Include self-signed certificates in Docker image
Hi, I am running DS 20.0.5 as a Docker image on CoreOS with Podman. I'd like to connect it to Keycloak, but my Keycloak instance uses self-signed certificates, so DS refuses to connect. Is there any way, apart from compiling my own Docker images, that I can include self-signed certificates?
I've noticed there is a bash script that runs through a certificates directory, but when I mount this directory with my self-signed certificate nothing happens, or at least the certificate does not appear in the keystore.
Thank you in advance!
Hi @fl02, we are going to have a look to see if we can troubleshoot this on the OAuth2 filter :)
Hi @pirhoo thanks for looking into it!
If it helps, the error message is:
[Worker: RequestDispatcher: Thread-15] ERROR Fluent - Unexpected error: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The file I mentioned above is called __cacert_entrypoint.sh and sits in /.
I am a little embarrassed that I only thought of that now, but the easiest way to solve this is to use your Docker image and add another layer with the custom CA, like so:
FROM icij/datashare:20.1.5
USER root
# Custom CA in PEM format, placed next to the system CA bundle
COPY mycustomca.crt /usr/local/share/ca-certificates/mycustomca.crt
# Register the CA with the OS bundle and with the JVM's cacerts truststore
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates \
    && keytool -importcert -noprompt -cacerts \
       -alias mycustomca \
       -file /usr/local/share/ca-certificates/mycustomca.crt \
       -storepass changeit
USER datashare
Problem solved. The only minor inconvenience is that I need to build a new image every time the source image changes.
Closing for now, don't hesitate to ping us if the problem remains.