1

I tried to build a container that runs my Quarkus application in JVM mode. I was able to run

./mvnw package
docker build -f src/main/docker/Dockerfile.jvm -t quarkus/myapp-jvm .

but when I ran

docker run -i --rm -p 8080:8080 quarkus/myapp-jvm

it failed with error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've already installed the certs

echo $GRAALVM_HOME
export JAVA_HOME=$GRAALVM_HOME
echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/graalvm-ce-java17-22.0.0.2/Contents/Home
sudo keytool -importcert -file netskope-bundle.pem -alias netskope-bundle -keystore $JAVA_HOME/lib/security/cacerts

On my box I also have Java 13 installed and added the same certs there too: /Library/Java/JavaVirtualMachines/zulu-13.jdk/Contents/Home

My setup:

java -version
openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment GraalVM CE 22.0.0.2 (build 17.0.2+8-jvmci-22.0-b05)
OpenJDK 64-Bit Server VM GraalVM CE 22.0.0.2 (build 17.0.2+8-jvmci-22.0-b05, mixed mode, sharing)

mvn -version
Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: /usr/local/Cellar/maven/3.8.4/libexec
Java version: 17.0.2, vendor: GraalVM Community, runtime: /Library/Java/JavaVirtualMachines/graalvm-ce-java17-22.0.0.2/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"

Why do I still get this error?

user468587
You should add the certificate to the keystore; check https://stackoverflow.com/a/55647430/175554 "Create keystore containing self-signed certificate" – ozkanpakdil Mar 05 '22 at 09:35

2 Answers

0

I believe you are receiving this error because the certificates aren't in the cacerts of the JVM running inside your container.

I guess you only imported the certificates to the host machine.

In this project I added to the Dockerfile one instruction to copy the cert file and then another to import it to the JVM cacerts:

COPY certificates /tmp/ssl
RUN keytool -importcert -noprompt -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit -file /tmp/ssl/b3-api.crt -alias "b3-api-root"

Complete Dockerfile

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 

ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security

# Configure the JAVA_OPTIONS, you can add -XshowSettings:vm to also display the heap size.
ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
# We make four distinct layers so if there are application changes the library layers can be re-used
COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/
COPY --chown=1001 target/quarkus-app/*.jar /deployments/
COPY --chown=1001 target/quarkus-app/app/ /deployments/app/
COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/

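# Copy the certificate into the image and import it into the cacerts of the JVM
# inside the container (this runs as root, before the switch to USER 1001)
COPY certificates /tmp/ssl
RUN keytool -importcert -noprompt -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit -file /tmp/ssl/b3-api.crt -alias "b3-api-root"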

EXPOSE 8080
USER 1001

ENTRYPOINT [ "/deployments/run-java.sh" ]

Making sure the certificates are correct

If you imported the certificates correctly to the cacerts of the JVM of your host machine, running the application like this should work:

./mvnw quarkus:dev
Felipe Windmoller
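
The Dockerfile step in the answer above imports one certificate file under one alias. As an added example (not code from the answer or from Quarkus), the script below goes beyond that single-file case to a PEM file that holds several certificates: it splits the file and runs the same `keytool -importcert` once per certificate, each under its own alias. The function names, the alias prefix and the sample bundle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: import every certificate of a PEM bundle into a JVM truststore.
# Function names, alias prefix and sample data are assumptions for illustration.

# split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.pem, PREFIX-2.pem, ... and prints the number written.
# Text outside BEGIN/END CERTIFICATE markers (comments, blank lines) is skipped.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v prefix="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# import_bundle BUNDLE KEYSTORE STOREPASS PREFIX
# Imports each certificate as alias PREFIX-1, PREFIX-2, ... and prints the count.
# In the answer's image this would be called from a RUN step (as root) with
# KEYSTORE=/etc/alternatives/jre/lib/security/cacerts and STOREPASS=changeit.
import_bundle() {
    ib_tmp=$(mktemp -d) || return 1
    ib_count=$(split_pem_bundle "$1" "$ib_tmp" "$4") || return 1
    ib_i=1
    while [ "$ib_i" -le "$ib_count" ]; do
        keytool -importcert -noprompt -keystore "$2" -storepass "$3" \
            -file "$ib_tmp/$4-$ib_i.pem" -alias "$4-$ib_i" || return 1
        ib_i=$((ib_i + 1))
    done
    rm -rf "$ib_tmp"
    echo "$ib_count"
}

# make_sample_bundle FILE
# Constructed sample: two entries with placeholder bodies (not real
# certificates), enough to exercise the splitter without keytool.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample bundle
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATEBODY
-----END CERTIFICATE-----
EOF
}
```

Running `keytool -list -keystore <cacerts path> -storepass changeit` inside the built image afterwards shows whether the expected aliases are present in the container's truststore rather than only in the host's.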
-1

Add this to your application.properties file:

quarkus.tls.trust-all=true
Ahsan Ali