Maven 3.0.5 refuses our updated nexus certificate


When running Maven 3.0.5, our (newly swapped, Apache-proxy-hosted) HTTPS certificate for Nexus is rejected with the error:

hostname in certificate didn't match: <new.domain.com> != <*.old.domain.com> OR ..

This does not happen with earlier Maven versions (e.g. 3.0.3), and I noticed that the fix in 3.0.5 seems to match my problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253

I've reviewed the certificate via Chrome etc. and it seems fine. Running Maven in debug mode (-X) doesn't give me much more information.

(I know this is borderline an Apache/Nexus question.) Also, this is a wildcard SSL certificate used by several other services, also proxied by the same Apache instance.

Any ideas?

1 answer

John Fear

OK. Problem solved.

After reading up on Apache HTTPS and virtual hosts, along with a crash course in HTTP proxies, I got it.

Simply put: Apache cannot support multiple virtual hosts with different SSL certificates. This is because the Host header used to proxy the request is encrypted, so we're in a chicken-and-egg situation.

We had our Apache configured like this because we wanted redirects from our old domain to the new one. In this situation Apache simply uses the certificate set up for the first virtual host: https://wiki.apache.org/httpd/NameBasedSSLVHosts

So why did Chrome get the correct certificate? Well, it appears that Chrome (and Apache) support a TLS extension which sends the host name unencrypted in the Client Hello (i.e. the first SSL message). Hence Apache knows which virtual host (i.e. certificate) to send back.

Problem solved.

We will now set up our new domain's virtual hosts first and our old redirects last. This will enable clients with the TLS extension to work 100%, while it will also enable the other clients to work for our new domain.
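The following model of the situation described in the answer is an added illustration, not code from the question, the answer, Apache httpd or Maven. It reproduces two things: how a name-based SSL server chooses a certificate (the requested name when the client sends SNI, otherwise the first configured virtual host), and the RFC 2818/6125-style hostname check a verifying client such as Maven 3.0.5 applies to the certificate it receives (a wildcard label matches exactly one label, so `nexus.new.example.com` never matches `*.old.example.com`). The host names, certificate subjects and virtual host list are constructed sample values; the earlier behaviour the question reports (Maven 3.0.3 accepting the connection) corresponds to skipping `verify_hostname` altogether.

```python
"""Model of name-based TLS virtual host selection plus client hostname
verification. Illustration only: not Apache's, Maven's or the poster's code.
All names below are constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 server certificate: only its DNS names matter here."""
    dns_names: Tuple[str, ...]


@dataclass(frozen=True)
class VirtualHost:
    server_name: str
    cert: Cert


def select_vhost(vhosts: List[VirtualHost], sni: Optional[str]) -> VirtualHost:
    """Choose the virtual host whose certificate the server presents.

    With SNI the requested name is visible in the ClientHello and can be
    matched. Without it the Host header is still inside the not-yet-established
    TLS session, so the first virtual host configured for the address:port is
    used (the behaviour the Apache wiki page linked in the answer describes).
    """
    if sni is not None:
        for vh in vhosts:
            if vh.server_name.lower() == sni.lower():
                return vh
    return vhosts[0]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: a '*' is accepted only as the whole leftmost label
    of a pattern with at least three labels, and it covers exactly one label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False  # wildcard does not span sub-subdomains
    if "*" in pattern and (pat_labels[0] != "*" or len(pat_labels) < 3):
        return False  # reject "foo*.example.com" and "*.com" style patterns
    return all(p == "*" or p == h for h, p in zip(host_labels, pat_labels))


def verify_hostname(hostname: str, cert: Cert) -> bool:
    """What a verifying client does with the presented certificate."""
    return any(hostname_matches(hostname, name) for name in cert.dns_names)


def handshake(vhosts: List[VirtualHost], hostname: str,
              client_sends_sni: bool) -> Tuple[bool, Tuple[str, ...]]:
    """Simulate one client connecting to `hostname`.

    Returns (client accepts certificate, DNS names the server presented)."""
    vh = select_vhost(vhosts, hostname if client_sends_sni else None)
    return verify_hostname(hostname, vh.cert), vh.cert.dns_names


# Constructed sample deployment: a wildcard cert for the old domain and a
# single-name cert for the new Nexus host, proxied by one server.
OLD_CERT = Cert(("*.old.example.com",))
NEW_CERT = Cert(("nexus.new.example.com",))

# Order described in the answer before the fix: old-domain redirects first.
ORIGINAL_ORDER = [
    VirtualHost("nexus.old.example.com", OLD_CERT),
    VirtualHost("nexus.new.example.com", NEW_CERT),
]
# Order after the fix: new domain first, old redirects last.
FIXED_ORDER = list(reversed(ORIGINAL_ORDER))

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        for host in ("nexus.new.example.com", "nexus.old.example.com"):
            for sni in (False, True):
                ok, presented = handshake(order, host, sni)
                print(f"{label:8} sni={sni!s:5} {host:24} -> "
                      f"presented {presented[0]:22} accepted={ok}")
```

With the original ordering, a client that omits SNI and connects to the new host is shown `*.old.example.com` and rejects it, which is exactly the "hostname in certificate didn't match" error in the question, while an SNI-capable client is served the matching certificate. With the fixed ordering the new host works for everyone, and only non-SNI clients on the old redirect names still see a mismatch.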