corretto / corretto-8-docker

Dockerfiles for Amazon Corretto 8
MIT No Attribution
195 stars 40 forks

Link Java trust store to the CA certificates provided by OS #47

Closed wkruse closed 5 years ago

wkruse commented 5 years ago

Right now there are two trust stores in the Docker image:

```
/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
```

Amazon Corretto 8 is using the latter:

```
Inaccessible trust store: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/jssecacerts
trustStore is: /usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
```

But importing, for example, `rds-combined-ca-bundle.pem` with keytool into `/usr/lib/jvm/java-1.8.0-amazon-corretto/jre/lib/security/cacerts` doesn't work, as only the first certificate in the bundle is imported. Possible solutions would be either to split `rds-combined-ca-bundle.pem` into separate certificates and import them one by one, or to convert the bundle to PKCS#7...

https://docs.aws.amazon.com/documentdb/latest/developerguide/connect.html

It is a lot easier to import `rds-combined-ca-bundle.pem` into `/etc/pki/ca-trust/extracted/java/cacerts`:

> QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
>
> - add it as a new file to directory /etc/pki/ca-trust/source/anchors/
> - run update-ca-trust extract

https://www.systutorials.com/docs/linux/man/8-update-ca-trust/

```dockerfile
ADD rds-combined-ca-bundle.pem /etc/pki/ca-trust/source/anchors/rds-combined-ca-bundle.pem
RUN update-ca-trust extract \
  && ln -fs /etc/pki/ca-trust/extracted/java/cacerts ${JAVA_HOME}/jre/lib/security/cacerts
```

Is there a good reason NOT to link `${JAVA_HOME}/jre/lib/security/cacerts` to `/etc/pki/ca-trust/extracted/java/cacerts` by default in the Docker image?

Related to https://github.com/corretto/corretto-8/issues/171.
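The "split the bundle and import one by one" workaround mentioned above, as an added example that is not part of this issue or of the corretto-8-docker project. It splits a PEM bundle into one file per certificate with awk, imports each file into a JKS under its own alias, and counts the resulting `trustedCertEntry` lines so the result can be compared with a naive whole-bundle import. The self-signed test CAs are generated with `openssl` and are constructed stand-ins for the RDS bundle; `changeit` is the JDK's default cacerts password; the function names and the `example-ca` alias prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: split a multi-cert PEM bundle and import every cert into a JKS.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-001.pem, cert-002.pem, ... (one certificate each) and
# prints the number of certificates found. Text between PEM blocks is dropped.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/cert-%03d.pem", dir, n) }
    file != ""                    { print > file }
    /-----END CERTIFICATE-----/   { close(file); file = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# import_pem_dir DIR KEYSTORE STOREPASS ALIAS_PREFIX
# Imports every single-cert PEM in DIR as a trusted entry; keytool refuses
# duplicate aliases, so each file gets its own alias derived from its name.
import_pem_dir() {
  dir="$1"; store="$2"; pass="$3"; prefix="$4"
  for f in "$dir"/*.pem; do
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$store" -storepass "$pass" \
      -alias "$prefix-$(basename "$f" .pem)" -file "$f" >/dev/null
  done
}

# count_trusted KEYSTORE STOREPASS
# Prints how many trusted certificate entries the store holds (0 if none).
count_trusted() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | { grep -c trustedCertEntry || true; }
}

# Demo, only when a JDK and openssl are on PATH. The three CAs are constructed
# self-signed certificates standing in for rds-combined-ca-bundle.pem.
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  for i in 1 2 3; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca-$i" \
      -keyout "$work/key-$i.pem" -out "$work/ca-$i.pem" 2>/dev/null
  done
  cat "$work"/ca-*.pem > "$work/bundle.pem"

  # Naive import of the whole bundle, as described in the issue: only the
  # first certificate ends up in the store.
  keytool -importcert -noprompt -trustcacerts -keystore "$work/naive.jks" \
    -storepass changeit -alias rds-bundle -file "$work/bundle.pem" >/dev/null || true
  echo "whole-bundle import: $(count_trusted "$work/naive.jks" changeit) trusted entries"

  # Split first, then import each certificate under its own alias.
  n=$(split_pem_bundle "$work/bundle.pem" "$work/split")
  import_pem_dir "$work/split" "$work/split.jks" changeit example-ca
  echo "bundle holds $n certs; split import: $(count_trusted "$work/split.jks" changeit) trusted entries"
fi
```

To apply this to the image in question, run the split and import against `${JAVA_HOME}/jre/lib/security/cacerts` (password `changeit`) in a `RUN` step, and verify with `keytool -list` that the count matches the number of `BEGIN CERTIFICATE` lines in the bundle.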

navyxliu commented 5 years ago

It's by design, but we plan to change to the native rpm in corretto-8-docker in the future.
That rpm will have a dependency on the system cacerts.

For your case, you can specify cacerts in your Java options explicitly: `-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts`

wkruse commented 5 years ago

@navyxliu Thanks for the info, we are linking `${JAVA_HOME}/jre/lib/security/cacerts` to `/etc/pki/ca-trust/extracted/java/cacerts` for now. The Amazon Root CA certs are in both trust stores, and adding custom CAs to the system trust store is a lot easier.