i'm trying to create a docker image with an openjdk8 base. my install is this
RUN echo "@community http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
apk add --update openjdk8@community && \
rm -rf /var/cache/apk/*
but ca-certificates-java is not installed, which leads to problems down the road.
i tried downloading the package from Debian and unpacking the relevant file trees to /etc and /usr/share. however, update-ca-certificates still cannot find any certs to update:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
help.
Hmm, I found an issue upstream for this functionality. But I wonder if as a workaround you can import the certificates with something like:
keytool -importcert -file /etc/ssl/certs/ca-certificates.crt -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -keypass changeit
not sure if this is OS dependent, but i had to add -storepass (changeit) as well as -noprompt, so it can be done during docker build. so:
keytool -importcert -keypass changeit -file /etc/ssl/certs/ca-certificates.crt -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -noprompt -storepass changeit
checking now.
Yea, the keytool may differ between Oracle and OpenJDK. I was testing on Oracle Java. Looking at it again, it also looks like this may only do one CA key at a time, so it would probably have to loop on ca-* certs in /etc/ssl/certs. But it doesn't seem like something that should be terribly difficult. The store basically just needs the same CAs that are from ca-certificates.
so, it did not solve my problem.
i am creating an openjdk image to be used as a base for TypeSafe Activator. openjdk8 is used as a base image, and then i create an Activator image. but when i run it and it starts getting its stuff, i get errors of this kind and then it fails:
Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo.typesafe.com/typesafe/ivy-releases/com.typesafe/npm_2.10/1.1.0/ivys/ivy.xml
importing only ca-certificates.crt did not resolve it. running in a loop and importing all keys in /etc/ssl/certs hangs after a few...
/ # cd /etc/ssl/certs/
/etc/ssl/certs # for file in *; do keytool -importcert -keypass changeit -file "$file" -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -noprompt -storepass changeit -alias "$file"; done
both Dockerfiles are here:
https://github.com/ehudkaldor/dockerfiles
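The loop above and the earlier remark that keytool only takes one CA at a time point at the same problem: `keytool -importcert` reads only the first certificate of a multi-certificate PEM bundle, and it refuses an alias that already exists in the store. The script below is an added example, not code from this thread or from the docker-alpine project. It splits the system bundle into single-certificate files, then imports each one under a unique alias. The bundle and keystore paths are the ones used in the thread; the script name `import-cacerts.sh`, the `BUNDLE`/`KEYSTORE`/`STOREPASS` variables and the demo bundle are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the docker-alpine issue: import every CA from
# the system PEM bundle into the OpenJDK cacerts store one certificate at a
# time. keytool -importcert only reads the first certificate of a bundle, so
# the bundle is split into single-certificate files first. The paths match
# the ones in the thread; everything else here is an assumption of this script.

BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
KEYSTORE="${KEYSTORE:-/usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # stock password of the JDK cacerts store

# split_bundle BUNDLE OUTDIR
# Writes each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of BUNDLE to OUTDIR/ca-NNNN.pem and prints the number of blocks.
# Lines outside a block (comments, blank lines) are dropped.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%04d.pem", dir, n); inblock = 1 }
        inblock                        { print > out }
        /-----END CERTIFICATE-----/    { close(out); inblock = 0 }
        END                            { print n + 0 }
    ' "$1"
}

# import_dir DIR
# Imports every DIR/*.pem as a trusted certificate entry, using the file name
# as the alias (keytool rejects an alias that already exists in the store, so
# aliases must be unique). Prints the number of files that failed to import.
import_dir() {
    failed=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        alias=$(basename "$f" .pem)
        # -keypass from the thread is not needed: trusted-cert entries have no key.
        if ! keytool -importcert -noprompt -trustcacerts \
                -alias "$alias" -file "$f" \
                -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "import failed: $f" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$failed"
}

# write_demo_bundle FILE: a constructed two-block bundle (not real certificates)
# with a comment between the blocks, for checking split_bundle offline.
write_demo_bundle() {
    cat > "$1" <<'EOF'
# constructed bundle, not real certificates
-----BEGIN CERTIFICATE-----
QUxQSU5FLURFTU8tQ0EtMQ==
-----END CERTIFICATE-----
# second entry
-----BEGIN CERTIFICATE-----
QUxQSU5FLURFTU8tQ0EtMg==
-----END CERTIFICATE-----
EOF
}

# Run `sh import-cacerts.sh import` inside the image to populate the store;
# without the argument the script only defines the functions.
if [ "${1:-}" = "import" ]; then
    work=$(mktemp -d)
    count=$(split_bundle "$BUNDLE" "$work")
    echo "split $count certificates from $BUNDLE"
    bad=$(import_dir "$work")
    rm -rf "$work"
    echo "$bad import(s) failed"
    [ "$bad" -eq 0 ]
fi
```

In a Dockerfile this runs as a `RUN sh import-cacerts.sh import` step after the JDK is installed; the non-zero exit when any import fails stops the build instead of leaving a half-populated store, which is what the silent one-file import hides.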
It is probably easiest to just take a working keystore from somewhere and distribute it with the Dockerfile and add to the image at build time. Then the default CMD or ENTRYPOINT would add something like -Djavax.net.ssl.trustStore=/tmp/workingcakeystore -Djavax.net.ssl.trustStorePassword=changeit. Is this feasible?
I am working on this and will probably have something working this week. The plan is to create a trigger that updates the java cacert store using p11-kit.
that would be great! thank you.
On Wed, Jan 13, 2016 at 1:45 PM ncopa wrote:
> I am working on this and will probably have something working this week. The plan is to create a trigger that updates the java cacert store using p11-kit.
> https://github.com/gliderlabs/docker-alpine/issues/128#issuecomment-171445734
this should now be fixed upstream in alpine 3.3.
it works! thank you.
Thanks @ncopa :beers: