Link Java trust store to the CA certificates provided by OS
wkruse opened this issue · 2 comments
Right now there are two trust stores in the Docker image:
/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
Amazon Corretto 8 is using the latter:
Inaccessible trust store: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/jssecacerts
trustStore is: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
But importing, for example, the rds-combined-ca-bundle.pem with keytool to /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts doesn't work, as only the first certificate in the bundle is imported. Possible solutions would be either to split rds-combined-ca-bundle.pem into separate certificates and import them one-by-one, or to convert the bundle to PKCS#7...
https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html
It is a lot easier to import rds-combined-ca-bundle.pem to /etc/pki/ca-trust/extracted/java/cacerts:
QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system: add it as a new file to directory /etc/pki/ca-trust/source/anchors/; run update-ca-trust extract
https://www.systutorials.com/docs/linux/man/8-update-ca-trust/
ADD rds-combined-ca-bundle.pem /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
RUN update-ca-trust extract \
&& ln -fs /etc/pki/ca-trust/extracted/java/cacerts ${JAVA_HOME}/jre/lib/security/cacerts
Is there a good reason NOT to link ${JAVA_HOME}/jre/lib/security/cacerts to /etc/pki/ca-trust/extracted/java/cacerts per default in the Docker image?
Related to corretto/corretto-8#171.
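The one-by-one import mentioned above, as an added example that is not part of the issue or of the Corretto project: it splits a PEM bundle into single certificates with awk and imports each into a keystore under a distinct alias; the sample bundle, the keystore path and the alias prefix are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Corretto project): split a PEM
# bundle such as rds-combined-ca-bundle.pem into one file per certificate and
# import each into a Java trust store under its own alias, because
# keytool -importcert only reads the first certificate of a bundle.
# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-NNN.pem per certificate,
# drops text outside the BEGIN/END markers, prints the certificate count.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$bundle"
}
# import_pem_dir OUTDIR KEYSTORE ALIAS_PREFIX [STOREPASS]: imports every split
# certificate; keytool needs a unique alias per entry. Assumes keytool is on
# PATH; the stock Java cacerts password is "changeit".
import_pem_dir() {
  dir="$1"; store="$2"; prefix="$3"; pass="${4:-changeit}"
  for f in "$dir"/cert-*.pem; do
    name="$prefix-$(basename "$f" .pem)"
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$store" -storepass "$pass" \
      -alias "$name" -file "$f" || return 1
  done
}
# Constructed sample bundle (placeholder bodies, not real certificates) so the
# splitting step can be exercised offline.
write_sample_bundle() {
  cat > "$1" <<'EOF'
subject=CN=constructed-root-1
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderBodyOne
-----END CERTIFICATE-----
subject=CN=constructed-root-2
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderBodyTwo
-----END CERTIFICATE-----
EOF
}
# Demo: split the sample bundle. A real run would then call, for example,
# import_pem_dir "$work/split" "${JAVA_HOME}/jre/lib/security/cacerts" rds
work="${TMPDIR:-/tmp}/pem-split-demo.$$"
mkdir -p "$work"
write_sample_bundle "$work/bundle.pem"
echo "certificates split: $(split_pem_bundle "$work/bundle.pem" "$work/split")"
```

Against a real bundle, check the result with keytool -list -keystore ... | grep -c trustedCertEntry, which should match the number of files the split produced.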
It's by design, but we plan to change to native rpm in corretto-8-docker in the future.
That rpm will have dependency on system cacerts.
For your case, you can specify cacerts in your java options explicitly:
-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts