Comments (11)

nebhale commented on June 26, 2024

Unfortunately, there is no good solution to this today, but we've been working on it for a couple of months and hope to have a generalized solution soon. In the meantime, your best bet is to modify the builder image that you're using to include the certificates you'd like to include. An example of this might look something like:

$ docker pull gcr.io/paketo-buildpacks/builder:base
$ docker build -t my-builder -f- . <<EOF
FROM gcr.io/paketo-buildpacks/builder:base

USER root

ADD server.crt /usr/local/share/ca-certificates/server.crt
RUN chmod 644 /usr/local/share/ca-certificates/server.crt \
 && update-ca-certificates

USER cnb
EOF
$ pack build my-image --builder my-builder --path my-application.jar

We're aware that constantly having to modify the official builder images isn't ideal and are working hard to design something better.

from bellsoft-liberica.

ezraroda commented on June 26, 2024

Any update on this issue? I'm getting the following:
[INFO] [creator] Get "https://github.com/bell-sw/Liberica/releases/download/8u252+9/bellsoft-jre8u252+9-linux-amd64.tar.gz": x509: certificate signed by unknown authority

Using:

paketo-buildpacks/bellsoft-liberica 2.8.0

from bellsoft-liberica.

nebhale commented on June 26, 2024

@ezraroda My guess is that you've got a proxy or other network interceptor causing you issues. I have no reason to believe that the GitHub certificate is signed by an unknown authority.

This is not to say that what you're experiencing isn't a valid use-case that we're still working on solving, just that the issue you're seeing isn't broadly a problem with the buildpack.

from bellsoft-liberica.

jensdt commented on June 26, 2024

I have a question in the same line. We're also in a corporate environment with self-signed SSL certs (well, by our own authority).

I have modified the Stack to import our CA certificates and the built application can use them (as they are loaded into the keystore). This works for the built application, so at runtime. However, during build, Maven still complains about the certificate (the cert of our Maven repo mirror).

I looked at the code, but it's not immediately clear to me. Is this 'openssl-certificate-loader' also done for the JDK used during 'build' steps, or only available on the run image?

from bellsoft-liberica.

nebhale commented on June 26, 2024

@jensdt We do load the CA certificates when a JDK is used to build an application. You'd expect to see a line mentioning that it happened:

Paketo BellSoft Liberica Buildpack 2.12.0
  https://github.com/paketo-buildpacks/bellsoft-liberica
  Build Configuration:
    $BP_JVM_VERSION              11.*            the Java version
  Launch Configuration:
    $BPL_JVM_HEAD_ROOM           0               the headroom in memory calculation
    $BPL_JVM_LOADED_CLASS_COUNT  35% of classes  the number of loaded classes in memory calculation
    $BPL_JVM_THREAD_COUNT        250             the number of threads in memory calculation
  BellSoft Liberica JDK 11.0.8: Contributing to layer
    Reusing cached download from buildpack
    Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jdk
    Adding 127 container CA certificates to JVM truststore
    Writing env.build/JAVA_HOME.override
    Writing env.build/JDK_HOME.override
...

Note that at this time "Adding 127 container CA certificates to JVM truststore" indicates the number of certificates we consider "normal". You may want to double check that you've got a number that matches what you'd expect with your additions.

from bellsoft-liberica.

jensdt commented on June 26, 2024

@nebhale Hm, I'm not seeing that line appear during building. Not for the JDK, nor for the JRE.

===> BUILDING
 
Paketo BellSoft Liberica Buildpack 2.12.0
  https://github.com/paketo-buildpacks/bellsoft-liberica
  Build Configuration:
    $BP_JVM_VERSION              11.*            the Java version
  Launch Configuration:
    $BPL_JVM_HEAD_ROOM           0               the headroom in memory calculation
    $BPL_JVM_LOADED_CLASS_COUNT  35% of classes  the number of loaded classes in memory calculation
    $BPL_JVM_THREAD_COUNT        250             the number of threads in memory calculation
  BellSoft Liberica JDK 11.0.8: Contributing to layer
    Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.8+10/bellsoft-jdk11.0.8+10-linux-amd64.tar.gz
    Verifying checksum
    Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jdk
    Writing env.build/JAVA_HOME.override
    Writing env.build/JDK_HOME.override
  BellSoft Liberica JRE 11.0.8: Contributing to layer
    Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.8+10/bellsoft-jre11.0.8+10-linux-amd64.tar.gz
    Verifying checksum
    Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jre
    Writing env.launch/JAVA_HOME.override
    Writing env.launch/MALLOC_ARENA_MAX.override
    Writing profile.d/active-processor-count.sh
  Memory Calculator 4.1.0: Contributing to layer
    Downloading from https://github.com/cloudfoundry/java-buildpack-memory-calculator/releases/download/v4.1.0/memory-calculator-4.1.0.tgz
    Verifying checksum
    Expanding to /layers/paketo-buildpacks_bellsoft-liberica/memory-calculator
    Writing profile.d/memory-calculator.sh
  Class Counter: Contributing to layer
    Copying to /layers/paketo-buildpacks_bellsoft-liberica/class-counter
  JVMKill Agent 1.16.0: Contributing to layer
    Downloading from https://github.com/cloudfoundry/jvmkill/releases/download/v1.16.0.RELEASE/jvmkill-1.16.0-RELEASE.so
    Verifying checksum
    Copying to /layers/paketo-buildpacks_bellsoft-liberica/jvmkill
    Writing env.launch/JAVA_OPTS.append
  Link-Local DNS: Contributing to layer
    Copying to /layers/paketo-buildpacks_bellsoft-liberica/link-local-dns
    Writing profile.d/link-local-dns.sh
  Java Security Properties: Contributing to layer
    Writing env.launch/JAVA_OPTS.append
    Writing env.launch/JAVA_SECURITY_PROPERTIES.override
  Security Providers Configurer: Contributing to layer
    Copying to /layers/paketo-buildpacks_bellsoft-liberica/security-providers-configurer
    Writing profile.d/security-providers-classpath.sh
    Writing profile.d/security-providers-configurer.sh
  OpenSSL Certificate Loader: Contributing to layer
    Copying to /layers/paketo-buildpacks_bellsoft-liberica/openssl-security-provider
    Writing profile.d/openssl-certificate-loader.sh

The only time I see "Adding 127 container CA certificates to JVM truststore" (but indeed with a different count) is during the running of my built image. I am using a custom stack, but the same one for the build image as for the run image.

from bellsoft-liberica.

nebhale commented on June 26, 2024

My current working theory is that for some reason, the certificate loader doesn't think that you've got any certificates in the file we expect to examine. We should add some additional debugging around this, but in the meantime until that gets added, any chance you can publish your builder image to a location I can examine it from?

from bellsoft-liberica.

jensdt commented on June 26, 2024

@nebhale I figured it out - stupid issue on my part.

Indeed I'm using a base image that has the certificates in a different path, so I copy them to the path you expect. This was already working for the run image so I assumed all was well. Turned out my builder wasn't re-built after I updated our base image.

So entirely my fault. But some debug logging would be nice to have perhaps.

from bellsoft-liberica.
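
A build-log check for the situation resolved above, as an added example that is not part of the original discussion or the buildpack's code: it reports a JDK layer that never logged the truststore line, or logged fewer certificates than expected. The function names, the `[INFO] [creator]` prefix handling, and the defaults (the baseline of 127 quoted earlier in the thread plus one custom CA) are assumptions.

```python
import re

# Constructed samples, abridged from the two build logs quoted in this thread.
GOOD_LOG = """\
[INFO] [creator]   BellSoft Liberica JDK 11.0.8: Contributing to layer
[INFO] [creator]     Adding 128 container CA certificates to JVM truststore
[INFO] [creator]     Writing env.build/JAVA_HOME.override
"""
STALE_LOG = """\
  BellSoft Liberica JDK 11.0.8: Contributing to layer
    Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jdk
    Writing env.build/JAVA_HOME.override
  BellSoft Liberica JRE 11.0.8: Contributing to layer
    Writing env.launch/JAVA_HOME.override
"""

PREFIX = re.compile(r"^\s*(?:\[[^\]]*\]\s*)*")  # strips e.g. "[INFO] [creator] "
LAYER = re.compile(r"^(?P<name>.+?): Contributing to layer$")
ADDED = re.compile(r"^Adding (?P<n>\d+) container CA certificates to JVM truststore$")


def truststore_counts(log):
    """Map each 'Contributing to layer' section to its CA count (None if absent)."""
    counts, current = {}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw, count=1).rstrip()
        if m := LAYER.match(line):
            current = m["name"]
            counts[current] = None
        elif current is not None and (m := ADDED.match(line)):
            counts[current] = int(m["n"])
    return counts


def check_build_log(log, baseline=127, extra_cas=1):
    """Return problems found for the build-time JDK layer; [] means it looks right."""
    jdk = {k: v for k, v in truststore_counts(log).items() if "JDK" in k.split()}
    if not jdk:
        return ["no JDK layer found in log"]
    problems = []
    for layer, n in jdk.items():
        if n is None:
            problems.append(f"{layer}: no CA certificates added to truststore")
        elif n < baseline + extra_cas:
            problems.append(f"{layer}: {n} CAs, expected >= {baseline + extra_cas}")
    return problems
```

Only the JDK layer is checked because that is the layer the thread confirms loads container CA certificates during the build; the JRE layer in the quoted logs is left alone.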

nebhale commented on June 26, 2024

Understood. We'll add that in.

from bellsoft-liberica.

dmikusa commented on June 26, 2024

@emrekaratas06 Please open a new issue, this is not related. Thanks

from bellsoft-liberica.

emrekaratas06 commented on June 26, 2024

> @emrekaratas06 Please open a new issue, this is not related. Thanks

OK, thanks. Can you help me please?
#353

from bellsoft-liberica.
