
I have configured New Relic in my Spring Boot app and am trying to run it in Docker. Upon starting the container, I get "Unable to connect to New Relic due to an SSL error".

New Relic suggests adding a DigiRootCert file to the truststore. I have added that to my local JDK, and now I can curl the HTTPS URL https://one.newrelic.com from CMD, but I cannot do the same from the Docker container's bash:

/app # curl https://one.newrelic.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

So that tells me I should add the certificate to the container as well.

I tried adding the cert to the image as follows:

# Copy the root certificate out of the build stage into the OS trust directory,
# then rebuild the system CA bundle (the store curl consults; the JVM reads its own cacerts file).
COPY --from=mainapp /app/springbootapp/target/classes/root.crt /usr/local/share/ca-certificates/root.crt
RUN update-ca-certificates

Please share any reference I could use to get this done. Thanks.

Below is the error thrown when I run docker compose up:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

---------- UPDATE 1 ------------

I did add the certificates to the Docker image's Java truststore and exposed port 443.

I was able to connect to New Relic in only 10% of my tries. Every other time, the container throws the error below:

com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to collector.newrelic.com:443 for springBootApp: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've added the certificates for New Relic to the Java truststore in the Docker image:

*******************************************


Alias name: newrelic
Creation date: May 8, 2021
Entry type: trustedCertEntry

Owner: CN=*.newrelic.com, O="New Relic, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN="Zscaler Intermediate Root CA (zscaler.net) (t) ", OU=Zscaler Inc., O=Zscaler Inc., ST=California, C=US
Serial number: 60902de1d57e749a4a212b1196c4eed6
Valid from: Sat May 01 04:14:01 GMT 2021 until: Sat May 15 04:14:01 GMT 2021
Certificate fingerprints:
     MD5:  2F:2F:5C:88:A2:45:41:6E:07:60:F9:73:77:51:40:5C
     SHA1: DA:29:79:16:7C:6F:75:69:2F:2B:16:38:B5:64:68:BB:59:29:D8:77
     SHA256: 0E:F9:93:F4:48:56:10:FF:BF:74:C7:AA:5D:B4:EC:1A:87:32:81:BE:79:03:D5:19:D4:AD:8E:4B:56:51:B7:20
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 81 F3 00 F1 00 77 00   46 A5 55 EB 75 FA 91 20  ......w.F.U.u.. 
0010: 30 B5 A2 89 69 F4 F3 7D   11 2C 41 74 BE FD 49 B8  0...i....,At..I.
0020: 85 AB F2 FC 70 FE 6D 47   00 00 01 77 E0 00 D3 00  ....p.mG...w....
0030: 00 00 04 03 00 48 30 46   02 21 00 BA 96 AD E3 75  .....H0F.!.....u
0040: 10 74 05 89 7D A7 72 A0   E2 D1 A3 E0 39 95 40 48  .t....r.....9.@H
0050: 83 4A 6E 53 21 FC F9 5E   82 16 1C 02 21 00 B9 4F  .JnS!..^....!..O
0060: 25 50 DD 97 B3 09 A8 D1   DE F9 0D 20 5F E5 AE 5E  %P......... _..^
0070: 90 3F D1 0E 33 41 8E 8C   A3 01 A3 F9 11 1D 00 76  .?..3A.........v
0080: 00 22 45 45 07 59 55 24   56 96 3F A1 2F F1 F7 6D  ."EE.YU$V.?./..m
0090: 86 E0 23 26 63 AD C0 4B   7F 5D C6 83 5C 6E E2 0F  ..#&c..K.]..\n..
00A0: 02 00 00 01 77 E0 00 D2   DE 00 00 04 03 00 47 30  ....w.........G0
00B0: 45 02 21 00 86 07 E4 C6   05 55 4D 2C 47 7C 54 48  E.!......UM,G.TH
00C0: 20 04 45 58 CE 39 52 9F   06 01 E8 04 72 3D E8 97   .EX.9R.....r=..
00D0: C4 9E 72 84 02 20 19 3D   8E 3C 59 A1 F3 30 FC 1B  ..r.. .=.<Y..0..
00E0: F2 5C FF AF 46 B2 14 79   8E 77 22 65 EB F9 31 70  .\..F..y.w"e..1p
00F0: 1E 04 BC 86 B6 DB                                  ......


#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://gateway.zscaler.net/zscaler-zscrl--4.crl]
]]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.newrelic.com
  DNSName: newrelic.com
]



*******************************************

I am confused by the intermittent connection. The same image that once connected throws the same error, which makes me think the issue is with the New Relic server. I'd appreciate your thoughts on this.
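Editor's note with an added example (not code from the question or from New Relic). The keytool dump above shows what was imported: an end-entity certificate (BasicConstraints CA:false) for *.newrelic.com, issued by a Zscaler intermediate, valid for two weeks. A JVM accepts a server certificate that is itself a trustedCertEntry in its truststore, so the connection succeeds whenever the TLS-intercepting proxy presents exactly that certificate; when it presents a different one for the same name, PKIX path building has to reach the Zscaler issuing CA, which is not in the truststore, and fails with the error shown. That the proxy rotates its leaf certificates is my inference from the validity period, not something the post states. The script below reproduces the two trust models with OpenSSL only: it constructs a stand-in issuing CA, issues two 14-day leaves for the same name, and verifies each leaf against a trust file holding either the CA or the first leaf. All keys, names and certificates are constructed for the example; "*.newrelic.com" is just a label copied from the dump.

```shell
#!/bin/sh
# Added example (not from the original post). Shows, with OpenSSL alone, why a
# truststore entry for a short-lived leaf certificate works only while the
# server presents that exact certificate, whereas trusting the issuing CA keeps
# working after the leaf is re-issued. Everything here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Stand-in for the interception proxy's issuing CA (constructed, self-signed).
#    Built via CSR + x509 -req so the extensions come only from ca.ext.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Example Intercepting CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.pem >/dev/null 2>&1

# 2. Leaf extensions mirroring the dumped entry: end-entity, serverAuth, SAN for the wildcard.
cat > leaf.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:*.newrelic.com,DNS:newrelic.com
EOF

# issue_leaf NAME: a 14-day leaf for *.newrelic.com signed by the CA above. Called
# twice to model the proxy re-issuing the certificate (assumed, not shown by the post).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=*.newrelic.com" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 14 -extfile leaf.ext -out "$1.pem" >/dev/null 2>&1
}
issue_leaf leaf1
issue_leaf leaf2

# is_ca FILE: prints yes/no from the basicConstraints extension. This is the
# "CA:false" line in the keytool dump: whether the entry can act as an issuer at all.
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# verify_with TRUSTFILE CERT: prints ok/fail. -partial_chain lets a non-root entry
# in the trust file act as the anchor, which is how the JVM treats a trustedCertEntry
# that is the server certificate itself.
verify_with() {
  if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Standalone run: the table a practitioner wants before touching the Dockerfile.
# Trusting the CA validates both leaves; trusting leaf1 validates only leaf1.
for trust in ca.pem leaf1.pem; do
  for cert in leaf1.pem leaf2.pem; do
    printf 'trust=%-9s (CA=%s)  cert=%s -> %s\n' \
      "$trust" "$(is_ca "$trust")" "$cert" "$(verify_with "$trust" "$cert")"
  done
done
```

Applied to the Dockerfile in the question, the practical consequence is to import the issuing CA of the interception proxy (the Zscaler root exported from the machine that sits behind it), not the two-week *.newrelic.com leaf, and to import it into both stores the container uses: the OS bundle that curl reads (the update-ca-certificates step already shown) and the JVM's cacerts, for example with keytool -importcert -noprompt -trustcacerts -alias zscaler-root -file ca.pem -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit. A pinned leaf also stops working outright when it expires (May 15, 2021 in the dump). Such a CA should only be trusted in images that genuinely run behind that proxy, since it can mint a certificate for any name.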
