anapsix / docker-alpine-java

Oracle Java8 over AlpineLinux with glibc 2.29
https://hub.docker.com/r/anapsix/alpine-java/
MIT License

update-ca-certificates doesn't update the java keystore #27

Open sixcorners opened 7 years ago

sixcorners commented 7 years ago

OpenJDK packaged with Ubuntu and Alpine do this thing where $JAVA_HOME/jre/lib/security/cacerts is symlinked to /etc/ssl/certs/java/cacerts and the update-ca-certificates command runs a script in /etc/ca-certificates/update.d/ that updates the keystore to match the certificates files installed on the system. It makes it so that adding certs can be as easy as adding .crt files to /usr/local/share/ca-certificates/ and running update-ca-certificates.

Is this something that can or should be supported in this image?

sixcorners commented 7 years ago

To support this I think you would just install the java-cacerts package and do a ln -sf /etc/ssl/certs/java/cacerts $JAVA_HOME/jre/lib/security/cacerts. This results in different certs in the keystore though by default.

praseodym commented 7 years ago

I just use keytool to add a certificate to the JVM keystore: https://github.com/WISVCH/docker-alpine-java/blob/4ee8ddb2eadf8e3b5983a807000c74b52a1b970d/8_server-jre_unlimited/Dockerfile#L7

sixcorners commented 7 years ago

Isn't it easier to do this?

RUN cd /usr/local/share/ca-certificates \
 && curl -so rds-ca-2015-root.crt https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem \
 && update-ca-certificates \
 && ln -sf /etc/ssl/certs/java/cacerts $JAVA_HOME/jre/lib/security/cacerts

If the image worked like the other images you wouldn't need the last line. This way the cert ends up in the OS cert directory /etc/ssl/certs/ca-cert-rds-ca-2015-root.pem, I don't have to remember how to invoke keytool, and scripts that invoke update-ca-certificates still work.

anapsix commented 6 years ago

Any reason not to do what you've suggested, @sixcorners, when there is a need?

RUN apk add -U java-cacerts && ln -sf /etc/ssl/certs/java/cacerts $JAVA_HOME/jre/lib/security/cacerts

Since that overwrites the CA certs that come with the Java package, perhaps it should be an explicit step.
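The explicit step described in this thread (java-cacerts plus the symlink, driven by update-ca-certificates), written out as an added Dockerfile example that is not part of this repository or the issue: it also fails the build unless the custom root's SHA-256 fingerprint actually appears in the JRE keystore, which is the check a user of this approach wants. Assumptions: the base tag `8`, the placeholder file name `custom-root.crt`, the default keystore password `changeit`, and that `openssl` is installable with apk.

```dockerfile
# Assumed base image tag; the repository publishes several Java 8 variants
FROM anapsix/alpine-java:8

# custom-root.crt: placeholder name for a PEM-encoded private root CA
# placed next to this Dockerfile (constructed for this example)
COPY custom-root.crt /usr/local/share/ca-certificates/custom-root.crt

# 1. java-cacerts supplies /etc/ssl/certs/java/cacerts and the
#    /etc/ca-certificates/update.d hook that regenerates it from the
#    system trust store whenever update-ca-certificates runs.
# 2. The symlink replaces the Oracle-bundled keystore, so from here on the
#    JVM trusts exactly what the Alpine trust store trusts (anapsix's point).
# 3. The last command takes the custom root's SHA-256 fingerprint from
#    openssl and greps for it in the keytool -v listing; if the cert did not
#    land in the keystore, grep exits non-zero and the build fails.
RUN apk add --no-cache ca-certificates java-cacerts openssl \
 && update-ca-certificates \
 && ln -sf /etc/ssl/certs/java/cacerts "$JAVA_HOME/jre/lib/security/cacerts" \
 && FP="$(openssl x509 -in /usr/local/share/ca-certificates/custom-root.crt \
           -noout -fingerprint -sha256 | cut -d= -f2)" \
 && "$JAVA_HOME/bin/keytool" -list -v \
      -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
      -storepass changeit | grep -F "$FP"
```

Re-running the same fingerprint comparison for a well-known public root is a cheap way to confirm that swapping to the java-cacerts keystore did not drop CAs your application still needs.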