nexus-public

Connection refused to external repos

Open haraldk123 opened this issue 1 year ago • 5 comments

What problem are you trying to solve?

Our developers complain that they often cannot download new packages from a proxy repository (mostly Maven and NPM). A 404 Not Found is shown.

While analyzing it, I'm facing a connection problem to the external repos. As it seems, all my proxy repos have problems (Maven, NPM, Nuget). The connection problem is not persistent - sometimes it can connect, the next minute (or second) not.

I will explain my problem for Maven:

  • I can always connect to https://repo1.maven.org from the server
      ◦ For testing, I tried a loop with openssl and with a Java program that runs with the Java that Nexus is started with.
  • To test the connection from the Nexus OSS I try to connect with the "View certificate" button - here the struggle begins
      ◦ Sometimes an error is thrown: Could not retrieve an SSL certificate from 'repo1.maven.org:443'
      ◦ Sometimes the certificate is shown

What I see when the certificate shows up:

  • I see the connection in our firewall to repo1.maven.org (199.232.16.209)
  • nexus.log:
    2023-11-09 10:55:07,920+0100 INFO [qtp1527975045-1539] username org.sonatype.nexus.ssl.CertificateRetriever - Retrieving certificate from https://repo1.maven.org:443
  • Local Linux Firewall:
    Nov 9 10:55:07 servername kernel: OUTPUT IN= OUT=ens192 SRC=192.168.X.X DST=199.232.16.209 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37642 DF PROTO=TCP SPT=53222 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

What I see when the certificate does NOT show up (with the error from above):

  • There is no connection in our firewall
  • nexus.log:
    2023-11-09 10:55:25,903+0100 INFO [qtp1527975045-1454] username org.sonatype.nexus.ssl.CertificateRetriever - Retrieving certificate from https://repo1.maven.org:443
    2023-11-09 10:55:25,906+0100 WARN [qtp1527975045-1454] username org.sonatype.nexus.ssl.CertificateRetriever - Connect to repo1.maven.org:443 [repo1.maven.org/0.0.0.0] failed: Verbindungsaufbau abgelehnt (Connection refused)
    2023-11-09 10:55:25,907+0100 ERROR [qtp1527975045-1454] username org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: ssl_Certificate.retrieveFromHost, java-method: com.sonatype.nexus.ssl.plugin.internal.ui.CertificateComponent.retrieveFromHost
    java.io.IOException: Could not retrieve an SSL certificate from 'repo1.maven.org:443'
  • Local Linux Firewall:
    Nov 9 10:55:25 servername kernel: OUTPUT IN= OUT=lo SRC=192.168.X.X DST=192.168.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37217 DF PROTO=TCP SPT=49096 DPT=443 WINDOW=65495 RES=0x00 SYN URGP=0

  • As you can see, at 10:55:07 the connection worked and 18 seconds later it did not.
  • I also cannot explain the log entry repo1.maven.org/0.0.0.0 - is Nexus not able to resolve repo1.maven.org correctly?
  • The local Linux firewall shows me that the server opens a connection to itself on 443/tcp and not to repo1.maven.org

At this point I'm stuck on what is going on. I believe all the environment outside Nexus is working correctly. Any help or tip is appreciated.

Do you have a workaround you are using at present?

No

What feature or behavior is this required for?

--

How could we solve this issue? (Not knowing is okay!)

--

Tell us about your Nexus Repository deployment: what version, operating system, and database are you using?

version 3.62.0-01
edition OSS
buildRevision c74435692fb4be328a3928a61f56bb711896fa02
buildTimestamp 2023-10-28-0055-11124

java.runtime.name OpenJDK Runtime Environment
java.runtime.version 1.8.0_392-b08
java.specification.maintenance.version 5

RHEL 9.3, all available updates installed

Anything else?

--

haraldk123, Nov 09 '23 10:11

@haraldk123 What is your DNS on the server reporting for that hostname?

I have https://gist.github.com/cstamas/7af8f85559aabc33babe8b7d8a9732b7

Also, did you try changing hostname, to something like https://repo.maven.apache.org/ or alike?

cstamas, Nov 09 '23 13:11

@cstamas DNS looks good, "dig repo1.maven.org" shows this:

;; QUESTION SECTION:
;repo1.maven.org. IN A

;; ANSWER SECTION:
repo1.maven.org. 15393 IN CNAME dualstack.sonatype.map.fastly.net.
dualstack.sonatype.map.fastly.net. 1 IN A 199.232.16.209

Yes, I tried https://repo.maven.apache.org/ and I'm facing the same problem with the NPM Repo registry.npmjs.org:

org.sonatype.nexus.ssl.CertificateRetriever - Connect to registry.npmjs.org:443 [registry.npmjs.org/0.0.0.0] failed: Verbindungsaufbau abgelehnt (Connection refused)

haraldk123, Nov 09 '23 13:11
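A check for the symptom reported in the issue and in the reply above, as an added example that is not part of the thread or of Nexus itself: it scans nexus.log lines for failed connects whose resolved address (the part after the slash in `[host/addr]`) is unspecified, loopback or private, which an external repository host should never resolve to. The function names are hypothetical, and the last two sample lines are constructed.

```python
import ipaddress
import re

# Failure text in the form seen in the nexus.log lines quoted in this thread:
#   Connect to <host>:<port> [<host>/<addr>, ...] failed: <reason>
CONNECT_RE = re.compile(r"Connect to ([^\s:]+):(\d+) \[([^\]]*)\] failed")

def classify(addr):
    """Return why addr is implausible for an external repository, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # not an IP literal; nothing to judge
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return None

def suspicious_resolutions(lines):
    """Return (timestamp, host, addr, reason) for each failed connect to an odd address."""
    findings = []
    for line in lines:
        match = CONNECT_RE.search(line)
        if not match:
            continue
        timestamp = " ".join(line.split()[:2])  # date and time fields of the log line
        host = match.group(1)
        for entry in match.group(3).split(","):  # the bracket may list several addresses
            addr = entry.strip().rpartition("/")[2]
            reason = classify(addr)
            if reason:
                findings.append((timestamp, host, addr, reason))
    return findings

# First two lines are quoted from the issue; the last two are constructed samples.
SAMPLE_LOG = [
    "2023-11-09 10:55:07,920+0100 INFO [qtp1527975045-1539] username org.sonatype.nexus.ssl.CertificateRetriever - Retrieving certificate from https://repo1.maven.org:443",
    "2023-11-09 10:55:25,906+0100 WARN [qtp1527975045-1454] username org.sonatype.nexus.ssl.CertificateRetriever - Connect to repo1.maven.org:443 [repo1.maven.org/0.0.0.0] failed: Verbindungsaufbau abgelehnt (Connection refused)",
    "2023-11-09 10:56:02,114+0100 WARN [qtp1527975045-1460] username org.sonatype.nexus.ssl.CertificateRetriever - Connect to registry.npmjs.org:443 [registry.npmjs.org/0.0.0.0] failed: Verbindungsaufbau abgelehnt (Connection refused)",
    "2023-11-09 10:57:40,031+0100 WARN [qtp1527975045-1461] username org.sonatype.nexus.ssl.CertificateRetriever - Connect to repo1.maven.org:443 [repo1.maven.org/199.232.16.209] failed: connect timed out",
]

if __name__ == "__main__":
    for finding in suspicious_resolutions(SAMPLE_LOG):
        print(*finding)
```

A failure against the public address (the last sample line) is left unflagged, which separates a network-path problem from a name-resolution problem inside the JVM or the host's resolver configuration.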

Hi @haraldk123 - by chance are you trying to run on RHEL with FIPS mode enabled? There is a known issue that prevents Nexus Repository from operating on a FIPS mode enabled RHEL instance.

nblair, Nov 09 '23 15:11

@nblair The server is not in FIPS mode:

fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.

sysctl crypto.fips_enabled
crypto.fips_enabled = 0

Sadly I cannot tell exactly when the problems started. The server and Nexus have been running for years now; the last change was a LEAPP migration from RHEL7 to RHEL8 and then to RHEL9 and the Nexus OSS updates.

Maybe I need to reinstall and start from scratch...

haraldk123, Nov 09 '23 15:11

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot], Jan 23 '24 01:01

This issue was closed because it has been inactive for 90 days since being marked as stale.

github-actions[bot], Apr 23 '24 01:04