I have to add a custom root certificate to the Java trust store inside a docker environment. So I added the following command to my dockerfile:
RUN $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt
I get the following output when building the docker image:
Step 10/10 : RUN $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt
---> Running in cbc2a547797e
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /opt/java/openjdk/jre/lib/security/cacerts (No such file or directory)
The command '/bin/sh -c $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt' returned a non-zero code: 1
I'm baffled by the following facts:
- "Certificate was added to keystore" seems to indicate a successful execution of keytool
- "keytool error" and a non-zero return code, so no success

What I've checked:
- $JAVA_HOME seems to be available, as the error message displays the correct path
- Omitted the RUN command, then issued the exact same command inside the docker container: it works perfectly
- Used /bin/sh as the shell to make sure it's not the shell: worked

Now I don't have any more ideas how to track this issue down.
Turned out that the problem was my fault™️
There were a few things that had confused me:
- keytool displays "Certificate was added to keystore" even though that had actually failed – stupid
- the cacerts file may be at $JAVA_PATH/lib/security/cacerts or it may be at $JAVA_PATH/jre/lib/security/cacerts – obviously depending on whether a JRE or JDK is installed

So my solution was to write a bash script:
- Try the -cacerts option, which will automatically take care of the keystore location
- Does the $JAVA_HOME/jre directory exist? Then use -keystore $JAVA_PATH/jre/lib/security/cacerts
- Otherwise use -keystore $JAVA_PATH/lib/security/cacerts
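For reference, here is one way to script the fallback described in the answer. This is an added example, not the original poster's script. It locates the trust store for either layout (a Java 8 JDK keeps it under jre/lib/security, while a Java 8 JRE and Java 9+ keep it directly under lib/security) and imports a PEM certificate into it. Two points worth knowing when the import in the question fails: keytool creates a brand-new keystore when the -keystore path does not exist, so "Certificate was added to keystore" only means the cert went into that in-memory store before the write to disk failed, and the -cacerts shortcut only exists in keytool from Java 9 onwards, which is why a layout check is still useful on Java 8 images. The script assumes JAVA_HOME is passed as its first argument, that keytool lives under $JAVA_HOME/bin, and that the store uses the default password changeit; the PEM path and alias are whatever the caller supplies.

```shell
#!/bin/sh
# Added example (not the original post's script): resolve the JVM's cacerts
# file for both the jre/lib/security and the lib/security layouts, then
# import a PEM certificate into it and verify the alias is really present.
# Assumptions: keytool lives under $JAVA_HOME/bin and the trust store uses
# the default password "changeit".
set -eu

# find_cacerts JAVA_HOME
# Prints the path of the existing cacerts file, or fails with status 1.
# Failing here is deliberate: if we passed a non-existent path to keytool it
# would silently create a fresh store and print "Certificate was added".
find_cacerts() {
    java_home=$1
    for candidate in "$java_home/jre/lib/security/cacerts" \
                     "$java_home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no cacerts found under $java_home" >&2
    return 1
}

# import_cert JAVA_HOME PEM_FILE ALIAS
# Imports PEM_FILE into the located trust store and checks the alias exists.
import_cert() {
    java_home=$1
    pem=$2
    alias=$3
    store=$(find_cacerts "$java_home")   # aborts (set -e) if no store found

    "$java_home/bin/keytool" -importcert -noprompt -trustcacerts \
        -file "$pem" -alias "$alias" \
        -keystore "$store" -storepass changeit

    # keytool -list exits non-zero if the alias is missing, so a successful
    # build step proves the certificate is actually in the store on disk.
    "$java_home/bin/keytool" -list -alias "$alias" \
        -keystore "$store" -storepass changeit >/dev/null
}

# Usage from a Dockerfile RUN step, for example:
#   import_cert "$JAVA_HOME" /opt/custom/certs/mycert.pem mycert
```

Calling find_cacerts first, rather than hard-coding either path, is what turns the misleading "Certificate was added to keystore" into a hard build failure at the point where the store cannot be found, and the trailing keytool -list makes the RUN step fail if the import did not actually land in the file the JVM will read.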