Skip to content

Instantly share code, notes, and snippets.

@socheatsok78

socheatsok78/README.md

Last active February 12, 2025 15:10
Show Gist options
  • Save socheatsok78/2d895a17c04d568f6e207dd4d51b7faa to your computer and use it in GitHub Desktop.
Save socheatsok78/2d895a17c04d568f6e207dd4d51b7faa to your computer and use it in GitHub Desktop.
Download ZIP
A simple fix for using "ca-certificates" to update Java "cacerts" store for container.
Raw
README.md

About

A simple fix for using ca-certificates to update Java cacerts store for container.

Use with pre-built JDK/JRE container

Due to the update-ca-certificates will output the Java cacerts store to /etc/ssl/certs/java/cacerts which the pre-built image not aware of the changes. So by removing the ${JAVA_HOME}/lib/security/cacerts and create a symbolic link from /etc/ssl/certs/java/cacerts to ${JAVA_HOME}/lib/security/cacerts will resolve the issue.

Alpine

FROM eclipse-temurin:17-jre-alpine

RUN apk add -Uu --no-cache \
      ca-certificates \
      java-cacerts \
    ; rm ${JAVA_HOME}/lib/security/cacerts \
    ; ln -s /etc/ssl/certs/java/cacerts ${JAVA_HOME}/lib/security/cacerts \
    ; update-ca-certificates

Debian

FROM eclipse-temurin:17-jre-focal

RUN apt-get update \
    && apt install -y --no-install-recommends \
        ca-certificates \
        p11-kit \
    ; { \
        echo '#!/usr/bin/env bash'; \
        echo 'set -Eeuo pipefail'; \
        echo 'trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$JAVA_HOME/lib/security/cacerts"'; \
    } > /etc/ca-certificates/update.d/java-cacerts \
    ; chmod +x /etc/ca-certificates/update.d/java-cacerts \
    ; update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*

Use with generic container

For using with generic container, you only need to install ca-certificates, java-cacerts (alpine) or ca-certificates-java (debian) and your jdk/jre of choice.

Alpine

FROM alpine:latest

RUN apk add -Uu --no-cache \
      ca-certificates \
      java-cacerts \
      openjdk11-jre-headless

Debian

FROM ubuntu:focal

RUN apt-get update \
    && apt install -y --no-install-recommends \
        ca-certificates \
        ca-certificates-java \
        openjdk-11-jre-headless \
  && rm -rf /var/lib/apt/lists/*
Raw
TOOLS.md

Tools

The famous SSLPoke from Atlassian : establish a TLS connection but support http proxy and updated to Java 11 https://gist.github.com/socheatsok78/878d9c48c9aa9d43579e1477adc9441c

Helper scripts

Note: The helper scripts is not a recommended way to fix the issue but may help to provide a starting point for you if the above methods do not work foryou.

fix-java-cacerts.sh

#!/bin/sh
if [ ! -d "${JAVA_HOME}" ]; then
    echo "The JAVA_HOME does not exists!"
    exit 1
fi
if [ ! -f "${JAVA_HOME}/lib/security/cacerts.bak"]; then
    cp ${JAVA_HOME}/lib/security/cacerts ${JAVA_HOME}/lib/security/cacerts.bak
    rm ${JAVA_HOME}/lib/security/cacerts
fi
if [ ! -h "${JAVA_HOME}/lib/security/cacerts" ]; then
    ln -s /etc/ssl/certs/java/cacerts ${JAVA_HOME}/lib/security/cacerts
fi

update-java-cacerts.sh

#!/bin/sh
JKS_STOREPASS="${JKS_STOREPASS:-changeit}"
cd /etc/ssl/certs
for cert in ca-*.pem; do
	ca_alias=${cert//ca-cert-}
	ca_alias=${ca_alias//.pem}
	echo "Importing certificate $ca_alias... "
	echo -n " => "
	keytool -cacerts -trustcacerts \
		-storepass ${JKS_STOREPASS} \
		-importcert \
		-alias "${ca_alias}" \
		-file /etc/ssl/certs/${cert} \
		-noprompt
done
@eddyscout
Copy link

Very helpful. Thanks for sharing!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment