Using Sonatype Nexus Repository Manager with HTTPS for Docker Private Registry

Companies that adopt Nexus Repository usually use it in one of two ways:

– As a store for the artifacts their continuous integration produces. These artifacts can be dependencies of backend or frontend projects, or container images.

– As a proxy in networks with restrictive firewalls: every project dependency is downloaded through Nexus, which gives the company a single point of control (and audit) over what comes in from the Internet.

In this article we configure a Nexus repository with an HTTPS certificate so that Docker images can be pushed to it and later pulled by the servers that will run them.

The HTTPS certificate matters especially for the Docker CLI. The Docker daemon refuses to talk to a registry over plain HTTP or with a certificate it cannot verify; the only way around that is to list the registry under insecure-registries in /etc/docker/daemon.json on every client, which disables the very check that protects those clients from a spoofed registry. A certificate they already trust avoids all of that.

A common objection to HTTPS certificates is their annual cost. Fortunately, Let's Encrypt issues valid certificates for free. They are valid for 90 days, so renewal has to be automated, and because Nexus reads a Java keystore rather than the renewed PEM files, that keystore must be regenerated after each renewal.

So, in this tutorial, we cover the Nexus setup from scratch:

  1. Java installation;
  2. Download, installation and configuration of Nexus;
  3. Installing Apache as a reverse proxy;
  4. Installing and configuring HTTPS certificates with Let's Encrypt;
  5. Configuring Nexus to use the HTTPS certificate;
  6. Creating the Docker repositories in Nexus;
  7. Installing Docker on a client and logging in to the registry.
  • Install OpenJDK 8 (Nexus 3.13 requires Java 8)
    ubuntu@server:/$ sudo apt-get install openjdk-8-jdk
    
    ubuntu@server:/$ java -version
    openjdk version "1.8.0_181"
    OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-0ubuntu0.18.04.1-b13)
    OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
    
  • Add a dedicated system user for the Nexus service, with no home directory and no login
    ubuntu@server:/$ sudo adduser --no-create-home --disabled-login --disabled-password nexus
    
  • Download Nexus Repository from Sonatype (compare the archive's checksum with the one Sonatype publishes on the download page before unpacking it)
    ubuntu@server:/$ cd /tmp
    ubuntu@server:/tmp$ wget https://sonatype-download.global.ssl.fastly.net/repository/repositoryManager/3/nexus-3.13.0-01-unix.tar.gz
    
  • Unpack Nexus (the file name is the one just downloaded)
    ubuntu@server:/tmp$ tar -xvzf nexus-3.13.0-01-unix.tar.gz
    
  • Move the Nexus installation and its sonatype-work data directory to /opt
    ubuntu@server:/tmp$ sudo mv nexus-3.13.0-01 /opt/
    ubuntu@server:/tmp$ sudo mv sonatype-work/ /opt/
    
  • Make the nexus user and group the owner of both directories
    ubuntu@server:/$ sudo chown -R nexus:nexus /opt/nexus-3.13.0-01/
    ubuntu@server:/$ sudo chown -R nexus:nexus /opt/sonatype-work/
    
  • Run the service as the nexus user instead of root. The start script reads run_as_user from bin/nexus.rc; set it there:
    ubuntu@server:/$ sudo vim /opt/nexus-3.13.0-01/bin/nexus.rc
    run_as_user="nexus"
    
  • Make sure the start script is executable
    ubuntu@server:/$ sudo chmod a+x /opt/nexus-3.13.0-01/bin/nexus
    
  • Install Apache2
    ubuntu@server:/$ sudo apt-get install apache2
    
  • Install certbot, the Let's Encrypt client, with its Apache plugin
    ubuntu@server:/$ sudo apt-get install software-properties-common
    ubuntu@server:/$ sudo add-apt-repository ppa:certbot/certbot
    ubuntu@server:/$ sudo apt-get update
    ubuntu@server:/$ sudo apt-get install python-certbot-apache
    
  • Enable the Apache modules for the reverse proxy. proxy and proxy_http do the proxying and headers lets the virtual host set request headers such as X-Forwarded-Proto; the AJP, balancer, CONNECT and proxy_html modules are not needed for a plain HTTP reverse proxy and stay disabled.
    ubuntu@server:/$ sudo a2enmod proxy proxy_http headers rewrite deflate
    ubuntu@server:/$ sudo systemctl restart apache2
    
  • Configure a virtual host for your Nexus domain in Apache2
    ubuntu@server:/$ sudo vim /etc/apache2/sites-available/[YOUR-HOST].conf
    <VirtualHost *:80>
        ServerName [YOUR-HOST]
        ServerAdmin [YOUR-EMAIL]
        ErrorLog ${APACHE_LOG_DIR}/[YOUR-HOST]-error.log
        CustomLog ${APACHE_LOG_DIR}/[YOUR-HOST]-access.log combined
        # Nexus URLs contain encoded slashes; pass them through undecoded
        AllowEncodedSlashes NoDecode
        # Reverse proxy only: never act as a forward proxy
        ProxyRequests Off
        # Nexus needs the original Host header and the client's scheme to build
        # correct URLs; REQUEST_SCHEME stays right when certbot clones this
        # virtual host into the :443 one
        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
        # Nexus listens on 8081 on this machine; proxy to localhost so the
        # plain-HTTP port never has to be reachable from outside
        ProxyPass / http://localhost:8081/ nocanon
        ProxyPassReverse / http://localhost:8081/
    </VirtualHost>
    
  • Enable the site and reload Apache2
    ubuntu@server:/$ sudo a2ensite [YOUR-HOST]
    ubuntu@server:/$ sudo systemctl reload apache2
    
  • Get a free HTTPS certificate for your host from Let's Encrypt. certbot validates the domain over port 80, creates a [YOUR-HOST]-le-ssl.conf virtual host on port 443 and offers to redirect HTTP to it; the key and chain end up in /etc/letsencrypt/live/[YOUR-HOST]/
    ubuntu@server:/$ sudo certbot --apache -d [YOUR-HOST]
    
  • Build a Java keystore (.jks) from the Let's Encrypt key and certificate chain. Jetty, the web server inside Nexus, reads a keystore, not PEM files. Use fullchain.pem (not cert.pem): without the intermediate CA in the keystore, Docker clients reject the registry with "x509: certificate signed by unknown authority". openssl asks for an export password and keytool asks for it again plus a destination keystore password; use the same password for all of them and keep it, it is needed for the Jetty configuration below.
    ubuntu@server:/$ sudo su
    root@server:/# cd /etc/letsencrypt/live/[YOUR-HOST]/
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
    
  • Move the keystore into the Nexus directory and restrict it to the nexus user: it contains the private key, and its password is only obfuscated, not encrypted, in the Jetty configuration. Remove the intermediate PKCS12 file afterwards.
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# mv keystore.jks /opt/nexus-3.13.0-01/etc/ssl/keystore.jks
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# rm keystore.pkcs12
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# chown nexus:nexus /opt/nexus-3.13.0-01/etc/ssl/keystore.jks
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# chmod 600 /opt/nexus-3.13.0-01/etc/ssl/keystore.jks
    root@server:/etc/letsencrypt/live/[YOUR-HOST]# exit
    
  • Obfuscate the keystore password for the Jetty configuration (the same password you typed for openssl and keytool). The Password utility prints OBF:, MD5: and CRYPT: forms; only the OBF: form can be used for keystore passwords, because Jetty must recover the clear text at start-up. OBF: is reversible obfuscation, not encryption, and the clear-text password also lands in your shell history when passed as an argument, so run history -c afterwards.
    ubuntu@server:/$ java -cp /opt/nexus-3.13.0-01/system/org/eclipse/jetty/jetty-util/9.4.11.v20180605/jetty-util-9.4.11.v20180605.jar org.eclipse.jetty.util.security.Password [YOUR-PASSWORD]
    
  • Put the OBF: value (prefix included) into the Nexus HTTPS configuration.
    ubuntu@server:/$ sudo vim /opt/nexus-3.13.0-01/etc/jetty/jetty-https.xml
    
    <Set name="KeyStorePath">/opt/nexus-3.13.0-01/etc/ssl/keystore.jks</Set>
    <Set name="KeyStorePassword">[YOUR-OBF-PASSWORD]</Set>
    <Set name="KeyManagerPassword">[YOUR-OBF-PASSWORD]</Set>
    <Set name="TrustStorePath">/opt/nexus-3.13.0-01/etc/ssl/keystore.jks</Set>
    <Set name="TrustStorePassword">[YOUR-OBF-PASSWORD]</Set>
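To see what the OBF: value in jetty-https.xml actually protects, here is an added example (not code from the article or from Jetty): a Python reimplementation of the obfuscation scheme used by org.eclipse.jetty.util.security.Password, with the decoder Jetty itself runs at start-up. Anyone who can read the configuration file can recover the keystore password the same way, which is why that file deserves the same permissions as the keystore. The passwords and the XML fragment in the tests are constructed.

```python
"""Jetty's OBF: passwords are obfuscated, not encrypted.

Added example, not code from the article or from Jetty: a Python
reimplementation of the OBF scheme used by
org.eclipse.jetty.util.security.Password, the tool run above. Whoever can
read jetty-https.xml can turn the OBF: value back into the keystore
password. The passwords used in the tests are constructed.
"""
import re

PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    """Lower-case base-36 digits, like Java's Integer.toString(n, 36)."""
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(DIGITS[r])
    return "".join(reversed(digits)) or "0"


def obfuscate(password: str) -> str:
    """Produce the OBF: form the Jetty Password utility prints."""
    data = password.encode("utf-8")
    n = len(data)
    chunks = [PREFIX]
    for i in range(n):
        b1, b2 = data[i], data[n - 1 - i]      # a byte and its mirror image
        if b1 >= 0x80 or b2 >= 0x80:
            # non-ASCII: both bytes stored verbatim, flagged with 'U'
            chunks.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2                 # sum of the pair
            i2 = 127 + b1 - b2                 # difference of the pair
            chunks.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Recover the clear text, exactly as Jetty does when it opens the keystore."""
    s = obf[len(PREFIX):] if obf.startswith(PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)   # high byte is the original
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)           # == b1, the mirror cancels out
            i += 4
    return out.decode("utf-8")


_SETTER = re.compile(r'<Set name="(\w*Password)">\s*(OBF:[0-9a-zU]*)\s*</Set>')


def keystore_passwords_from_jetty_xml(xml_text: str) -> dict:
    """What a reader of jetty-https.xml learns: every *Password setter, in clear text."""
    return {name: deobfuscate(value) for name, value in _SETTER.findall(xml_text)}
```

Run obfuscate("storepwd") and compare it with what the jetty-util Password tool prints for the same input; the two match chunk for chunk, and deobfuscate() takes the value straight back. Hardening here is file permissions (root or nexus only on etc/jetty) rather than a stronger OBF, which Jetty does not offer for keystore passwords.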
    
  • Configure the SSL port. nexus-default.properties is replaced on upgrade; the same lines placed in /opt/sonatype-work/nexus3/etc/nexus.properties survive upgrades.
    ubuntu@server:/$ sudo vim /opt/nexus-3.13.0-01/etc/nexus-default.properties
    
    application-port-ssl=8443
    
  • Add jetty-https.xml to the Jetty configuration list in the same file. Without it neither port 8443 nor the Docker HTTPS connectors configured below serve TLS.
    ubuntu@server:/$ sudo vim /opt/nexus-3.13.0-01/etc/nexus-default.properties
    
    nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
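The keystore built above is a snapshot: when certbot renews the certificate after 90 days, Jetty keeps serving the old one until the PKCS12-to-JKS conversion is repeated and Nexus restarted. The following certbot deploy hook automates that. It is an added example, not part of the article, of Nexus or of certbot; NEXUS_HOST, PASSWORD_FILE (a root-only file holding the clear-text keystore password that was obfuscated into jetty-https.xml) and the bin/nexus restart command are assumptions to adapt, while the Nexus path is the one used throughout.

```python
#!/usr/bin/env python3
"""certbot deploy hook that rebuilds the Nexus keystore after each renewal.

Added example, not part of the article, Nexus or certbot. When placed in
/etc/letsencrypt/renewal-hooks/deploy/, certbot runs this script after a
successful renewal with RENEWED_LINEAGE set to the renewed
/etc/letsencrypt/live/<host> directory. Values marked as assumptions
must be adapted to your installation.
"""
import os
import pathlib
import shutil
import subprocess
import sys
import tempfile

NEXUS_HOST = "repo.example.com"                             # assumption: your [YOUR-HOST]
NEXUS_HOME = pathlib.Path("/opt/nexus-3.13.0-01")           # path used in the article
KEYSTORE = NEXUS_HOME / "etc" / "ssl" / "keystore.jks"
PASSWORD_FILE = pathlib.Path("/root/.nexus-keystore-pass")  # assumption: root-only file with the
                                                            # clear-text keystore password
SERVICE_USER = "nexus"
PASS_ENV = "NEXUS_KS_PASS"   # the password reaches openssl/keytool through this variable


def lineage_from_env(environ: dict, host: str = NEXUS_HOST):
    """Return the renewed lineage directory if it belongs to the Nexus host, else None.
    Deploy hooks fire for every certificate renewed on the machine, so the hook must
    not rebuild the keystore from some other site's certificate."""
    lineage = environ.get("RENEWED_LINEAGE", "")
    if not lineage or pathlib.Path(lineage).name != host:
        return None
    return pathlib.Path(lineage)


def lineage_files(lineage):
    """(fullchain.pem, privkey.pem) of a lineage. fullchain, not cert.pem, must be
    used: without the intermediate CA in the keystore Docker clients reject the
    registry with 'x509: certificate signed by unknown authority'."""
    lineage = pathlib.Path(lineage)
    fullchain, privkey = lineage / "fullchain.pem", lineage / "privkey.pem"
    for path in (fullchain, privkey):
        if not path.is_file():
            raise FileNotFoundError(f"{path} not found: not a certbot lineage directory")
    return fullchain, privkey


def openssl_export_cmd(fullchain, privkey, p12_out):
    """openssl pkcs12 -export, reading the export password from $NEXUS_KS_PASS so it
    never shows up in the process list or in shell history."""
    return ["openssl", "pkcs12", "-export", "-in", str(fullchain), "-inkey", str(privkey),
            "-out", str(p12_out), "-passout", f"env:{PASS_ENV}"]


def keytool_import_cmd(p12_in, jks_out):
    """keytool -importkeystore PKCS12 -> JKS with one password for source, destination
    and key, so KeyStorePassword/KeyManagerPassword in jetty-https.xml stay valid."""
    return ["keytool", "-importkeystore", "-noprompt",
            "-srckeystore", str(p12_in), "-srcstoretype", "PKCS12",
            "-srcstorepass:env", PASS_ENV,
            "-destkeystore", str(jks_out), "-deststoretype", "JKS",
            "-deststorepass:env", PASS_ENV]


def rebuild_keystore(lineage, dest=KEYSTORE):
    """Build the new JKS next to the old one, restrict it to the nexus user
    (it holds the private key) and swap it in atomically."""
    fullchain, privkey = lineage_files(lineage)
    env = dict(os.environ)
    env[PASS_ENV] = PASSWORD_FILE.read_text().strip()
    with tempfile.TemporaryDirectory(dir=dest.parent) as tmp:
        p12 = pathlib.Path(tmp) / "keystore.p12"
        jks = pathlib.Path(tmp) / "keystore.jks"
        subprocess.run(openssl_export_cmd(fullchain, privkey, p12), env=env, check=True)
        subprocess.run(keytool_import_cmd(p12, jks), env=env, check=True)
        shutil.chown(jks, SERVICE_USER, SERVICE_USER)
        jks.chmod(0o600)
        os.replace(jks, dest)   # same filesystem as dest, so the swap is atomic
    return dest


def main():
    lineage = lineage_from_env(os.environ)
    if lineage is None:
        return 0   # some other certificate was renewed; nothing to do for Nexus
    rebuild_keystore(lineage)
    # Jetty reads the keystore only at start-up: restart Nexus to serve the new chain
    subprocess.run([str(NEXUS_HOME / "bin" / "nexus"), "restart"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it with mode 0755 under /etc/letsencrypt/renewal-hooks/deploy/ and test the whole chain once with sudo certbot renew --dry-run --deploy-hook /path/to/this/script (a dry run still runs the hook against the staging certificate, so check afterwards that you are not left serving the staging chain). Keeping the password in a root-only file rather than in the hook itself means the script can live in version control.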
    

    After these steps, start Nexus (sudo /opt/nexus-3.13.0-01/bin/nexus start) and configure the Docker repositories through its web interface at https://[YOUR-HOST]. Log in as admin (Nexus 3.13 ships with the default password admin123; change it before anything else), open the administration section (gear icon), select "Repositories" in the side menu and click "Create repository".

  • First, a "docker (proxy)" repository that caches Docker Hub. Fill the form with:
    Name: docker-hub
    Remote storage: https://registry-1.docker.io
    Docker Index: Use Docker Hub

    The remote storage is the upstream registry, not an address on your own Nexus; pointing it at https://[YOUR-HOST]/repository/docker-hub/ would make the proxy fetch from itself.

  • Second, a "docker (hosted)" repository for your own images:
    Name: docker-hosted
    HTTPS: 18444

  • Third, a "docker (group)" repository that exposes both through a single port:
    Name: docker-group
    HTTPS: 18433
    Enable Docker V1 API: only if your clients need docker search; it is a legacy API and can stay disabled for push and pull.
    Member repositories: add docker-hosted and docker-hub (a group cannot contain itself).

    The HTTPS connector ports (18444 and 18433) are served directly by Nexus's Jetty with the keystore configured above, not through Apache, so they must be open in the firewall for the Docker clients.

    At this point you can push images to your Nexus repository: tag an image with the hosted connector address (for example [YOUR-HOST]:18444/myapp:1.0) and docker push it. To pull images from the repository on a Linux server running Ubuntu, install Docker CE and log in as follows:

  • Remove old packages
    ubuntu@server:/$ sudo apt-get remove docker docker-engine docker.io
    
  • Install the packages needed to use an HTTPS apt repository
    ubuntu@server:/$ sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
    
  • Add Docker's GPG public key. curl does not need root; only apt-key does. Before continuing, verify with apt-key fingerprint 0EBFCD88 that the fingerprint is 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88.
    ubuntu@server:/$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
    
  • Add the Docker stable repository
    ubuntu@server:/$ sudo add-apt-repository \
       "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
       $(lsb_release -cs) \
       stable"
    
  • Install Docker CE
    ubuntu@server:/$ sudo apt-get update
    ubuntu@server:/$ sudo apt-get install docker-ce
    
  • Log in to your Nexus Docker registry. docker login takes the registry address (host and connector port), not a URL with the repository path; because the certificate chain is from Let's Encrypt, no insecure-registries entry in /etc/docker/daemon.json is needed. The credentials are stored in the invoking user's ~/.docker/config.json (root's, with sudo).
    ubuntu@server:/$ sudo docker login [YOUR-HOST]:18444
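Before the first docker login it is worth checking a connector the way the Docker daemon will see it: a TLS handshake verified against the system trust store (no insecure-registries involved), the issuer and remaining lifetime of the certificate, and the registry's answer to GET /v2/, which a V2 registry that wants credentials returns as 401 with a Www-Authenticate challenge (Basic from Nexus, or Bearer when its Docker Bearer Token realm is active). The script below is an added example, not from the article or from Sonatype; repo.example.com and 18444 stand in for [YOUR-HOST] and your connector port, and the header and date strings in the tests are constructed.

```python
"""Probe a Nexus Docker connector the way the Docker daemon sees it.

Added example, not from the article. Opens a TLS connection verified against
the system trust store (what Docker does unless the registry is listed under
insecure-registries in daemon.json), reports the certificate issuer and the
days before it expires (Let's Encrypt certificates live 90 days) and requests
/v2/, the Docker registry API root, which answers 401 plus a Www-Authenticate
header until docker login has supplied credentials. Host and port are
placeholders for [YOUR-HOST]:18444.
"""
import http.client
import re
import ssl
import sys
import time

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_www_authenticate(header: str):
    """'Basic realm="Sonatype Nexus Repository Manager"' -> ('Basic', {'realm': ...}).
    Quoted values may contain commas (Bearer scope="repository:x:pull,push"),
    so a plain split on ',' would break them."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        params[key.lower()] = bare if bare else quoted
    return scheme, params


def days_left(not_after: str, now: str = None) -> int:
    """Days until a certificate's notAfter, in the form getpeercert() reports it
    ('Nov  4 12:00:00 2018 GMT'). 'now' in the same form is for testing."""
    expires = ssl.cert_time_to_seconds(not_after)
    ref = ssl.cert_time_to_seconds(now) if now else time.time()
    return int((expires - ref) // 86400)


def check_registry(host: str = "repo.example.com", port: int = 18444, timeout: float = 10.0) -> dict:
    """Verified TLS handshake plus GET /v2/ against a Docker connector."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, exactly like Docker
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/v2/")
        resp = conn.getresponse()
        resp.read()
        cert = conn.sock.getpeercert()
        issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
        challenge = resp.getheader("Www-Authenticate")
        return {
            "status": resp.status,                      # 401 = registry up, wants credentials
            "api_version": resp.getheader("Docker-Distribution-Api-Version"),
            "issuer": issuer.get("organizationName"),   # expect "Let's Encrypt"
            "days_left": days_left(cert["notAfter"]),
            "challenge": parse_www_authenticate(challenge) if challenge else None,
        }
    finally:
        conn.close()


def verdict(info: dict, renew_within_days: int = 30) -> list:
    """Turn the probe result into the problems a practitioner cares about."""
    problems = []
    if info["status"] not in (200, 401):
        problems.append(f"unexpected status {info['status']} for /v2/")
    if info["status"] == 401 and not info["challenge"]:
        problems.append("401 without Www-Authenticate: docker login cannot negotiate")
    if info["days_left"] < renew_within_days:
        problems.append(f"certificate expires in {info['days_left']} days: renew and rebuild the keystore")
    return problems


if __name__ == "__main__":
    # usage: python3 check_registry.py [host] [port]
    result = check_registry(*sys.argv[1:2], *(int(p) for p in sys.argv[2:3]))
    print(result)
    for problem in verdict(result):
        print("WARNING:", problem)
```

A handshake failure here (ssl.SSLCertVerificationError) is the same failure docker login would report, typically because cert.pem rather than fullchain.pem went into the keystore or because Jetty is still serving the default self-signed certificate; a 404 on /v2/ usually means the port belongs to the Nexus UI (8443) rather than to a Docker connector.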
    

    Enjoy!
