@socheatsok78
Last active August 28, 2025 12:42
A simple fix for using "ca-certificates" to update Java "cacerts" store for container.

About

A simple fix for using ca-certificates to update Java cacerts store for container.

Use with pre-built JDK/JRE container

update-ca-certificates writes the Java cacerts store to /etc/ssl/certs/java/cacerts, but a pre-built JDK/JRE image ships its own copy at ${JAVA_HOME}/lib/security/cacerts and never sees those changes. Removing ${JAVA_HOME}/lib/security/cacerts and creating a symbolic link from /etc/ssl/certs/java/cacerts to ${JAVA_HOME}/lib/security/cacerts resolves the issue.

Alpine

FROM eclipse-temurin:17-jre-alpine

# java-cacerts installs the update-ca-certificates hook that writes the system
# CA bundle as a Java keystore to /etc/ssl/certs/java/cacerts. The bundled JRE
# has its own copy, so replace it with a symlink. Chain with && so a failed
# step fails the build instead of being masked by the next command.
RUN apk add -Uu --no-cache \
      ca-certificates \
      java-cacerts \
    && rm "${JAVA_HOME}/lib/security/cacerts" \
    && ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts" \
    && update-ca-certificates

Debian

FROM eclipse-temurin:17-jre-focal

# The bundled JRE is not a distro package, so register an update-ca-certificates
# hook that regenerates its cacerts from the system trust anchors with p11-kit's
# `trust extract` every time update-ca-certificates runs. apt-get (not apt) is
# used because apt has no stable scripting interface.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        p11-kit \
    && { \
        echo '#!/usr/bin/env bash'; \
        echo 'set -Eeuo pipefail'; \
        echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \
    } > /etc/ca-certificates/update.d/java-cacerts \
    && chmod +x /etc/ca-certificates/update.d/java-cacerts \
    && update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*

Use with generic container

For a generic container, you only need to install ca-certificates, java-cacerts (Alpine) or ca-certificates-java (Debian), and your JDK/JRE of choice.

Alpine

FROM alpine:latest

RUN apk add -Uu --no-cache \
      ca-certificates \
      java-cacerts \
      openjdk11-jre-headless

Debian

FROM ubuntu:focal

RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        ca-certificates-java \
        openjdk-11-jre-headless \
    && rm -rf /var/lib/apt/lists/*

Tools

The well-known SSLPoke from Atlassian, which establishes a TLS connection to a host, modified to support an HTTP proxy and updated to Java 11: https://gist.github.com/socheatsok78/878d9c48c9aa9d43579e1477adc9441c

Helper scripts

Note: The helper scripts are not the recommended way to fix the issue, but they may provide a starting point if the methods above do not work for you.

fix-java-cacerts.sh

#!/bin/sh
# Replace the JDK's own cacerts with a symlink to the system-managed store so
# that changes made by update-ca-certificates become visible to Java.
if [ -z "${JAVA_HOME:-}" ] || [ ! -d "${JAVA_HOME}" ]; then
    echo "JAVA_HOME is not set or does not exist!" >&2
    exit 1
fi
set -e
if [ ! -f "${JAVA_HOME}/lib/security/cacerts.bak" ]; then
    # keep one backup of the vendor-shipped store before removing it
    cp "${JAVA_HOME}/lib/security/cacerts" "${JAVA_HOME}/lib/security/cacerts.bak"
    rm "${JAVA_HOME}/lib/security/cacerts"
fi
if [ ! -h "${JAVA_HOME}/lib/security/cacerts" ]; then
    ln -s /etc/ssl/certs/java/cacerts "${JAVA_HOME}/lib/security/cacerts"
fi
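The relink described above, generalised as an added example (not part of the gist): paths are parameters instead of hard-coded, an existing link pointing elsewhere is corrected, the vendor store is backed up once, and the function refuses to create a dangling link when the system store has not been generated yet (run update-ca-certificates first), because an empty trust store makes every TLS handshake in Java fail. The function names and the check helper are this example's own.

```shell
#!/bin/sh
# Added example: idempotently point a JDK's cacerts at the system-managed
# Java keystore and verify the result. Paths are parameters so the function
# can be exercised in a scratch directory.

# link_java_cacerts JAVA_HOME SYSTEM_STORE
# Replaces $JAVA_HOME/lib/security/cacerts with a symlink to SYSTEM_STORE.
link_java_cacerts() {
    jh="$1"; store="$2"
    jks="$jh/lib/security/cacerts"
    if [ ! -d "$jh/lib/security" ]; then
        echo "no lib/security directory under $jh" >&2
        return 1
    fi
    # Refuse to create a dangling link: a missing or empty store leaves Java
    # with no trust anchors, so every TLS connection would fail.
    if [ ! -s "$store" ]; then
        echo "$store is missing or empty; run update-ca-certificates first" >&2
        return 1
    fi
    if [ -h "$jks" ]; then
        # already a link: keep it only if it points at the expected store
        [ "$(readlink "$jks")" = "$store" ] && return 0
        rm "$jks"
    elif [ -f "$jks" ]; then
        # keep the vendor-shipped store once, for rollback
        [ -f "$jks.bak" ] || cp "$jks" "$jks.bak"
        rm "$jks"
    fi
    ln -s "$store" "$jks"
}

# verify_java_cacerts JAVA_HOME SYSTEM_STORE
# Succeeds only if cacerts is a symlink to SYSTEM_STORE and the target is non-empty.
verify_java_cacerts() {
    jks="$1/lib/security/cacerts"
    [ -h "$jks" ] && [ "$(readlink "$jks")" = "$2" ] && [ -s "$jks" ]
}
```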

update-java-cacerts.sh

#!/bin/sh
# Import each CA file matching ca-*.pem in /etc/ssl/certs into the JDK's
# cacerts with keytool (-cacerts needs Java 9 or later). Adjust the glob if
# your distribution names the files differently.
JKS_STOREPASS="${JKS_STOREPASS:-changeit}"
cd /etc/ssl/certs || exit 1
for cert in ca-*.pem; do
	# derive the alias from the file name using POSIX prefix/suffix removal
	# (${var//pattern} is bash-only and fails under /bin/sh on Debian)
	ca_alias=${cert#ca-cert-}
	ca_alias=${ca_alias%.pem}
	printf 'Importing certificate %s... => ' "$ca_alias"
	keytool -cacerts -trustcacerts \
		-storepass "${JKS_STOREPASS}" \
		-importcert \
		-alias "${ca_alias}" \
		-file "/etc/ssl/certs/${cert}" \
		-noprompt
done
ghost commented Aug 28, 2024

Very helpful. Thanks for sharing!
