Comments (11)
Unfortunately, there is no good solution to this today, but we've been working on it for a couple of months and hope to have a generalized solution soon. In the meantime, your best bet is to modify the builder image that you're using to include the certificates you'd like to include. An example of this might look something like:
$ docker pull gcr.io/paketo-buildpacks/builder:base
$ docker build -t my-builder -f- . <<EOF
FROM gcr.io/paketo-buildpacks/builder:base
USER root
ADD server.crt /usr/local/share/ca-certificates/server.crt
RUN chmod 644 /usr/local/share/ca-certificates/server.crt \
&& update-ca-certificates
USER cnb
EOF
$ pack build my-image --builder my-builder --path my-application.jar
We're aware that constantly having to modify the official builder images isn't ideal and are working hard to design something better.
from bellsoft-liberica.
Any update on this issue? I'm getting the following:
[INFO] [creator] Get "https://github.com/bell-sw/Liberica/releases/download/8u252+9/bellsoft-jre8u252+9-linux-amd64.tar.gz": x509: certificate signed by unknown authority
Using:
paketo-buildpacks/bellsoft-liberica 2.8.0
from bellsoft-liberica.
@ezraroda My guess is that you've got a proxy or other network interceptor causing you issues. I have no reason to believe that the GitHub certificate is signed by an unknown authority.
This is not to say that what you're experiencing isn't a valid use-case that we're still working on solving, just that the issue you're seeing isn't broadly a problem with the buildpack.
from bellsoft-liberica.
I have a question in the same line. We're also in a corporate environment with self-signed SSL certs (well, by our own authority).
I have modified the Stack to import our CA certificates and the built application can use them (as they are loaded into the keystore). This works for the built application, so at runtime. However, during build, Maven still complains about the certificate (the cert of our Maven repo mirror).
I looked at the code, but it's not immediately clear to me. Is this 'openssl-certificate-loader' also done for the JDK used during 'build' steps, or only available on the run image?
from bellsoft-liberica.
@jensdt We do load the CA certificates when a JDK is used to build an application. You'd expect to see a line mentioning that it happened:
Paketo BellSoft Liberica Buildpack 2.12.0
https://github.com/paketo-buildpacks/bellsoft-liberica
Build Configuration:
$BP_JVM_VERSION 11.* the Java version
Launch Configuration:
$BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
$BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
$BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
BellSoft Liberica JDK 11.0.8: Contributing to layer
Reusing cached download from buildpack
Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jdk
Adding 127 container CA certificates to JVM truststore
Writing env.build/JAVA_HOME.override
Writing env.build/JDK_HOME.override
...
Note that at this time "Adding 127 container CA certificates to JVM truststore" indicates the number of certificates we consider "normal". You may want to double check that you've got a number that matches what you'd expect with your additions.
from bellsoft-liberica.
@nebhale Hm, I'm not seeing that line appear during building. Not for the JDK, nor for the JRE.
===> BUILDING
Paketo BellSoft Liberica Buildpack 2.12.0
https://github.com/paketo-buildpacks/bellsoft-liberica
Build Configuration:
$BP_JVM_VERSION 11.* the Java version
Launch Configuration:
$BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
$BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
$BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
BellSoft Liberica JDK 11.0.8: Contributing to layer
Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.8+10/bellsoft-jdk11.0.8+10-linux-amd64.tar.gz
Verifying checksum
Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jdk
Writing env.build/JAVA_HOME.override
Writing env.build/JDK_HOME.override
BellSoft Liberica JRE 11.0.8: Contributing to layer
Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.8+10/bellsoft-jre11.0.8+10-linux-amd64.tar.gz
Verifying checksum
Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jre
Writing env.launch/JAVA_HOME.override
Writing env.launch/MALLOC_ARENA_MAX.override
Writing profile.d/active-processor-count.sh
Memory Calculator 4.1.0: Contributing to layer
Downloading from https://github.com/cloudfoundry/java-buildpack-memory-calculator/releases/download/v4.1.0/memory-calculator-4.1.0.tgz
Verifying checksum
Expanding to /layers/paketo-buildpacks_bellsoft-liberica/memory-calculator
Writing profile.d/memory-calculator.sh
Class Counter: Contributing to layer
Copying to /layers/paketo-buildpacks_bellsoft-liberica/class-counter
JVMKill Agent 1.16.0: Contributing to layer
Downloading from https://github.com/cloudfoundry/jvmkill/releases/download/v1.16.0.RELEASE/jvmkill-1.16.0-RELEASE.so
Verifying checksum
Copying to /layers/paketo-buildpacks_bellsoft-liberica/jvmkill
Writing env.launch/JAVA_OPTS.append
Link-Local DNS: Contributing to layer
Copying to /layers/paketo-buildpacks_bellsoft-liberica/link-local-dns
Writing profile.d/link-local-dns.sh
Java Security Properties: Contributing to layer
Writing env.launch/JAVA_OPTS.append
Writing env.launch/JAVA_SECURITY_PROPERTIES.override
Security Providers Configurer: Contributing to layer
Copying to /layers/paketo-buildpacks_bellsoft-liberica/security-providers-configurer
Writing profile.d/security-providers-classpath.sh
Writing profile.d/security-providers-configurer.sh
OpenSSL Certificate Loader: Contributing to layer
Copying to /layers/paketo-buildpacks_bellsoft-liberica/openssl-security-provider
Writing profile.d/openssl-certificate-loader.sh
The only time I see "Adding 127 container CA certificates to JVM truststore" (but indeed with a different count) is during the running of my built image. I am using a custom stack, but the same one for the build image as for the run image.
from bellsoft-liberica.
My current working theory is that for some reason, the certificate loader doesn't think that you've got any certificates in the file we expect to examine. We should add some additional debugging around this, but in the meantime until that gets added, any chance you can publish your builder image to a location I can examine it from?
from bellsoft-liberica.
@nebhale I figured it out - stupid issue on my part.
Indeed I'm using a base image that has the certificates in a different path, so I copy them to the path you expect. This was already working for the run image so I assumed all was well. Turned out my builder wasn't re-built after I updated our base image.
So entirely my fault. But some debug logging would be nice to have perhaps.
from bellsoft-liberica.
Understood. We'll add that in.
from bellsoft-liberica.
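The certificate-count check suggested earlier in the thread, and the stale-builder cause it eventually turned up, can both be tested against the CA bundle copied out of the builder image before running `pack build`. This is an added example, not code from the thread or the Paketo project; the bundle path, the extraction command in the comment and the function names are assumptions, and the sample PEM blocks are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Assumption: the bundle is the file update-ca-certificates generates on
# Debian/Ubuntu-based images, copied out of the builder with something like:
#   docker run --rm my-builder cat /etc/ssl/certs/ca-certificates.crt > builder-bundle.crt

# Print the number of PEM certificates in a bundle file.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print each certificate's base64 body on one line (insensitive to line wrapping).
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Succeed only if every certificate in $2 (the CA file) is present in $1 (the bundle).
bundle_contains_cert() {
    bundle_file=$1; ca_file=$2
    wanted=$(pem_bodies "$ca_file")
    [ -n "$wanted" ] || return 2   # the CA file holds no PEM certificate at all
    bundle=$(pem_bodies "$bundle_file")
    for body in $wanted; do
        printf '%s\n' "$bundle" | grep -qxF -- "$body" || return 1
    done
}

# Constructed sample: a bundle from a builder that was not rebuilt, and one that was.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUE=' '-----END CERTIFICATE-----' > "$dir/corp-ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkI=' '-----END CERTIFICATE-----' > "$dir/stale-bundle.crt"
    cat "$dir/stale-bundle.crt" "$dir/corp-ca.crt" > "$dir/rebuilt-bundle.crt"
    for b in stale-bundle rebuilt-bundle; do
        if bundle_contains_cert "$dir/$b.crt" "$dir/corp-ca.crt"
        then state=present; else state=MISSING; fi
        echo "$b: $(count_pem_certs "$dir/$b.crt") certs, corporate CA $state"
    done
    rm -rf "$dir"
}
demo
```

A bundle that reports the CA as missing points at the builder image (wrong source path or an image that was not rebuilt) rather than at the buildpack.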
@emrekaratas06 Please open a new issue, this is not related. Thanks
from bellsoft-liberica.
@emrekaratas06 Please open a new issue, this is not related. Thanks
ok -. thanks. Can you help me please?
#353
from bellsoft-liberica.