Fixing the nexus3 login error "x509: certificate has expired or is not yet valid"

In an earlier post, "Using nexus3 as a Docker image registry", I described how to run nexus3 as a container image registry. The certificates generated there were given a limited validity period. Once the certificate expires, logging in with podman or docker fails with a message like the following:

x509: certificate has expired or is not yet valid: current time 2023-09-12T09:47:03+08:00 is after XXXX-XX-XXTXX:XX:XXX

So what do you do when the certificate has expired?

1. Regenerate the certificates and update the system trust store

Save the following script to a file, change the IP to your own, and run it:

# Stop at the first failing command
set -e
# All work is done in a subdirectory
mkdir -p output
cd output
MYIP=192.168.1.8
# Create the extension file: the subjectAltName must carry the registry IP, or clients reject the certificate
echo subjectAltName=IP:${MYIP} > extfile.cnf
# Generate the CA certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt
# To skip the interactive prompts for country, city, organisation and so on, add the option: -subj "/CN=*"
# Generate the server certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=${MYIP}" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 365
# Export the certificate in PKCS#12 format
# You will be prompted for a password: enter "password". If you use a different one, you must change the matching password in ${jetty.etc}/jetty-https.xml inside the image
openssl pkcs12 -export -out keystore.pkcs12 -inkey server.key -in server.crt
# Copy the files we need to the parent directory, overwriting the expired ones
cp -f keystore.pkcs12 ..
cp -f ca.crt ../nexus3.crt
# Copy ca.crt into the system trust store, replacing the expired CA
sudo cp -f ca.crt /usr/local/share/ca-certificates/nexus3.crt
# Update the trust store
sudo update-ca-certificates
cd ..
rm -rf output

2. Copy the keystore into the container

Then copy keystore.pkcs12 into the running nexus3 container:

sudo podman cp keystore.pkcs12 nexus3:/

3. Update the keystore inside the container

Open a shell in the nexus3 container as root:

sudo podman exec -it --user root nexus3 /bin/bash

Run the following command inside the nexus3 container (cp -f is needed because an older keystore.jks already exists in that directory and must be replaced):

keytool -v -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -storepass password -srcstorepass password && cp -f keystore.jks /opt/sonatype/nexus/etc/ssl/

If you get the following error:

keytool error: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:819)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2027)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2054)
        at sun.security.tools.keytool.Main.doCommands(Main.java:1073)
        at sun.security.tools.keytool.Main.run(Main.java:370)
        at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:320)
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
        at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:815)

it comes from an older keytool that cannot parse the encryption parameters of the PKCS#12 file that newer OpenSSL versions produce; updating the packages in the container fixes it:

yum update

then run the command again:

keytool -v -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -storepass password -srcstorepass password && cp -f keystore.jks /opt/sonatype/nexus/etc/ssl/

4. Restart the container

sudo podman restart nexus3

5. Test the connection

$ sudo podman login 192.168.1.18:5051
Authenticating with existing credentials for 192.168.1.18:5051
Existing credentials are invalid, please enter valid username and password
Username (podman): 
Password: 
Login Succeeded!
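As an added example (not part of the original post), a Python check of the certificate the registry now serves: it connects with the regenerated nexus3.crt as the trust anchor and reports whether the subjectAltName carries the registry IP and how many days of the 365-day validity window remain, so an approaching expiry is caught before podman login fails again. The host, port, CA path and the sample certificate dictionary are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns for a
# certificate made by the script above (CN and SAN carry the registry IP, validity 365 days).
SAMPLE_CERT = {
    "subject": ((("commonName", "192.168.1.8"),),),
    "subjectAltName": (("IP Address", "192.168.1.8"),),
    "notBefore": "Sep 12 00:00:00 2023 GMT",
    "notAfter": "Sep 11 00:00:00 2024 GMT",
}


def cert_status(cert: dict, registry_ip: str, now: datetime, warn_days: int = 30) -> dict:
    """Check the two things the regeneration script controls: the SAN must contain the
    registry IP (the client matches the IP it dialled against subjectAltName) and 'now'
    must lie inside the notBefore..notAfter window. Returns a flat report."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    san_ips = [value for kind, value in cert.get("subjectAltName", ()) if kind == "IP Address"]
    days_left = (not_after - now).days
    return {
        "ip_in_san": registry_ip in san_ips,
        "not_yet_valid": now < not_before,
        "expired": now > not_after,
        "days_left": days_left,
        "expiring_soon": 0 <= days_left < warn_days,
    }


def fetch_peer_cert(host: str, port: int, ca_file: str, timeout: float = 5.0) -> dict:
    """Open a TLS connection verified against the regenerated CA (nexus3.crt) and return
    the certificate the registry serves. Raises ssl.SSLCertVerificationError when the
    container still serves the old keystore, the same failure podman reports."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Assumed registry address and CA path; adjust to your own
    host, port, ca_file = "192.168.1.8", 5051, "nexus3.crt"
    try:
        report = cert_status(fetch_peer_cert(host, port, ca_file), host, datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as err:
        print(f"verification failed: {err}")
    else:
        for key, value in report.items():
            print(f"{key}: {value}")
```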

6. Using the certificate on Windows

Copy the nexus3.crt file generated above to the Windows machine, then right-click it and choose "Install Certificate":

[Figures 1-4: screenshots of the Windows certificate import wizard]

7. Using the certificate on Linux

Copy the nexus3.crt file generated above into the /usr/local/share/ca-certificates/ directory on the Linux machine, then update the trust store:

sudo update-ca-certificates
