Unspecified, C=AU" -ext "SAN=DNS:silencer.bigpond,IP:10.0.0.9" -ext "BC=ca:true"

OR run “nslookup 127.0.0.1” return full domain hostname e.g. “localhost.bigpond”.

1
2
terrence@Silencer /Applications/nexus-3.0.0-03/etc/ssl
00:13:05 𝜆 keytool -genkeypair -keystore keystore.jks -storepass changeit -keypass changeit -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=*.bigpond, O=Sonatype, L=Unspecified, ST=Unspecified, C=AU" -ext "SAN=DNS:localhost.bigpond,IP:127.0.0.1" -ext "BC=ca:true"

Now, with latest Nexus (version 3.2.0-01) you can use self-signed server certificate without specifying IP address.

1
2
terrence@Silencer /usr/local/nexus-3.2.0-01/etc/ssl
00:13:05 𝜆 keytool -genkeypair -keystore keystore.jks -storepass changeit -keypass changeit -alias jetty -keyalg RSA -keysize 2048 -validity 5000 -dname "CN=*.gateway, O=Sonatype, L=Unspecified, ST=Unspecified, C=AU" -ext "SAN=DNS:silencer.gateway" -ext "BC=ca:true"

Enable HTTPS access

Change jetty-https.xml file:

1
2
3
4
5
6
7
8
9
10
11
12
terrence@Silencer /Applications/nexus-3.0.0-03/etc
00:18:59 𝜆 diff jetty-https.xml jetty-https.xml.orig
25,26c25,26
<     <Set name="KeyStorePassword">changeit</Set>
<     <Set name="KeyManagerPassword">changeit</Set>
---
>     <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
>     <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
28c28
<     <Set name="TrustStorePassword">changeit</Set>
---
>     <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>

Add SSL port and include jetty-https.xml in file:

1
2
3
4
5
6
7
8
terrence@Silencer /Applications/nexus-3.0.0-03/etc
00:19:06 𝜆 diff org.sonatype.nexus.cfg org.sonatype.nexus.cfg.orig
3d2
< application-port-ssl=8444
5c4
< nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-https.xml,${karaf.etc}/jetty-http-redirect-to-https.xml,${karaf.etc}/jetty-requestlog.xml
---
> nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml

Retrieve server’s certificate

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
𝜆 keytool -printcert -rfc -sslserver silencer.bigpond:8444 > silencer.bigpond.pem
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIEAqo9kTANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJBVTEUMBIGA1UE
CBMLVW5zcGVjaWZpZWQxFDASBgNVBAcTC1Vuc3BlY2lmaWVkMREwDwYDVQQKEwhTb25hdHlwZTES
MBAGA1UEAwwJKi5iaWdwb25kMB4XDTE2MDYxMjExMzY1M1oXDTMwMDIxOTExMzY1M1owYDELMAkG
A1UEBhMCQVUxFDASBgNVBAgTC1Vuc3BlY2lmaWVkMRQwEgYDVQQHEwtVbnNwZWNpZmllZDERMA8G
A1UEChMIU29uYXR5cGUxEjAQBgNVBAMMCSouYmlncG9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAJNO5mDpBDQQ8n4t0P2z8ChWzIFQ3Pf+5U8x6P17O3WtKTfsbuRYobHYmas5tVdV
dnLIqpb4JV9DWIoS+CNG6cRLy3GIWWT7CbjsrpDlOTArslvk3KuzQ0dsZNflRfdd+ughI2LczehE
fhzPJzA+ZU8Am1CadM+VUa+T6MilFQMXpWfjND6BNnV+qr/MX1QQfSjiWt7oWBex0BB0VPv9ooBZ
UqO+8jk5fUY8wEIa/kqLUqIKGxIUx9BMQBwBJwDKZmK93DXSPvAFYbKQjj6/nbV9R1VWmR7fhkLG
+Ixlx5ld2dxv4+xvXmS8s4NanBtKZWUfEYVPp7gUF9HZoW9A1jcCAwEAAaNSMFAwDAYDVR0TBAUw
AwEB/zAhBgNVHREEGjAYghBzaWxlbmNlci5iaWdwb25khwQKAAAJMB0GA1UdDgQWBBQV3WTuC+GI
8lHtH0uL+kYqTG+vczANBgkqhkiG9w0BAQsFAAOCAQEAUwL+qnKVT0ENZEZnDjB+cjPfvkeWOD05
PrGUOn4YB4vllq2S6Cgfm0OaZ+vMt3KMXPf9pIgZ797jdPhOP/s5IVJItldky+u/Hk9gNtUwEjpg
l0MjhSm/PqxR5XoJdkYlvUdtq+PTrU5RU3v3GImeOmlI4mM5PaZ6OT8HC5VMX5s9RawBr/5EbJHR
M7EN8r3g4Y/2109YoHoiWAhnN6TC3RhmCoQqGOiPsS732KHUz3KqXVbq9VTRdA3dXqFj1cUSet1T
XTPisaiehffvbqYm2vrJ5WYgqCwb8TadDg66TToj080qvA8cXAF7qlA8pOImrbVOs7tdANSAs+AO
cqCkiA==
-----END CERTIFICATE-----

To get another Source Code Repository server’s certificate

1
𝜆 keytool -printcert -rfc -sslserver bitbucket.cd.paradise.org:443 > bitbucket.cd.paradise.org.pem

Test

Restart Nexus and access: https://localhost:8444

Note

  • Use utility tool “KeyStore Explorer” add additional CA certificates into keystore.jks file, especially when Gradle / Maven output error like:
1
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target