
(#160) Removes Duplicate Nexus Cert Functionality
Ensures that both the Set-SSLSecurity and Set-NexusCert are calling the same functionality, with only one copy to maintain.
JPRuskin committed May 28, 2024
1 parent 0a73ca0 commit 28ca1d9
Showing 3 changed files with 26 additions and 61 deletions.
8 changes: 4 additions & 4 deletions Set-SslSecurity.ps1
Expand Up @@ -112,13 +112,13 @@ process {
}
}

# Put certificate in TrustedPeople
Copy-CertToStore -Certificate $Certificate

<# Nexus #>
# Stop Services/Processes/Websites required
Stop-Service nexus

# Put certificate in TrustedPeople
Copy-CertToStore -Certificate $Certificate

# Generate Nexus keystore
$null = New-NexusCert -Thumbprint $Certificate.Thumbprint

Expand Down Expand Up @@ -153,7 +153,7 @@ process {
(Get-Content -Path $ClientScript) -replace "{{hostname}}", $SubjectWithoutCn | Set-Content -Path $ClientScript
New-NexusRawComponent -RepositoryName 'choco-install' -File $ClientScript

if ($Hardened) {
if ($Hardened) {
# Disable anonymous authentication
Set-NexusAnonymousAuth -Disabled

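Review bot: Line 32 on the new side still calls `New-NexusCert`, but scripts/Get-Helpers.ps1 in this same commit renames that function to `Set-NexusCert` with no alias visible anywhere in the diff, so once the helpers are dot-sourced this call will fail with a command-not-found error unless a second definition or alias exists outside the view. Change it to `$null = Set-NexusCert -Thumbprint $Certificate.Thumbprint`. Note also that the renamed helper now only calls `Restart-Service` when Nexus is already running, and this hunk stops the service on line 26 before calling it, so the later `Start-Service` that brings Nexus back up must still exist further down. The `process` block containing this hunk starts and ends outside it.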
17 changes: 13 additions & 4 deletions scripts/Get-Helpers.ps1
Expand Up @@ -1634,11 +1634,15 @@ function Get-RemoteCertificate {
}
}

function New-NexusCert {
function Set-NexusCert {
[CmdletBinding()]
param(
[Parameter()]
$Thumbprint
# The thumbprint of the certificate to configure Nexus to use, from the LocalMachine\TrustedPeople store.
[Parameter(Mandatory)]
$Thumbprint,

# The port to set Nexus to use for https.
$Port = 8443
)

if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) {
Expand Down Expand Up @@ -1673,13 +1677,18 @@ function New-NexusCert {
$nexusPath = 'C:\ProgramData\sonatype-work\nexus3'
$configPath = "$nexusPath\etc\nexus.properties"

$configStrings = @('jetty.https.stsMaxAge=-1', 'application-port-ssl=8443', 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml')
(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath

$configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$Port", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml')
$configStrings | ForEach-Object {
if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) {
$_ | Add-Content -Path $configPath
}
}

if ((Get-Service Nexus).Status -eq 'Running') {
Restart-Service Nexus
}
}

function Test-SelfSignedCertificate {
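Review bot: `$Port` in the new parameter block is untyped while the caller in scripts/Set-NexusCert.ps1 declares it `[uint16]`, and whatever value is passed is written verbatim into nexus.properties on line 72 as `application-port-ssl=$Port`; `$Thumbprint` is likewise free-form even though, per the new comment, it selects a certificate from LocalMachine\TrustedPeople. Declare them as `[ValidatePattern('^[0-9A-Fa-f]{40}$')][string]$Thumbprint,` and `[ValidateRange(1, 65535)][uint16]$Port = 8443` so a bad value fails at parameter binding rather than after the existing keystore has already been deleted and the config half-rewritten. The `(Get-Content $configPath) | Where-Object ... | Set-Content $configPath` on line 70 is safe because the read completes before the write, but the unanchored `-notmatch "application-port-ssl="` also strips commented-out copies of the key; `^\s*application-port-ssl=` would be tighter. The body of Set-NexusCert between the two hunks (the keystore generation) is collapsed and not visible here.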
62 changes: 9 additions & 53 deletions scripts/Set-NexusCert.ps1
Expand Up @@ -20,66 +20,22 @@ param(
[Parameter(Mandatory)]
[string]
$Thumbprint,
[string]$Thumbprint,

[Parameter()]
[string]
$NexusPort = '8443'
[uint16]$Port = 8443
)

begin {
if($host.name -ne 'ConsoleHost') {
Write-Warning "This script cannot be ran from within PowerShell ISE"
Write-Warning "Please launch powershell.exe as an administrator, and run this script again"
break
}
if ($host.name -ne 'ConsoleHost') {
Write-Warning "This script cannot be ran from within PowerShell ISE"
Write-Warning "Please launch powershell.exe as an administrator, and run this script again"
break
}

process {

$ErrorActionPreference = 'Stop'

if ((Test-Path C:\ProgramData\nexus\etc\ssl\keystore.jks)) {
Remove-Item C:\ProgramData\nexus\etc\ssl\keystore.jks -Force
}

$KeyTool = "C:\ProgramData\nexus\jre\bin\keytool.exe"
$password = "chocolatey" | ConvertTo-SecureString -AsPlainText -Force
$certificate = Get-ChildItem Cert:\LocalMachine\TrustedPeople\ | Where-Object { $_.Thumbprint -eq $Thumbprint } | Sort-Object | Select-Object -First 1

Write-Host "Exporting .pfx file to C:\, will remove when finished" -ForegroundColor Green
$certificate | Export-PfxCertificate -FilePath C:\cert.pfx -Password $password
Get-ChildItem -Path c:\cert.pfx | Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Exportable -Password $password
Write-Warning -Message "You'll now see prompts and other outputs, things are working as expected, don't do anything"
$string = ("chocolatey" | & $KeyTool -list -v -keystore C:\cert.pfx) -match '^Alias.*'
$currentAlias = ($string -split ':')[1].Trim()

$passkey = '9hPRGDmfYE3bGyBZCer6AUsh4RTZXbkw'
& $KeyTool -importkeystore -srckeystore C:\cert.pfx -srcstoretype PKCS12 -srcstorepass chocolatey -destkeystore C:\ProgramData\nexus\etc\ssl\keystore.jks -deststoretype JKS -alias $currentAlias -destalias jetty -deststorepass $passkey
& $KeyTool -keypasswd -keystore C:\ProgramData\nexus\etc\ssl\keystore.jks -alias jetty -storepass $passkey -keypass chocolatey -new $passkey

$xmlPath = 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
[xml]$xml = Get-Content -Path 'C:\ProgramData\nexus\etc\jetty\jetty-https.xml'
foreach ($entry in $xml.Configure.New.Where{ $_.id -match 'ssl' }.Set.Where{ $_.name -match 'password' }) {
$entry.InnerText = $passkey
}

$xml.OuterXml | Set-Content -Path $xmlPath

Remove-Item C:\cert.pfx

$nexusPath = 'C:\ProgramData\sonatype-work\nexus3'
$configPath = "$nexusPath\etc\nexus.properties"

(Get-Content $configPath) | Where-Object {$_ -notmatch "application-port-ssl="} | Set-Content $configPath

$configStrings = @('jetty.https.stsMaxAge=-1', "application-port-ssl=$NexusPort", 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml')
$configStrings | ForEach-Object {
if ((Get-Content -Raw $configPath) -notmatch [regex]::Escape($_)) {
$_ | Add-Content -Path $configPath
}
}
. $PSScriptRoot\Get-Helpers.ps1

Restart-Service nexus
Set-NexusCert -Thumbprint $Thumbprint -Port $Port

Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect."
}
Write-Host -BackgroundColor Black -ForegroundColor DarkGreen "The script has successfully run and the Nexus service is now rebooting for the changes to take effect."
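Review bot: The success message on the new side states that the Nexus service "is now rebooting", but `Set-NexusCert` in Get-Helpers.ps1 (lines 79–81 of this commit) only calls `Restart-Service` when the service is already running, so on a stopped instance the keystore and port are rewritten, nothing restarts, and the message is wrong. Either bring the service up before printing, `if ((Get-Service Nexus).Status -ne 'Running') { Start-Service Nexus }`, or make the wording depend on `(Get-Service Nexus).Status`. The dot-source on line 156 has no guard, so a missing Get-Helpers.ps1 surfaces only as a later "Set-NexusCert is not recognized" error; a `Test-Path` with a clear message would help operators. Whether the `$ErrorActionPreference = 'Stop'` line survives the rewrite cannot be determined from the rendered page.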

