Importing self-signed cert into Docker's JRE cacert is not recognized by the service

Submitted by 社会主义新天地 on 2019-12-20 10:41:11

Question


  • A Java service is running inside a Docker container. It accesses an external HTTPS URL whose self-signed certificate is not present in the service's JRE cacerts keystore, so the connection fails.
  • Hence I imported the self-signed certificate of the external HTTPS URL into the Docker container's JRE cacerts keystore (after checking the $JAVA_HOME environment variable).
  • I restarted the Docker container (using the docker restart command), hoping that the service would also be restarted and pick up the changes from the JRE cacerts. But this didn't happen; the Java service still fails to access the external HTTPS URL.

Any idea how a Java service running inside a Docker container picks up the JRE cacerts changes after a new certificate import?


Answer 1:


Hence imported the self-signed certificate of HTTPS external URL into Docker container's JRE cacert keystore.

No: you need to import it into the Docker image from which you run your container.

Importing it into the container would only create a temporary writable data layer, which will be discarded when you restart your container.

Something like this answer:

# keytool needs write access to cacerts, so switch to root for the import
USER root
# $JAVA_HOME must already be set as ENV in the base image for this path to resolve
COPY ldap.cer $JAVA_HOME/jre/lib/security
RUN \
    cd $JAVA_HOME/jre/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer



Answer 2:


For using already configured Java-based containers like jenkins, sonarqube or nexus (e. g. if you run your own build server) I find it more convenient to mount a suitable cacerts file into these containers with a parameter for docker run.

I use the cacerts file from openjdk as base:

  1. extracting cacerts from the openjdk image using a temporary container:
docker pull openjdk:latest
docker run --rm --entrypoint cat openjdk:latest /etc/ssl/certs/java/cacerts > cacerts
  2. adding the certificate to the extracted cacerts using a temporary container started from the same folder, which also contains ldap.cer:
docker run --rm -v `pwd`:/tmp/certs openjdk:latest bash -c 'cd /tmp/certs && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias buenting-root -file ldap.cer'
  3. run your target docker container(s) mounting the extracted cacerts with a run parameter, e. g. for sonarqube:
docker run ... -v /path/to/your/prepared/cacerts:/etc/ssl/certs/java/cacerts:ro ... sonarqube:lts

If there is a new version of openjdk you can update the cacerts file on the host with the commands from 1. and 2.

For updating the target image (e. g. sonarqube) you do not need to create your own image using a Dockerfile and docker build.
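Both answers run `keytool -importcert -noprompt`, which trusts whatever file is named by `-file` without showing the certificate first. As an added example (not code from either answer), the POSIX shell script below wraps that import: it computes the certificate's SHA-256 fingerprint with openssl, compares it with a value obtained out of band (for instance read off the LDAP server's console), imports only on a match, and then checks that the alias is present in the prepared cacerts copy. The file name `ldap.cer`, the alias `ldapcert`, and the fingerprint in the usage comment are assumptions; `openssl` and `keytool` must be on PATH when `import_trusted_cert` is actually run.

```shell
#!/bin/sh
# Added example: fingerprint-checked import into a cacerts copy.
# Not part of the Stack Overflow answers above; names are assumed.

# Normalize a fingerprint for comparison: drop colons and whitespace, upper-case hex.
# Accepts either "AB:CD:..." (openssl/keytool style) or a bare "abcd..." string.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when both inputs normalize to the same 64-hex-digit SHA-256 value.
# A malformed or truncated expected value never matches, so a typo cannot "pass".
fingerprint_matches() {
    exp=$(normalize_fp "$1")
    act=$(normalize_fp "$2")
    case "$exp" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#exp}" -eq 64 ] || return 1
    [ "$exp" = "$act" ]
}

# Print the SHA-256 fingerprint of a certificate file; tries PEM first, then DER,
# since a .cer file may be either encoding.
cert_fingerprint() {
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256; } | sed 's/^.*=//'
}

# Import a certificate into the given keystore only after the fingerprint check passes,
# then confirm the alias is listed. Arguments: keystore certfile alias expected_fp
import_trusted_cert() {
    keystore=$1; certfile=$2; alias=$3; expected=$4
    actual=$(cert_fingerprint "$certfile") || return 1
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "refusing to import $certfile: fingerprint $actual does not match expected $expected" >&2
        return 1
    fi
    keytool -keystore "$keystore" -storepass changeit -noprompt -trustcacerts \
        -importcert -alias "$alias" -file "$certfile" || return 1
    # Verify the alias now exists in the truststore (non-zero exit if it does not).
    keytool -keystore "$keystore" -storepass changeit -list -alias "$alias" >/dev/null
}

# Usage (run from the folder holding the cacerts copy extracted in Answer 2 and ldap.cer):
#   EXPECTED_FP='<SHA-256 fingerprint obtained out of band, assumed value>'
#   import_trusted_cert ./cacerts ldap.cer ldapcert "$EXPECTED_FP"
```

The resulting cacerts file can be baked into an image as in Answer 1 or mounted read-only as in Answer 2. Note that the `$JAVA_HOME/jre/lib/security/cacerts` path in Answer 1 is the Java 8 layout; from Java 9 onward the file lives at `$JAVA_HOME/lib/security/cacerts`, so check the path inside the base image before copying.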



Source: https://stackoverflow.com/questions/41497871/importing-self-signed-cert-into-dockers-jre-cacert-is-not-recognized-by-the-ser
