
Adoptium Temurin JDK 11 is breaking certificate install

Open joaoafonso11 opened this issue 2 years ago • 1 comments

:speaking_head: Foreword

Installing Adoptium Temurin JDK 11 is breaking the certificate install when using the java_certificate resource.

:ghost: Brief Description

When using Adoptium Temurin JDK 11, the java_certificate resource is trying to use an incorrect path to locate the keystore. It should be `$JAVA_HOME/lib/security/cacerts`; instead it's using `$JAVA_HOME/jre/lib/security/cacerts`.

It appears there is no jre folder for this Java distribution/version.

:pancakes: Cookbook version

11.1.1

:woman_cook: Chef-Infra Version

16.1.16

:tophat: Platform details

- Test Kitchen version 3.5.0
- Vagrant 2.3.4
- CentOS Linux release 7.5.1804 (Core)

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install Adoptium Temurin JDK 11:

     ```ruby
     adoptopenjdk_install '11' do
       variant 'hotspot'
       url 'https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.17%2B8/OpenJDK11U-jdk_x64_linux_hotspot_11.0.17_8.tar.gz'
       checksum 'b8d46ed08ef4859476fe6421a7690d899ed83dce63f13fd894f994043177ef3c'
       java_home node['java']['java_home']
       default true
     end
     ```

  2. Install a certificate using java_certificate:

     ```ruby
     java_certificate 'Install Crowd certificate' do
       cert_alias 'crowd'
       ssl_endpoint "crowd.example.com:443"
       action :install
     end
     ```

  3. The error will show up:

     ```
     STDOUT: keytool error: java.lang.Exception: Keystore file does not exist: /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/jre/lib/security/cacerts
     java.lang.Exception: Keystore file does not exist: /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/jre/lib/security/cacerts
     	at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:902)
     	at java.base/sun.security.tools.keytool.Main.run(Main.java:412)
     	at java.base/sun.security.tools.keytool.Main.main(Main.java:405)
     STDERR:
     ---- End output of /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/bin/keytool -list -keystore /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/jre/lib/security/cacerts -storepass changeit -v ----
     Ran /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/bin/keytool -list -keystore /usr/lib/jvm/java-11-adoptopenjdk-hotspot/jdk-11.0.17+8/jre/lib/security/cacerts -storepass changeit -v returned 1
     [2023-01-16T05:50:59+00:00] FATAL: Error querying keystore for existing certificate: 1
     ```

  4. As a workaround the keystore_path can be defined like so:

     ```ruby
     keystore_path "#{node['java']['java_home']}/lib/security/cacerts"
     ```

:police_car: Expected behavior

A certificate should be installed using the correct path to the keystore.

joaoafonso11 avatar Jan 16 '23 05:01 joaoafonso11
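The workaround above hard-codes the JDK 11 layout. As an added example (not the cookbook's code and not part of the original issue), this Ruby helper probes both keystore layouts under a given Java home and fails with every path it tried before keytool is ever invoked; `resolve_cacerts`, `fake_java_home` and `demo` are hypothetical names, and the directory trees are constructed samples.

```ruby
require 'tmpdir'
require 'fileutils'

# Keystore locations relative to JAVA_HOME, newest layout first.
# JDK 9+ (including Temurin 11) has no jre/ directory; a JDK 8 install does.
CACERTS_CANDIDATES = [
  'lib/security/cacerts',
  'jre/lib/security/cacerts'
].freeze

# Returns the first existing cacerts file under java_home.
# Raises with every path tried, so a wrong JAVA_HOME is caught before keytool runs.
def resolve_cacerts(java_home)
  raise ArgumentError, 'java_home is empty' if java_home.to_s.strip.empty?

  tried = CACERTS_CANDIDATES.map { |rel| File.join(java_home, rel) }
  found = tried.find { |path| File.file?(path) }
  return found if found

  raise Errno::ENOENT, "no cacerts keystore found, tried: #{tried.join(', ')}"
end

# Constructed sample: a fake JAVA_HOME containing only the given keystore path.
def fake_java_home(root, name, rel)
  home = File.join(root, name)
  FileUtils.mkdir_p(File.join(home, File.dirname(rel)))
  FileUtils.touch(File.join(home, rel))
  home
end

# Resolves the keystore for a JDK 11 layout, a JDK 8 layout and an empty directory.
def demo
  Dir.mktmpdir do |root|
    jdk11 = fake_java_home(root, 'jdk-11', 'lib/security/cacerts')
    jdk8  = fake_java_home(root, 'jdk-8', 'jre/lib/security/cacerts')
    empty = File.join(root, 'not-a-jdk')
    FileUtils.mkdir_p(empty)
    missing = begin
      resolve_cacerts(empty)
    rescue Errno::ENOENT => e
      e.message
    end
    { jdk11: resolve_cacerts(jdk11).sub("#{jdk11}/", ''),
      jdk8: resolve_cacerts(jdk8).sub("#{jdk8}/", ''),
      missing: missing }
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

In a recipe, the resolved path would be passed as the `keystore_path` property shown in the workaround, so the certificate lands in the trust store the installed JVM actually reads.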

Thanks for raising the issue, and you might have guessed. This cookbook doesn't support the newer variants, yet.

I'm going to reignite my PR this week and see if I can't get through the backlog of Java releases.

damacus avatar May 09 '23 05:05 damacus