This repository was archived by the owner on Mar 14, 2023. It is now read-only.

Commit 3b210f8

author
Bernhard Grünewaldt
committed
cert creation outside
1 parent 6c7b0d0 commit 3b210f8

File tree

3 files changed

+52
-30
lines changed

README.md

Lines changed: 49 additions & 16 deletions
@@ -38,6 +38,40 @@ mkdir /opt/nexus-oss-home
3838
chown 10777:10777 /opt/nexus-oss-home
3939
```
4040

41+
**(3) Generate a self signed SSL Certificate for Nexus**
42+
43+
```
44+
NEXUS_DOMAIN="nexus.home.codeclou.io"
45+
NEXUS_IP_ADDRESS="192.168.178.66"
46+
47+
keytool -genkeypair -keystore keystore.jks \
48+
-storepass password \
49+
-keypass password \
50+
-alias jetty \
51+
-keyalg RSA \
52+
-keysize 2048 \
53+
-validity 5000 \
54+
-dname "CN=${NEXUS_DOMAIN}, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" \
55+
-ext "SAN=DNS:${NEXUS_DOMAIN},IP:${NEXUS_IP_ADDRESS}" \
56+
-ext "BC=ca:true"
57+
```
58+
59+
Now you should have a file called `keystore.jks`
60+
We need to convert it to BASE64 encoding so that we can inject it as ENV var into the docker container
61+
62+
```
63+
openssl base64 -in keystore.jks -out keystore.jks.base64
64+
```
65+
66+
**(4) Trust the certificate on all clients**
67+
68+
```
69+
keytool -list -rfc -keystore keystore.jks -storepass password
70+
```
71+
72+
Displays the certificate. Copy paste it to your clients and trust the certs.
73+
[See Docker Docs on SSL Trusting](https://docs.docker.com/registry/insecure/#docker-still-complains-about-the-certificate-when-using-authentication)
74+
4175
-----
4276

4377
 
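Review bot: the new step (3) documents `-storepass password` / `-keypass password` together with `-ext "BC=ca:true"`, so the keystore every client is told to trust is protected by a well-known password and its certificate carries a CA basic constraint, which means a client that trusts it also trusts anything later signed with that key. Suggest a non-default password (the entrypoint opens the same keystore, so it would need to be passed in next to the keystore) and dropping `-ext "BC=ca:true"` for what is a leaf server certificate. Also, `openssl base64 -in keystore.jks -out keystore.jks.base64` wraps its output at 64 columns; `openssl base64 -A -in keystore.jks -out keystore.jks.base64` produces a single line, which is what the later `NEXUS_KEYSTORE_JKS_BASE64=$(cat keystore.jks.base64)` step needs to survive as one environment value.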
@@ -47,34 +81,25 @@ chown 10777:10777 /opt/nexus-oss-home
4781
**(1) Create Nexus OSS Instance**
4882

4983
```bash
84+
NEXUS_DOMAIN="nexus.home.codeclou.io"
85+
NEXUS_IP_ADDRESS="192.168.178.66"
86+
NEXUS_KEYSTORE_JKS_BASE64=$(cat keystore.jks.base64)
87+
5088
docker create \
5189
--name nexus \
5290
-p 8443:8443 \
91+
-p 8444:8444 \
92+
-p 8445:8445 \
5393
-v /opt/nexus-oss-home:/nexus-home \
5494
-e NEXUS_DOMAIN="nexus.home.codeclou.io" \
5595
-e NEXUS_IP_ADDRESS="192.168.178.66" \
96+
-e NEXUS_KEYSTORE_JKS_BASE64=$NEXUS_KEYSTORE_JKS_BASE64 \
5697
codeclou/docker-sonatype-nexus-repository-oss:3.5.0-02
5798

5899
docker start nexus
59100
```
60101

61-
Now it will print out the created self signed certificate which you will have to trust on all clients.
62102

63-
```
64-
DOCKER ENTRYPOINT >> =================================
65-
DOCKER ENTRYPOINT >>
66-
DOCKER ENTRYPOINT >> PLEASE TRUST THIS CERTIFICATE WHERE DOCKER RUNS AND ON CLIENT MACHINES
67-
68-
-----BEGIN CERTIFICATE-----
69-
MIID3DCCAsSgAwIBAgIEUMxHVjANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
70-
...
71-
DlK8j8uOTohm/VxF3yd0CEWBOATh2iOHB2xL5LDphrQ=
72-
-----END CERTIFICATE-----
73-
74-
DOCKER ENTRYPOINT >>
75-
DOCKER ENTRYPOINT >> =================================
76-
DOCKER ENTRYPOINT >> you have 20sec to copy the cert and then nexus will start
77-
```
78103

79104
 
80105

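Review bot: `-e NEXUS_KEYSTORE_JKS_BASE64=$NEXUS_KEYSTORE_JKS_BASE64` is unquoted, and `NEXUS_KEYSTORE_JKS_BASE64=$(cat keystore.jks.base64)` keeps any line breaks the base64 file contains, so word splitting would turn the remaining lines into stray arguments and break `docker create`; quote it as `-e NEXUS_KEYSTORE_JKS_BASE64="$NEXUS_KEYSTORE_JKS_BASE64"`. The `NEXUS_DOMAIN` and `NEXUS_IP_ADDRESS` variables added at the top of the block are never used, because the `-e NEXUS_DOMAIN=` and `-e NEXUS_IP_ADDRESS=` lines still pass the literal `"nexus.home.codeclou.io"` and `"192.168.178.66"`; pass `"$NEXUS_DOMAIN"` and `"$NEXUS_IP_ADDRESS"` so the two places cannot drift apart. Note also that a value handed over with `-e` is readable through `docker inspect nexus` by anyone with access to the Docker socket, and this one contains the private key; mounting the keystore via the existing `-v /opt/nexus-oss-home:/nexus-home` bind mount would keep it out of the container metadata.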
@@ -84,6 +109,14 @@ Now go to **[https://nexus.home.codeclou.io:8443/](https://nexus.home.codeclou.i
84109

85110
Configure the Instance to your liking.
86111

112+
 
113+
114+
115+
**(3) Docker Registry**
116+
117+
The ports `8444` and `8445` can be used for docker registry Endpoints.
118+
119+
![](./doc/nexus-docker-registry-port.png)
87120

88121
-----
89122

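Review bot: the new "(3) Docker Registry" step says ports `8444` and `8445` "can be used" but leaves the actual connector setup to the screenshot, and the image has no alt text (`![]()`). Suggest a sentence stating which connector type (HTTP vs HTTPS) each port is meant to be created with in the repository settings, and a short alt text for the image, so the step is usable without the picture. Since both ports are now published with `-p` in the `docker create` block above, it is worth saying explicitly that only the HTTPS connector should be exposed.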
doc/nexus-docker-registry-port.png

399 KB

docker-entrypoint.sh

Lines changed: 3 additions & 14 deletions
@@ -21,26 +21,15 @@ echo "application-port-ssl=8443" >> /nexus/nexus-latest/etc/nexus-default.proper
2121
#
2222
# SSL (see doc: https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon)
2323
#
24-
keytool -genkeypair -keystore keystore.jks \
25-
-storepass password \
26-
-keypass password \
27-
-alias jetty \
28-
-keyalg RSA \
29-
-keysize 2048 \
30-
-validity 5000 \
31-
-dname "CN=${NEXUS_DOMAIN}, OU=Example, O=Sonatype, L=Unspecified, ST=Unspecified, C=US" \
32-
-ext "SAN=DNS:${NEXUS_DOMAIN},IP:${NEXUS_IP_ADDRESS}" \
33-
-ext "BC=ca:true"
34-
mv keystore.jks /nexus/nexus-latest/etc/ssl/
24+
echo $NEXUS_KEYSTORE_JKS_BASE64 | base64 --decode > /nexus/nexus-latest/etc/ssl/keystore.jks
25+
keytool -list -rfc -keystore keystore.jks -storepass password
3526

3627
echo "DOCKER ENTRYPOINT >> ================================="
3728
echo "DOCKER ENTRYPOINT >> "
38-
echo "DOCKER ENTRYPOINT >> PLEASE TRUST THIS CERTIFICATE WHERE DOCKER RUNS AND ON CLIENT MACHINES"
29+
echo "DOCKER ENTRYPOINT >> LIST CERTIFICATE - IF THERE ARE NO ERRORS ALL IS FINE"
3930
keytool -list -rfc -keystore /nexus/nexus-latest/etc/ssl/keystore.jks -storepass password
4031
echo "DOCKER ENTRYPOINT >> "
4132
echo "DOCKER ENTRYPOINT >> ================================="
42-
echo "DOCKER ENTRYPOINT >> you have 20sec to copy the cert and then nexus will start"
43-
sleep 20
4433

4534

4635

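Review bot: `echo $NEXUS_KEYSTORE_JKS_BASE64 | base64 --decode > /nexus/nexus-latest/etc/ssl/keystore.jks` has no check that the variable is set, so a missing or empty value silently writes an empty keystore and the script carries on; add `[ -n "$NEXUS_KEYSTORE_JKS_BASE64" ] || { echo "DOCKER ENTRYPOINT >> NEXUS_KEYSTORE_JKS_BASE64 is not set"; exit 1; }` before it, quote the variable (`echo "$NEXUS_KEYSTORE_JKS_BASE64"`), and either check the exit status of `base64 --decode` or run the script under `set -e`. The added `keytool -list -rfc -keystore keystore.jks -storepass password` on the next line points at `keystore.jks` in the current directory rather than the file just written to `/nexus/nexus-latest/etc/ssl/`, and the same listing is already done with the full path a few lines below under the new "LIST CERTIFICATE" banner; drop the first call. The keystore password is still the literal `password`, so the hardening the README change invites is only half done unless it is passed in alongside the keystore.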