docker
Provide a convenient way of adding a custom root certificate authority cert
What feature do you want to see added?
I would like to be able to e.g. volume map my root CA cert into a location in the Jenkins container and have the image import that/those cert(s) into the keystore being used by Jenkins at startup.
Upstream changes
No response
Hi @Rolf-MP, you should be able to do so by mounting the certificate in the container, or by building your custom image instead: is there anything blocking you in this area?
Hello Damien - thanks for your reply!
I do not have the steps handy, but I do remember that the CA cert needs to be available to Tomcat/Jetty somehow if we want Jenkins to trust certificates issued by our company certificate authority. Java/Jenkins - at least back when we originally put Jenkins in place - did not use the system cacerts. I ran into a similar issue when migrating from a VM to a docker-image Jenkins deployment.
The title therefore says "convenient". If - for the docker image - there were a documented/env-var-settable location to mount the CA cert to, such that it would be automatically picked up for use by Jenkins at container start, that would be convenient.
Maybe I overlooked something - very well possible ..
Might be possible by changing our entrypoint to call this: https://github.com/adoptium/containers/blob/898a806f10921208544fea3f5fa0dcef261c4f53/21/jdk/alpine/entrypoint.sh#L25
Unfortunately the example does not appear to work.
In my personal instance I've tried using update-ca-certificates and doing keystore things. My understanding is that since Jenkins is a Java program I need to make Java recognize my certificate, not Ubuntu (which is why update-ca-certificates fails).
However, most examples (importing ca root cert to jvm, guide on java keytool) I've seen online discuss adding the certificate to a location which doesn't appear to exist in the container, the jre security cacerts directory.
```dockerfile
FROM jenkins/jenkins
USER root
RUN apt-get update && apt-get install -y \
    lsb-release \
    ca-certificates \
    curl
RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
    https://download.docker.com/linux/debian/gpg
RUN echo "deb [arch=$(dpkg --print-architecture) \
    signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
    https://download.docker.com/linux/debian \
    $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
RUN apt-get update && apt-get install -y docker-ce-cli
# TRY TO ADD CA.CRT
COPY ca.crt /usr/local/share/ca-certificates/
# Adds the cert to the OS trust store only; the JVM does not read it from there
RUN update-ca-certificates
# -noprompt/-storepass are needed for a non-interactive build; the path is the problem
RUN keytool -import -trustcacerts -noprompt -storepass changeit \
    -file /usr/local/share/ca-certificates/ca.crt -alias MY_CA \
    -keystore $JAVA_HOME/jre/lib/security/cacerts
# WON'T WORK: /opt/java/openjdk/jre/lib/security/cacerts (No such file or directory)
# Switch back to the Jenkins user
USER jenkins
# Install Jenkins plugins
RUN jenkins-plugin-cli --plugins "blueocean docker-workflow"
```
You don't need to pass `-keystore $JAVA_HOME/jre/lib/security/cacerts`; add `-cacerts` instead, which will look up the correct truststore location automatically.
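An added example (not code from the jenkins/docker project) of the entrypoint approach floated earlier in the thread, using the `-cacerts` flag from the comment above: a wrapper that imports every certificate found in a mounted directory into the JVM truststore at container start and then execs the stock entrypoint. It assumes the hypothetical env vars `JENKINS_CA_DIR` and `JENKINS_CACERTS_PASSWORD`, the image's `/usr/local/bin/jenkins.sh`, and that `cacerts` is writable by the user the container runs as.

```shell
#!/bin/sh
# Added example, not part of jenkins/docker: import each *.crt/*.pem in a mounted
# directory into the JVM default truststore via `keytool -cacerts`, then hand off
# to the stock Jenkins entrypoint. Assumes JENKINS_CA_DIR / JENKINS_CACERTS_PASSWORD
# (hypothetical), /usr/local/bin/jenkins.sh, and a cacerts file writable by this user.
set -eu

CA_DIR="${JENKINS_CA_DIR:-/usr/local/share/jenkins-ca}"
STOREPASS="${JENKINS_CACERTS_PASSWORD:-changeit}"   # JDK default truststore password

# Keystore alias from a certificate filename: drop path and extension,
# lowercase, and replace anything outside [a-z0-9.-] with '-'.
alias_for() {
  base=$(basename "$1"); base=${base%.*}
  printf '%s' "$base" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9.-]/-/g'
}

# Print importable files (*.crt, *.pem) in a directory, one per line.
# Non-zero status when the directory is missing or holds none.
list_certs() {
  dir="$1"; found=1
  [ -d "$dir" ] || return 1
  for f in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$f" ] || continue
    printf '%s\n' "$f"; found=0
  done
  return "$found"
}

# Import one certificate; skip if the alias already exists so container restarts
# stay idempotent (keytool refuses to add a duplicate alias).
import_cert() {
  file="$1"; al=$(alias_for "$file")
  if keytool -list -cacerts -storepass "$STOREPASS" -alias "$al" >/dev/null 2>&1; then
    echo "jenkins-ca: alias '$al' already in truststore, skipping"; return 0
  fi
  keytool -importcert -noprompt -trustcacerts -cacerts \
    -storepass "$STOREPASS" -alias "$al" -file "$file"
  echo "jenkins-ca: imported '$al' from $file"
}

main() {   # a failed import aborts startup under set -e instead of running without trust
  if list_certs "$CA_DIR" >/dev/null; then
    list_certs "$CA_DIR" | while IFS= read -r f; do import_cert "$f"; done
  else
    echo "jenkins-ca: no *.crt/*.pem in $CA_DIR, nothing to import"
  fi
  exec /usr/local/bin/jenkins.sh "$@"
}

# Hand off only when invoked as the entrypoint, so the functions can be sourced.
case "${0##*/}" in jenkins-with-ca.sh) main "$@" ;; esac
```

Mount the CA directory read-only (for example `-v ./ca:/usr/local/share/jenkins-ca:ro`) and point `ENTRYPOINT` at this script. Agents need the same trust configured separately, as the last comment in this thread found.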
Thanks for the help!
I was able to also find the actual certs at /opt/java/openjdk/lib/security/cacerts as well (and of course it happens right after I comment). But it turns out my self-signed cert issue was not with Jenkins but with the Jenkins/git plugin.
edit: spoke too soon
edit2: the issue was that my agents did not have the CA certs installed. Jenkins works fine.