We currently use the openJDK alpine image in our Docker builds for our Java Sprint Boot applications that run in a container in a Kubernetes cluster. During the docker build we add 2 trusted certs to the cacerts file, these certs effectively authorise traffic from the cluster to go through our internal proxy and out to an external URL.
As openJDK docker images are deprecated, we are trying to move to the eclipse-temurin equivalent of our current image which is eclipse-temurin:19-jdk-alpine
. However, when testing our application with this image, we are getting PKIX errors
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
.
I have tried both of the below methods to add our certs to the keystore (both methods worked with the openJDK image) but neither work with the eclipse-temurin image.
Method 1
COPY int-root.crt /usr/local/share/ca-certificates/
COPY eur-root.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
Method 2
### Make directory for certs and copy certs in
RUN mkdir -p /opt/certdir
COPY certs /opt/certdir/
### Import certs into java keystore
RUN keytool -noprompt -keystore -cacerts -storepass changeit -importcert -alias cardiff-root -file /opt/certdir/int-root.crt
RUN keytool -noprompt -keystore -cacerts -storepass changeit -importcert -alias swansea-root -file /opt/certdir/eur-root.crt
I have found this github issue https://github.com/adoptium/containers/issues/293 suggesting that eclipse-temurin doesn't handle certs in the same way openJDK did and doesn't automatically use the system cacerts file over the temurin cacerts file (I may be reading the detail wrong). Off the back of that ticket this change was merged in https://github.com/adoptium/containers/pull/392 which advises I just need to create the environment variable mentioned with any value and it will behave link openJDK did.
ENV USE_SYSTEM_CA_CERTS=true
However I'm still getting the same cert error. I have also attempted to use the eclipse-temurin:21-jdk-alpine
image in case jdk 19 wasn't backdated for the merged change linked above but this still didn't work. If it's a thing then I don't mind adding the certs to the temurin cacerts file but I'm struggling to find any help or documentation to guide me on how to do that.
At this point I am running our of ideas and hope someone can see some errors above or can help point me in the right direction.
(I'm not sure this is really programming or development, but)
keytool -importcert -keystore -cacerts
is wrong -- it creates a keystore file named -cacerts
in your working directory, which is wrong and useless.
For the 'pure Java' way either use -cacerts
alone (in java 9 up):
keytool -importcert -noprompt -cacerts -alias $a -file $f
or use the full filename (less convenient), in this case:
keytool -importcert -noprompt -keystore /opt/java/openjdk/lib/security/cacerts -alias $a -file $f
Alternatively I agree the USE_SYSTEM_CA_CERTS method should work, as long as you don't change the docker entrypoint. It certainly is present in the eclipse-temurin:21-jdk-alpine
I get as of now, in (virtual) /__cacert_entrypoint.sh