内网Nexus私有仓库HTTPS全栈实战从Docker部署到证书信任闭环当开发团队规模超过10人时私有制品仓库就成了刚需。上周帮某金融客户部署内网Nexus时发现Maven 3.8.1强制HTTPS的策略让很多工程师措手不及——内网没有公网域名Lets Encrypt证书无法签发而自签证书又面临浏览器和Java双重不信任的困境。本文将用一套经过生产验证的方案带你打通从Docker Compose部署到全栈证书信任的完整链路。1. 为什么内网HTTPS方案如此特殊公网环境申请SSL证书只需验证域名所有权但内网环境面临三个独特挑战IP证书的局限性主流CA机构不再签发纯IP证书Lets Encrypt明确要求域名验证信任链断裂自签证书不被操作系统和Java信任导致Chrome显示不安全连接Maven构建报PKIX path validation failed错误证书分发成本每台开发机、构建节点都需要手动信任证书实测发现仅配置Nginx的SSL还不够必须处理以下信任场景场景影响范围解决方案浏览器访问Nexus UI开发/运维人员安装CA证书到系统信任库Maven拉取依赖CI/CD流水线配置Java信任库Docker镜像推送/拉取容器化环境配置Docker守护进程信任2. 极简Docker Compose部署方案新建nexus-ssl目录作为项目根目录其结构应该是这样的nexus-ssl/ ├── docker-compose.yml ├── nginx/ │ ├── conf.d/ │ │ └── nexus.conf │ └── ssl/ ├── nexus-data/关键配置要点在docker-compose.ymlversion: 3.8 services: nexus: image: sonatype/nexus3:3.58.1 container_name: nexus restart: unless-stopped environment: - INSTALL4J_ADD_VM_PARAMS-Dnexus-args${NEXUS_CONTEXT} volumes: - ./nexus-data:/nexus-data networks: - nexus-net nginx: image: nginx:1.25-alpine ports: - 8443:8443 volumes: - ./nginx/conf.d:/etc/nginx/conf.d - ./nginx/ssl:/etc/nginx/ssl depends_on: - nexus networks: - nexus-net networks: nexus-net: driver: bridge这里有两个易错点需要特别注意数据卷权限首次启动前执行mkdir -p nexus-data chown -R 200:200 nexus-data否则会遇到容器启动失败日志显示Unable to access /nexus-data上下文路径如果希望通过https://ip:8443/repository访问而非https://ip:8443/nexus/repository需要设置环境变量export NEXUS_CONTEXTnexus-context/启动服务后用docker-compose logs -f nexus查看初始密码docker-compose up -d docker-compose exec nexus cat /nexus-data/admin.password3. 智能证书管理mkcert实战传统OpenSSL生成证书需要10步骤而mkcert通过自动化解决了三个核心痛点自动生成本地CA无需手动配置openssl.cnf一键信任自动安装CA到系统证书库IP证书支持直接为内网IP签发证书安装mkcertMac环境brew install mkcert为内网IP生成证书mkdir -p nginx/ssl cd nginx/ssl mkcert -install mkcert 192.168.1.100 ::1生成的证书会自动包含SAN扩展这是现代浏览器的强制要求。检查证书内容openssl x509 -in 192.168.1.1001.pem -text -noout关键输出应包含X509v3 Subject Alternative Name: IP Address:192.168.1.100, IP Address:0:0:0:0:0:0:0:14. Nginx反向代理的SSL配置艺术在nginx/conf.d/nexus.conf中配置server { listen 8443 ssl; server_name 192.168.1.100; ssl_certificate /etc/nginx/ssl/192.168.1.1001.pem; ssl_certificate_key /etc/nginx/ssl/192.168.1.1001-key.pem; # 禁用不安全的协议 ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; location / { proxy_pass http://nexus:8081; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; # 解决WebSocket连接问题 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; } }重启Nginx后测试配置docker-compose exec nginx nginx -t docker-compose restart nginx5. 全栈证书信任方案浏览器信任配置mkcert已自动完成90%的工作剩余步骤导出CA证书mkcert -CAROOT会显示类似/Users/xxx/Library/Application Support/mkcert的路径其中的rootCA.pem就是CA证书将rootCA.pem分发给团队成员各平台安装方式Windows双击证书 → 选择本地计算机 → 存入受信任的根证书颁发机构Mac钥匙串访问 → 系统 → 导入证书 → 始终信任Linuxsudo cp rootCA.pem /usr/local/share/ca-certificates/ sudo update-ca-certificatesJava信任链配置Maven依赖拉取失败的根本原因是Java有自己的证书库。找到JRE的cacerts位置# 对于JDK 11 java -XshowSettings:properties -version 21 | grep java.home然后导入CA证书keytool -importcert \ -alias nexus-ca \ -file $(mkcert -CAROOT)/rootCA.pem \ -keystore $JAVA_HOME/lib/security/cacerts \ -storepass changeit \ -noprompt特别注意如果使用Dockerized构建环境需要在构建镜像时执行此操作。例如在Jenkins Agent的Dockerfile中加入RUN apt-get update apt-get install -y libnss3-tools \ mkcert -install \ keytool -importcert ... # 同上6. Maven客户端的特殊配置即使服务器配置正确客户端仍需要额外处理settings.xml配置镜像mirror idnexus/id mirrorOf*/mirrorOf urlhttps://192.168.1.100:8443/repository/maven-public//url /mirror解决SNI问题旧版Java对IP地址的SNI支持不完善需在MAVEN_OPTS中添加export MAVEN_OPTS-Djsse.enableSNIExtensionfalse测试连接mvn help:effective-settings -DshowPasswordstrue7. 进阶证书的自动化分发对于50节点的环境手动安装证书不现实。推荐方案Ansible批量部署- name: Install CA cert ansible.builtin.copy: src: rootCA.pem dest: /usr/local/share/ca-certificates/nexus-ca.crt become: yes - name: Update certs ansible.builtin.command: update-ca-certificates become: yesPuppet配置管理file { /usr/local/share/ca-certificates/nexus-ca.crt: source puppet:///modules/nexus/rootCA.pem, notify Exec[update-ca-certificates], } exec { update-ca-certificates: command /usr/sbin/update-ca-certificates, refreshonly true, }Terraform云初始化resource aws_instance builder { user_data -EOF #!/bin/bash curl -o /tmp/rootCA.pem http://nexus/rootCA.pem cp /tmp/rootCA.pem /usr/local/share/ca-certificates/ update-ca-certificates EOF }8. 监控与维护证书管理不是一劳永逸的需要建立维护机制证书过期监控echo CA证书有效期 openssl x509 -in $(mkcert -CAROOT)/rootCA.pem -noout -dates echo 站点证书有效期 openssl x509 -in nginx/ssl/192.168.1.1001.pem -noout -dates自动续期方案# 提前30天检测 if openssl x509 -checkend 2592000 -noout -in cert.pem; then echo 证书即将过期执行续期... mkcert -cert-file cert.pem -key-file key.pem 192.168.1.100 ::1 docker-compose restart nginx fi证书吊销处理# 生成CRL证书吊销列表 openssl ca -config openssl.cnf -gencrl -out crl.pem # Nginx配置CRL检查 ssl_crl /path/to/crl.pem;