
Accessing Git and Nexus with custom SSL certificates

Again and again I work for companies that use self-crafted certificates. In 2020 there is no excuse not to use a valid certificate: Let's Encrypt now offers free certificates, see https://certbot.eff.org/
Here are some ways to fix this for Git, Nexus, Maven and Java.
Git
Bad solution
The bad solution is to disable SSL certificate checks altogether (from a security standpoint this is very bad):
git config --global http.sslVerify false
Best option
The best option is to add the self-signed certificate to your certificate store. To do that, you need to obtain the server certificate tree using Chrome or Firefox.
1. Navigate to the server address. Click on the padlock icon and view the certificates. Export the whole certificate chain as base64-encoded (PEM) files.
2. Add the certificates to the trust chain of your Git trust config file. In Git Bash on the machine running the job, run the following:
git config --list
and find the http.sslcainfo setting; it shows where the certificate trust file is located.
3. Copy all the certificates into the trust chain file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Make sure you also add the root certificate of the chain to the certificates file.
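Step 3 is easy to get wrong by hand (a lost marker line, or the same certificate pasted twice), so here is an added example, not part of the original post, that merges exported PEM text into the bundle text and returns the SHA-256 fingerprints it added, which you can compare with the fingerprints shown in the browser's certificate viewer. It assumes Python 3; the function names are hypothetical, and it checks only the PEM framing, not the X.509 content or the chain itself.

```python
import base64
import hashlib
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def to_pem(der):
    """Encode DER bytes as one PEM block with 64-column base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def pem_blocks(text):
    """Map SHA-256 fingerprint (hex, of the DER bytes) -> normalized PEM block."""
    if text.count(BEGIN) != text.count(END):
        raise ValueError("unbalanced BEGIN/END markers: truncated copy and paste?")
    blocks = {}
    for match in BLOCK_RE.finditer(text):
        # validate=True rejects stray characters, e.g. a marker swallowed into the body
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        blocks[hashlib.sha256(der).hexdigest()] = to_pem(der)
    return blocks


def merge_into_bundle(bundle_text, exported_text):
    """Return (new bundle text, fingerprints added); certificates already present are skipped."""
    known = pem_blocks(bundle_text)
    exported = pem_blocks(exported_text)
    if not exported:
        raise ValueError("no certificate found in the exported text")
    added = [fp for fp in exported if fp not in known]
    if not added:
        return bundle_text, []
    merged = bundle_text.rstrip("\n") + "\n" + "".join(exported[fp] for fp in added)
    return merged.lstrip("\n"), added


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for DER certificates (not real X.509).
    root, server = b"constructed-root-ca" * 8, b"constructed-server-cert" * 8
    bundle = "# existing bundle entry\n" + to_pem(root)
    bundle, added = merge_into_bundle(bundle, to_pem(server) + to_pem(root))
    print("added:", added)
```

To use it on real files, read the file named by http.sslcainfo and the exported PEM files as text, pass them to merge_into_bundle, and write the returned text back after checking the fingerprints.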
Nexus
Bad option
You can also tell Apache Maven to accept the certificate even though it isn't signed by a trusted authority. Invoke Maven with MAVEN_OPTS containing
-Dmaven.wagon.http.ssl.insecure=true
If the host name configured in the certificate doesn't match the host name Nexus is running on, you may also need to add to MAVEN_OPTS
-Dmaven.wagon.http.ssl.allowall=true
Best option
Install a real certificate in Nexus, or import the faulty certificate into your JDK cacerts keystore by running
${JAVA_HOME}/bin/keytool -importcert -file waltercedric.pem -alias www.waltercedric.com -storepass changeit -keystore ${JAVA_HOME}/jre/lib/security/cacerts