
I have a Spring Boot Java app and I use Google Jib to create a docker image (I deploy the image locally for now) based on gcr.io/distroless/java:11.

My Java app needs to access an HTTPS resource that has a self-signed certificate. Locally (without Docker) I added the certificate to the Java certificates with the following command in order to develop and debug my Spring Boot app.

```
"C:\Program Files\Java\jdk-11\bin\keytool" -importcert -file C:\Users\FooBar\Downloads\mycert.pem -alias foobar -keystore "C:\Program Files\Java\jdk-11\lib\security\cacerts" -storepass changeit
```

I need to somehow add this certificate to the image I create with Jib. However, all the posts online give a solution that either involves a Dockerfile (I do not have one) or Kubernetes and other cloud technologies I do not use (for instance Docker Swarm).

Can someone please give me some help or provide a solution involving Jib that lets me add this certificate to the certificates of the JVM that run inside the container?

Mark Rotteveel
XII
  • The question sounds like a duplicate of [Adding SSL certificate when using Google Jib and Kubernetes](https://stackoverflow.com/questions/62991314/adding-ssl-certificate-when-using-google-jib-and-kubernetes)? – Chanseok Oh Apr 26 '21 at 14:16
  • @ChanseokOh code change is not a desired solution (for now) so Method 1 is not applicable. Method 2 is also not applicable as I do not have a Docker File and I am also using a distroless java 11 as base to create my image (no access in terminal to execute any commands to cp the .pem file). For Method 3 I do not use Kubernetes so it is also out of the picture (from what I can tell Method 3 is applicable in cloud solution not to my scenario). – XII Apr 26 '21 at 14:25
  • I'm not talking about the three methods in the article. See the answer in the linked question, where it explains how you can put a cert file into an image built by Jib. I've updated my answer to be clearer on that. – Chanseok Oh Apr 26 '21 at 14:53
  • I read the linked question and I cannot tell if you mean embedding cacerts at build time or supplying cacerts at runtime? If you mean the first one, can you give an example? My dev machine is Windows and the Docker image is based on the gcr Java 11 distroless (*nix) image. Can I put the Windows Java cacerts file in a *nix image? They seem kind of different (they even have different names; in the image it is called ca-certificates.crt). – XII Apr 27 '21 at 06:01
  • It's your choice whether you want to embed it at build time or supply it at runtime. There are pros and cons, and it depends on your workflow. I can't say one is better than the other. But sounds like you want to embed it into a built image, so maybe go for it. – Chanseok Oh Apr 27 '21 at 16:15
  • It's really simple: just put the right `cacerts` file you prepared (i.e., that is, the one that includes your self-signed certificate) into the right place in the image. I see you already prepared the file using the keytool, located at `C:\Program Files\Java\jdk-11\lib\security\cacerts`. Grab that file, and put it into the right place in the image using ``. The correct location depends on the location of the JRE in the base image. In the distroless case, `/etc/ssl/certs/java/cacerts` will work as explained in the linked SO answer. – Chanseok Oh Apr 27 '21 at 16:17
  • Just in case, if you still don't get the picture, check out these too: https://github.com/GoogleContainerTools/jib/blob/master/docs/self_sign_cert.md and https://github.com/GoogleContainerTools/jib/issues/2240#issuecomment-576930662 – Chanseok Oh Apr 27 '21 at 16:18
  • (Just in case again, the "Accessing a private docker registry with self-signed certificate" doc in the comment above is to enable Jib to access a private registry with a self-signed certificate, not for your app containerized by Jib. It's just to give you a basic and general understanding of how Java loads server certificates to verify servers. This principle applies to any Java app running on a JVM, whether it's Jib or your app.) – Chanseok Oh Apr 27 '21 at 16:28
  • Another "just in case": I believe by now you will get it, but most likely you were talking about `/etc/ssl/certs/ca-certificates.crt`. It's `/etc/ssl/certs/java/cacerts`. – Chanseok Oh Apr 27 '21 at 16:34
  • 4
    Does this answer your question? [Adding SSL certificate when using Google Jib and Kubernetes](https://stackoverflow.com/questions/62991314/adding-ssl-certificate-when-using-google-jib-and-kubernetes) – Chanseok Oh Apr 27 '21 at 18:01
  • I employed a different tactic (mounting the certificate in an OpenShift volume). In the end I did not need to do it in traditional Docker but in OpenShift. – XII May 06 '21 at 10:13
  • Yeah, as I answered in [Adding SSL certificate when using Google Jib and Kubernetes](https://stackoverflow.com/questions/62991314/adding-ssl-certificate-when-using-google-jib-and-kubernetes), supplying a cert at runtime by mounting a volume in an OpenShift cluster rather than at build time is the other sound strategy. The choice depends on your workflow and requirements, as I said. – Chanseok Oh May 06 '21 at 15:50
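The build-time variant that the comment thread describes, written out as an added example (this is not code from the question or from Chanseok Oh's comments, and it is not Jib's own documentation). It assumes a Maven build; the plugin version, the local image name `myapp`, and the container ID placeholder are assumptions. The preparation commands in the leading comment are for Windows cmd, matching the asker's environment, and work on a copy of the base image's trust store rather than on the JDK's own `lib\security\cacerts`, so the dev JDK and the image stay independent.

```xml
<!-- pom.xml excerpt: jib-maven-plugin configuration (added example, not from the page).

  Step 1: take the trust store that ships in the base image, so the container keeps
  its existing CA bundle and only gains the one extra entry. "docker create" and
  "docker cp" do not need a shell inside the image, which distroless does not have.
  "docker create" prints a container ID; use it in place of CONTAINER_ID below.

    mkdir src\main\jib\etc\ssl\certs\java
    docker create gcr.io/distroless/java:11
    docker cp CONTAINER_ID:/etc/ssl/certs/java/cacerts src\main\jib\etc\ssl\certs\java\cacerts
    docker rm CONTAINER_ID

  Step 2: import the self-signed certificate into that copy. -noprompt skips the
  "Trust this certificate?" question. Keystore files are platform independent, so a
  file written on Windows is valid inside the Linux image.

    "C:\Program Files\Java\jdk-11\bin\keytool" -importcert -noprompt ^
        -file C:\Users\FooBar\Downloads\mycert.pem -alias foobar ^
        -keystore src\main\jib\etc\ssl\certs\java\cacerts -storepass changeit

  Step 3: check that the alias is present before building the image.

    "C:\Program Files\Java\jdk-11\bin\keytool" -list -alias foobar ^
        -keystore src\main\jib\etc\ssl\certs\java\cacerts -storepass changeit

  Step 4: let Jib copy src/main/jib/** to the image root. src/main/jib mapped to "/"
  is Jib's default extra directory, so the <paths> element below only makes it
  explicit. The file lands at /etc/ssl/certs/java/cacerts, the location the comment
  thread gives for the distroless base image. Build the local image with:

    mvn compile jib:dockerBuild
-->
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <!-- assumption: any Jib 2.x/3.x release; extraDirectories/paths exists in all of them -->
  <version>3.1.1</version>
  <configuration>
    <from>
      <image>gcr.io/distroless/java:11</image>
    </from>
    <to>
      <!-- placeholder name for the locally built image -->
      <image>myapp</image>
    </to>
    <extraDirectories>
      <paths>
        <path>
          <from>src/main/jib</from>
          <into>/</into>
        </path>
      </paths>
      <permissions>
        <permission>
          <!-- a trust store holds no private keys, so world-readable is acceptable;
               it must be readable by whatever user the JVM runs as in the image -->
          <file>/etc/ssl/certs/java/cacerts</file>
          <mode>644</mode>
        </permission>
      </permissions>
    </extraDirectories>
  </configuration>
</plugin>
```

Two things to keep in mind with this approach. First, an entry in cacerts is trusted by every outbound TLS connection the JVM makes, and if `mycert.pem` is a CA certificate rather than a leaf, everything it signs becomes trusted too; if that is wider than you want, Jib's `<jvmFlags>` can instead pass `-Djavax.net.ssl.trustStore=/some/other/path` so the app uses a dedicated trust store and the system one stays untouched. Second, the file is baked into the image, so rotating the certificate means rebuilding; the runtime-mount route the asker ended up using in OpenShift avoids that at the cost of needing platform support for mounting files.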

0 Answers