1

I'm trying to create my first "native Java app" using spring-native. I modified my pom, adding this:

    <dependency>
        <groupId>org.springframework.experimental</groupId>
        <artifactId>spring-native</artifactId>
        <version>0.10.5</version>
    </dependency>

and this (in the plugin part):

        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <configuration>
                <image>
                    <builder>paketobuildpacks/builder:tiny</builder>
                    <env>
                        <BP_NATIVE_IMAGE>true</BP_NATIVE_IMAGE>
                    </env>
                </image>
            </configuration>
        </plugin>

If I run "mvn clean package" everything works fine; but when I try "spring-boot:build-image" I get this error (the part of the picture that you can't see says "x509: certificate signed by unknown authority"):

I already tried to add the certs of the site (image below) to IntelliJ, but I get the same error.

Any suggestion?

S-Wing
  • 485
  • 6
  • 25
  • If this is a certificate issue - the certificate must be added to the JDK which is specified in Settings (Preferences on macOS) | Build, Execution, Deployment | Build Tools | Maven | Runner | **JRE**. Also - have you tried executing this from the command line? – Andrey Nov 05 '21 at 13:27
  • Hi @Andrey, I added the certificates to the cacert keystore of the JDK used by IntelliJ, but I'm getting the same error. What do you mean by "have you tried executing this from the command line?" Because I tried to paste the URL in the browser, and from the browser the download of the tar.gz starts correctly. – S-Wing Nov 05 '21 at 14:09

1 Answer

3

The attempt to download from https://github.com/graalvm/graalvm-ce-builds/releases is happening inside a Docker container that runs the Cloud Native Buildpacks builder and buildpacks. Certificate errors like this can happen when the Docker container is behind a corporate HTTP proxy that uses custom CA certificates. There is a Paketo buildpacks issue and a Spring Boot issue that cover similar errors.

Adding certificates to a JDK trust store will not fix the issue. Certificates must be provided to the builder container when it is launched. This is covered in the Paketo documentation and in the Spring Boot documentation, but it is a little difficult to understand exactly how to configure certificates.

As an example:

First create a bindings directory in the root of your project structure (at the same level as the project src directory) and copy the custom certificate to that directory (where my-custom-certificate.crt is a CA certificate in PEM format):

$ mkdir -p bindings/certificates
$ echo "ca-certificates" > bindings/certificates/type
$ cp /some/path/to/my-custom-certificate.crt bindings/certificates/my-custom-certificate.crt
$ tree bindings
bindings
├── certificates
│   ├── my-custom-certificate.crt
│   └── type

Then configure the Spring Boot Maven plugin to provide the binding to the Paketo CNB builder when the image is built:

  <plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
      <image>
        <builder>paketobuildpacks/builder:tiny</builder>
        <env>
          <BP_NATIVE_IMAGE>true</BP_NATIVE_IMAGE>
        </env>
        <bindings>
          <binding>${basedir}/bindings/certificates:/platform/bindings/ca-certificates</binding>
        </bindings>
      </image>
    </configuration>
  </plugin>

Note that the bindings configuration of the Spring Boot Maven plugin requires Spring Boot version 2.5.0 or greater.

Scott Frederick
  • 4,184
  • 19
  • 22
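
A pre-flight check for the binding directory described in the answer above, as an added example that is not part of the original answer or of the Paketo or Spring Boot projects. The function name `check_binding` is hypothetical, and the PEM-marker and private-key checks are this example's own choice of what to reject before the directory is mounted into the builder container:

```shell
# Pre-flight check of a "ca-certificates" binding directory (added example).
# Usage: check_binding bindings/certificates
check_binding() {
    dir=$1
    rc=0
    # The answer writes the binding type into a file named "type".
    if [ ! -f "$dir/type" ]; then
        echo "missing $dir/type" >&2
        return 1
    fi
    kind=$(tr -d ' \t\r\n' < "$dir/type")
    if [ "$kind" != "ca-certificates" ]; then
        echo "type is '$kind', expected 'ca-certificates'" >&2
        rc=1
    fi
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = "type" ] && continue
        found=1
        # The answer requires PEM format; a DER file has no PEM armour lines.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
           ! grep -q -e '-----END CERTIFICATE-----' "$f"; then
            echo "$f: not a PEM certificate (DER or truncated?)" >&2
            rc=1
        fi
        # Only the CA certificate belongs here; a key must not reach the builder.
        if grep -q -e 'PRIVATE KEY-----' "$f"; then
            echo "$f: contains a private key" >&2
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no certificate files in $dir" >&2
        rc=1
    fi
    return "$rc"
}
```

The check is structural only: it does not parse the certificate or confirm that it is the CA your proxy actually signs with.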