[Bug]: Custom CA certificate breaks on second container restart #734

Open
AlexanderLieret opened this issue Feb 10, 2025 · 4 comments
Labels
bug Something isn't working

Comments

@AlexanderLieret

Please add the exact image (with tag) that you are using

eclipse-temurin:17.0.14_7-jre

Please add the version of Docker you are running

Docker version 27.4.0, build bde2b89

What happened?

When adding a custom CA certificate to the truststore, the container does not start after the second restart anymore.
This requires the re-creation of the container, e.g., docker compose down && docker compose up -d.

This can be reproduced with a certificate in the directory trusted-certs and the following Docker compose file:

services:
  bug:
    image: eclipse-temurin:17.0.14_7-jre
    command: echo Hello World
    environment:
      USE_SYSTEM_CA_CERTS: 1
    volumes:
      - ./trusted-certs:/certificates/

This used to work with older images, e.g., eclipse-temurin:17.0.11_9-jre.

Relevant log output

Attaching to bug-1
bug-1  | Importing keystore /tmp/tmp.kwGTbmj7At to /opt/java/openjdk/lib/security/cacerts...
bug-1  | Warning: Overwriting existing alias naverglobalrootcertificationauthority in destination keystore
bug-1  | Entry for alias naverglobalrootcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias teliasonerarootcav1 in destination keystore
bug-1  | Entry for alias teliasonerarootcav1 successfully imported.
bug-1  | Warning: Overwriting existing alias vtruseccrootca in destination keystore
bug-1  | Entry for alias vtruseccrootca successfully imported.
bug-1  | Warning: Overwriting existing alias emsignrootca-g1 in destination keystore
bug-1  | Entry for alias emsignrootca-g1 successfully imported.
bug-1  | Warning: Overwriting existing alias quovadisrootca3g3 in destination keystore
bug-1  | Entry for alias quovadisrootca3g3 successfully imported.
bug-1  | Warning: Overwriting existing alias secureglobalca in destination keystore
bug-1  | Entry for alias secureglobalca successfully imported.
bug-1  | Warning: Overwriting existing alias microsoftrsarootcertificateauthority2017 in destination keystore
bug-1  | Entry for alias microsoftrsarootcertificateauthority2017 successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comevrootcertificationauthorityecc in destination keystore
bug-1  | Entry for alias ssl.comevrootcertificationauthorityecc successfully imported.
bug-1  | Warning: Overwriting existing alias szafirrootca2 in destination keystore
bug-1  | Entry for alias szafirrootca2 successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comtlsrsarootca2022 in destination keystore
bug-1  | Entry for alias ssl.comtlsrsarootca2022 successfully imported.
bug-1  | Warning: Overwriting existing alias quovadisrootca1g3 in destination keystore
bug-1  | Entry for alias quovadisrootca1g3 successfully imported.
bug-1  | Warning: Overwriting existing alias atostrustedrootrootcarsatls2021 in destination keystore
bug-1  | Entry for alias atostrustedrootrootcarsatls2021 successfully imported.
bug-1  | Warning: Overwriting existing alias autoridaddecertificacionfirmaprofesionalcifa62634068 in destination keystore
bug-1  | Entry for alias autoridaddecertificacionfirmaprofesionalcifa62634068 successfully imported.
bug-1  | Warning: Overwriting existing alias securesignrootca11 in destination keystore
bug-1  | Entry for alias securesignrootca11 successfully imported.
bug-1  | Warning: Overwriting existing alias isrgrootx2 in destination keystore
bug-1  | Entry for alias isrgrootx2 successfully imported.
bug-1  | Warning: Overwriting existing alias isrgrootx1 in destination keystore
bug-1  | Entry for alias isrgrootx1 successfully imported.
bug-1  | Warning: Overwriting existing alias digicertglobalrootca in destination keystore
bug-1  | Entry for alias digicertglobalrootca successfully imported.
bug-1  | Warning: Overwriting existing alias sectigopublicserverauthenticationrootr46 in destination keystore
bug-1  | Entry for alias sectigopublicserverauthenticationrootr46 successfully imported.
bug-1  | Warning: Overwriting existing alias bjcaglobalrootca2 in destination keystore
bug-1  | Entry for alias bjcaglobalrootca2 successfully imported.
bug-1  | Warning: Overwriting existing alias globalsignroote46 in destination keystore
bug-1  | Entry for alias globalsignroote46 successfully imported.
bug-1  | Warning: Overwriting existing alias bjcaglobalrootca1 in destination keystore
bug-1  | Entry for alias bjcaglobalrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias starfieldservicesrootcertificateauthority-g2 in destination keystore
bug-1  | Entry for alias starfieldservicesrootcertificateauthority-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias actalisauthenticationrootca in destination keystore
bug-1  | Entry for alias actalisauthenticationrootca successfully imported.
bug-1  | Warning: Overwriting existing alias tubitakkamusmsslkoksertifikasi-surum1 in destination keystore
bug-1  | Entry for alias tubitakkamusmsslkoksertifikasi-surum1 successfully imported.
bug-1  | Warning: Overwriting existing alias amazonrootca4 in destination keystore
bug-1  | Entry for alias amazonrootca4 successfully imported.
bug-1  | Warning: Overwriting existing alias amazonrootca3 in destination keystore
bug-1  | Entry for alias amazonrootca3 successfully imported.
bug-1  | Warning: Overwriting existing alias amazonrootca2 in destination keystore
bug-1  | Entry for alias amazonrootca2 successfully imported.
bug-1  | Warning: Overwriting existing alias amazonrootca1 in destination keystore
bug-1  | Entry for alias amazonrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias affirmtrustpremium in destination keystore
bug-1  | Entry for alias affirmtrustpremium successfully imported.
bug-1  | Warning: Overwriting existing alias haricatlsrsarootca2021 in destination keystore
bug-1  | Entry for alias haricatlsrsarootca2021 successfully imported.
bug-1  | Warning: Overwriting existing alias entrustrootcertificationauthority-g4 in destination keystore
bug-1  | Entry for alias entrustrootcertificationauthority-g4 successfully imported.
bug-1  | Warning: Overwriting existing alias entrustrootcertificationauthority-g2 in destination keystore
bug-1  | Entry for alias entrustrootcertificationauthority-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias gdcatrustauthr5root in destination keystore
bug-1  | Entry for alias gdcatrustauthr5root successfully imported.
bug-1  | Warning: Overwriting existing alias atostrustedrootrootcaecctls2021 in destination keystore
bug-1  | Entry for alias atostrustedrootrootcaecctls2021 successfully imported.
bug-1  | Warning: Overwriting existing alias emsigneccrootca-g3 in destination keystore
bug-1  | Entry for alias emsigneccrootca-g3 successfully imported.
bug-1  | Warning: Overwriting existing alias atostrustedroot2011 in destination keystore
bug-1  | Entry for alias atostrustedroot2011 successfully imported.
bug-1  | Warning: Overwriting existing alias d-trustevrootca12020 in destination keystore
bug-1  | Entry for alias d-trustevrootca12020 successfully imported.
bug-1  | Warning: Overwriting existing alias anfsecureserverrootca in destination keystore
bug-1  | Entry for alias anfsecureserverrootca successfully imported.
bug-1  | Warning: Overwriting existing alias certignarootca in destination keystore
bug-1  | Entry for alias certignarootca successfully imported.
bug-1  | Warning: Overwriting existing alias swisssignsilverca-g2 in destination keystore
bug-1  | Entry for alias swisssignsilverca-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias vtrusrootca in destination keystore
bug-1  | Entry for alias vtrusrootca successfully imported.
bug-1  | Warning: Overwriting existing alias digicerttlsrsa4096rootg5 in destination keystore
bug-1  | Entry for alias digicerttlsrsa4096rootg5 successfully imported.
bug-1  | Warning: Overwriting existing alias comodoecccertificationauthority in destination keystore
bug-1  | Entry for alias comodoecccertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias securetrustca in destination keystore
bug-1  | Entry for alias securetrustca successfully imported.
bug-1  | Warning: Overwriting existing alias cadisigrootr2 in destination keystore
bug-1  | Entry for alias cadisigrootr2 successfully imported.
bug-1  | Warning: Overwriting existing alias aaacertificateservices in destination keystore
bug-1  | Entry for alias aaacertificateservices successfully imported.
bug-1  | Warning: Overwriting existing alias starfieldrootcertificateauthority-g2 in destination keystore
bug-1  | Entry for alias starfieldrootcertificateauthority-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias buypassclass2rootca in destination keystore
bug-1  | Entry for alias buypassclass2rootca successfully imported.
bug-1  | Warning: Overwriting existing alias tuntrustrootca in destination keystore
bug-1  | Entry for alias tuntrustrootca successfully imported.
bug-1  | Warning: Overwriting existing alias buypassclass3rootca in destination keystore
bug-1  | Entry for alias buypassclass3rootca successfully imported.
bug-1  | Warning: Overwriting existing alias test.local in destination keystore
bug-1  | Entry for alias test.local successfully imported.
bug-1  | Warning: Overwriting existing alias epkirootcertificationauthority in destination keystore
bug-1  | Entry for alias epkirootcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias entrust.netcertificationauthority(2048) in destination keystore
bug-1  | Entry for alias entrust.netcertificationauthority(2048) successfully imported.
bug-1  | Warning: Overwriting existing alias certigna in destination keystore
bug-1  | Entry for alias certigna successfully imported.
bug-1  | Warning: Overwriting existing alias cfcaevroot in destination keystore
bug-1  | Entry for alias cfcaevroot successfully imported.
bug-1  | Warning: Overwriting existing alias emsignrootca-c1 in destination keystore
bug-1  | Entry for alias emsignrootca-c1 successfully imported.
bug-1  | Warning: Overwriting existing alias certumtrustednetworkca in destination keystore
bug-1  | Entry for alias certumtrustednetworkca successfully imported.
bug-1  | Warning: Overwriting existing alias securitycommunicationrootca3 in destination keystore
bug-1  | Entry for alias securitycommunicationrootca3 successfully imported.
bug-1  | Warning: Overwriting existing alias securitycommunicationrootca2 in destination keystore
bug-1  | Entry for alias securitycommunicationrootca2 successfully imported.
bug-1  | Warning: Overwriting existing alias securitycommunicationrootca1 in destination keystore
bug-1  | Entry for alias securitycommunicationrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias oistewisekeyglobalrootgcca in destination keystore
bug-1  | Entry for alias oistewisekeyglobalrootgcca successfully imported.
bug-1  | Warning: Overwriting existing alias usertrustrsacertificationauthority in destination keystore
bug-1  | Entry for alias usertrustrsacertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias trustwaveglobaleccp384certificationauthority in destination keystore
bug-1  | Entry for alias trustwaveglobaleccp384certificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias swisssigngoldca-g2 in destination keystore
bug-1  | Entry for alias swisssigngoldca-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias globalsign-3 in destination keystore
bug-1  | Entry for alias globalsign-3 successfully imported.
bug-1  | Warning: Overwriting existing alias certsignrootca in destination keystore
bug-1  | Entry for alias certsignrootca successfully imported.
bug-1  | Warning: Overwriting existing alias globalsign-2 in destination keystore
bug-1  | Entry for alias globalsign-2 successfully imported.
bug-1  | Warning: Overwriting existing alias globalsign-1 in destination keystore
bug-1  | Entry for alias globalsign-1 successfully imported.
bug-1  | Warning: Overwriting existing alias certumec-384ca in destination keystore
bug-1  | Entry for alias certumec-384ca successfully imported.
bug-1  | Warning: Overwriting existing alias hipkirootca-g1 in destination keystore
bug-1  | Entry for alias hipkirootca-g1 successfully imported.
bug-1  | Warning: Overwriting existing alias twcaglobalrootca in destination keystore
bug-1  | Entry for alias twcaglobalrootca successfully imported.
bug-1  | Warning: Overwriting existing alias trustwaveglobaleccp256certificationauthority in destination keystore
bug-1  | Entry for alias trustwaveglobaleccp256certificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias globalsignrootr46 in destination keystore
bug-1  | Entry for alias globalsignrootr46 successfully imported.
bug-1  | Warning: Overwriting existing alias entrustrootcertificationauthority-ec1 in destination keystore
bug-1  | Entry for alias entrustrootcertificationauthority-ec1 successfully imported.
bug-1  | Warning: Overwriting existing alias emsigneccrootca-c3 in destination keystore
bug-1  | Entry for alias emsigneccrootca-c3 successfully imported.
bug-1  | Warning: Overwriting existing alias digicerttrustedrootg4 in destination keystore
bug-1  | Entry for alias digicerttrustedrootg4 successfully imported.
bug-1  | Warning: Overwriting existing alias quovadisrootca2g3 in destination keystore
bug-1  | Entry for alias quovadisrootca2g3 successfully imported.
bug-1  | Warning: Overwriting existing alias trustwaveglobalcertificationauthority in destination keystore
bug-1  | Entry for alias trustwaveglobalcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias gtsrootr4 in destination keystore
bug-1  | Entry for alias gtsrootr4 successfully imported.
bug-1  | Warning: Overwriting existing alias gtsrootr3 in destination keystore
bug-1  | Entry for alias gtsrootr3 successfully imported.
bug-1  | Warning: Overwriting existing alias gtsrootr2 in destination keystore
bug-1  | Entry for alias gtsrootr2 successfully imported.
bug-1  | Warning: Overwriting existing alias globaltrust2020 in destination keystore
bug-1  | Entry for alias globaltrust2020 successfully imported.
bug-1  | Warning: Overwriting existing alias gtsrootr1 in destination keystore
bug-1  | Entry for alias gtsrootr1 successfully imported.
bug-1  | Warning: Overwriting existing alias hellenicacademicandresearchinstitutionseccrootca2015 in destination keystore
bug-1  | Entry for alias hellenicacademicandresearchinstitutionseccrootca2015 successfully imported.
bug-1  | Warning: Overwriting existing alias d-trustrootclass3ca22009 in destination keystore
bug-1  | Entry for alias d-trustrootclass3ca22009 successfully imported.
bug-1  | Warning: Overwriting existing alias commscopepublictrustrsaroot-02 in destination keystore
bug-1  | Entry for alias commscopepublictrustrsaroot-02 successfully imported.
bug-1  | Warning: Overwriting existing alias e-szignorootca2017 in destination keystore
bug-1  | Entry for alias e-szignorootca2017 successfully imported.
bug-1  | Warning: Overwriting existing alias commscopepublictrustrsaroot-01 in destination keystore
bug-1  | Entry for alias commscopepublictrustrsaroot-01 successfully imported.
bug-1  | Warning: Overwriting existing alias affirmtrustcommercial in destination keystore
bug-1  | Entry for alias affirmtrustcommercial successfully imported.
bug-1  | Warning: Overwriting existing alias godaddyclass2certificationauthority in destination keystore
bug-1  | Entry for alias godaddyclass2certificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias digicertassuredidrootg3 in destination keystore
bug-1  | Entry for alias digicertassuredidrootg3 successfully imported.
bug-1  | Warning: Overwriting existing alias affirmtrustnetworking in destination keystore
bug-1  | Entry for alias affirmtrustnetworking successfully imported.
bug-1  | Warning: Overwriting existing alias digicertassuredidrootg2 in destination keystore
bug-1  | Entry for alias digicertassuredidrootg2 successfully imported.
bug-1  | Warning: Overwriting existing alias d-trustrootclass3ca2ev2009 in destination keystore
bug-1  | Entry for alias d-trustrootclass3ca2ev2009 successfully imported.
bug-1  | Warning: Overwriting existing alias baltimorecybertrustroot in destination keystore
bug-1  | Entry for alias baltimorecybertrustroot successfully imported.
bug-1  | Warning: Overwriting existing alias comodocertificationauthority in destination keystore
bug-1  | Entry for alias comodocertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias starfieldclass2certificationauthority in destination keystore
bug-1  | Entry for alias starfieldclass2certificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias usertrustecccertificationauthority in destination keystore
bug-1  | Entry for alias usertrustecccertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias quovadisrootca3 in destination keystore
bug-1  | Entry for alias quovadisrootca3 successfully imported.
bug-1  | Warning: Overwriting existing alias sectigopublicserverauthenticationroote46 in destination keystore
bug-1  | Entry for alias sectigopublicserverauthenticationroote46 successfully imported.
bug-1  | Warning: Overwriting existing alias quovadisrootca2 in destination keystore
bug-1  | Entry for alias quovadisrootca2 successfully imported.
bug-1  | Warning: Overwriting existing alias trustasiaglobalrootcag4 in destination keystore
bug-1  | Entry for alias trustasiaglobalrootcag4 successfully imported.
bug-1  | Warning: Overwriting existing alias trustasiaglobalrootcag3 in destination keystore
bug-1  | Entry for alias trustasiaglobalrootcag3 successfully imported.
bug-1  | Warning: Overwriting existing alias twcarootcertificationauthority in destination keystore
bug-1  | Entry for alias twcarootcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias d-trustbrrootca12020 in destination keystore
bug-1  | Entry for alias d-trustbrrootca12020 successfully imported.
bug-1  | Warning: Overwriting existing alias commscopepublictrusteccroot-02 in destination keystore
bug-1  | Entry for alias commscopepublictrusteccroot-02 successfully imported.
bug-1  | Warning: Overwriting existing alias commscopepublictrusteccroot-01 in destination keystore
bug-1  | Entry for alias commscopepublictrusteccroot-01 successfully imported.
bug-1  | Warning: Overwriting existing alias certumtrustedrootca in destination keystore
bug-1  | Entry for alias certumtrustedrootca successfully imported.
bug-1  | Warning: Overwriting existing alias ucaglobalg2root in destination keystore
bug-1  | Entry for alias ucaglobalg2root successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comrootcertificationauthorityecc in destination keystore
bug-1  | Entry for alias ssl.comrootcertificationauthorityecc successfully imported.
bug-1  | Warning: Overwriting existing alias certainlyrootr1 in destination keystore
bug-1  | Entry for alias certainlyrootr1 successfully imported.
bug-1  | Warning: Overwriting existing alias identrustcommercialrootca1 in destination keystore
bug-1  | Entry for alias identrustcommercialrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias izenpe.com in destination keystore
bug-1  | Entry for alias izenpe.com successfully imported.
bug-1  | Warning: Overwriting existing alias ucaextendedvalidationroot in destination keystore
bug-1  | Entry for alias ucaextendedvalidationroot successfully imported.
bug-1  | Warning: Overwriting existing alias microsece-szignorootca2009 in destination keystore
bug-1  | Entry for alias microsece-szignorootca2009 successfully imported.
bug-1  | Warning: Overwriting existing alias acraizfnmt-rcmservidoresseguros in destination keystore
bug-1  | Entry for alias acraizfnmt-rcmservidoresseguros successfully imported.
bug-1  | Warning: Overwriting existing alias digicerttlseccp384rootg5 in destination keystore
bug-1  | Entry for alias digicerttlseccp384rootg5 successfully imported.
bug-1  | Warning: Overwriting existing alias certsignrootcag2 in destination keystore
bug-1  | Entry for alias certsignrootcag2 successfully imported.
bug-1  | Warning: Overwriting existing alias globalsignrootca in destination keystore
bug-1  | Entry for alias globalsignrootca successfully imported.
bug-1  | Warning: Overwriting existing alias acraizfnmt-rcm in destination keystore
bug-1  | Entry for alias acraizfnmt-rcm successfully imported.
bug-1  | Warning: Overwriting existing alias certainlyroote1 in destination keystore
bug-1  | Entry for alias certainlyroote1 successfully imported.
bug-1  | Warning: Overwriting existing alias affirmtrustpremiumecc in destination keystore
bug-1  | Entry for alias affirmtrustpremiumecc successfully imported.
bug-1  | Warning: Overwriting existing alias xrampglobalcertificationauthority in destination keystore
bug-1  | Entry for alias xrampglobalcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias teliarootcav2 in destination keystore
bug-1  | Entry for alias teliarootcav2 successfully imported.
bug-1  | Warning: Overwriting existing alias netlockarany(classgold)ftanstvny in destination keystore
bug-1  | Entry for alias netlockarany(classgold)ftanstvny successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comrootcertificationauthorityrsa in destination keystore
bug-1  | Entry for alias ssl.comrootcertificationauthorityrsa successfully imported.
bug-1  | Warning: Overwriting existing alias entrustrootcertificationauthority in destination keystore
bug-1  | Entry for alias entrustrootcertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias digicertassuredidrootca in destination keystore
bug-1  | Entry for alias digicertassuredidrootca successfully imported.
bug-1  | Warning: Overwriting existing alias digicertglobalrootg3 in destination keystore
bug-1  | Entry for alias digicertglobalrootg3 successfully imported.
bug-1  | Warning: Overwriting existing alias digicertglobalrootg2 in destination keystore
bug-1  | Entry for alias digicertglobalrootg2 successfully imported.
bug-1  | Warning: Overwriting existing alias certumtrustednetworkca2 in destination keystore
bug-1  | Entry for alias certumtrustednetworkca2 successfully imported.
bug-1  | Warning: Overwriting existing alias oistewisekeyglobalrootgbca in destination keystore
bug-1  | Entry for alias oistewisekeyglobalrootgbca successfully imported.
bug-1  | Warning: Overwriting existing alias comodorsacertificationauthority in destination keystore
bug-1  | Entry for alias comodorsacertificationauthority successfully imported.
bug-1  | Warning: Overwriting existing alias haricatlseccrootca2021 in destination keystore
bug-1  | Entry for alias haricatlseccrootca2021 successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comtlseccrootca2022 in destination keystore
bug-1  | Entry for alias ssl.comtlseccrootca2022 successfully imported.
bug-1  | Warning: Overwriting existing alias securitycommunicationeccrootca1 in destination keystore
bug-1  | Entry for alias securitycommunicationeccrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias identrustpublicsectorrootca1 in destination keystore
bug-1  | Entry for alias identrustpublicsectorrootca1 successfully imported.
bug-1  | Warning: Overwriting existing alias digicerthighassuranceevrootca in destination keystore
bug-1  | Entry for alias digicerthighassuranceevrootca successfully imported.
bug-1  | Warning: Overwriting existing alias accvraiz1 in destination keystore
bug-1  | Entry for alias accvraiz1 successfully imported.
bug-1  | Warning: Overwriting existing alias godaddyrootcertificateauthority-g2 in destination keystore
bug-1  | Entry for alias godaddyrootcertificateauthority-g2 successfully imported.
bug-1  | Warning: Overwriting existing alias microsofteccrootcertificateauthority2017 in destination keystore
bug-1  | Entry for alias microsofteccrootcertificateauthority2017 successfully imported.
bug-1  | Warning: Overwriting existing alias t-telesecglobalrootclass3 in destination keystore
bug-1  | Entry for alias t-telesecglobalrootclass3 successfully imported.
bug-1  | Warning: Overwriting existing alias t-telesecglobalrootclass2 in destination keystore
bug-1  | Entry for alias t-telesecglobalrootclass2 successfully imported.
bug-1  | Warning: Overwriting existing alias globalsign in destination keystore
bug-1  | Entry for alias globalsign successfully imported.
bug-1  | Warning: Overwriting existing alias hongkongpostrootca3 in destination keystore
bug-1  | Entry for alias hongkongpostrootca3 successfully imported.
bug-1  | Warning: Overwriting existing alias ssl.comevrootcertificationauthorityrsar2 in destination keystore
bug-1  | Entry for alias ssl.comevrootcertificationauthorityrsar2 successfully imported.
bug-1  | Warning: Overwriting existing alias hellenicacademicandresearchinstitutionsrootca2015 in destination keystore
bug-1  | Entry for alias hellenicacademicandresearchinstitutionsrootca2015 successfully imported.
bug-1  | Import command completed:  147 entries successfully imported, 0 entries failed or cancelled
bug-1  | Adding certificate with alias test.local_0EF1E93EF772D45CDFA862F3C962A3C13AFF0C49 to the JVM truststore
bug-1  | Warning: use -cacerts option to access cacerts keystore
bug-1 exited with code 1
@AlexanderLieret AlexanderLieret added the bug Something isn't working label Feb 10, 2025
@karianna
Contributor

Did your version of Docker change or were any other changes made when you upgraded the base image to 17.0.14?

@AlexanderLieret
Author

My wording was bad. It does still work if I use the old tag 17.0.11_9-jre.
It breaks as soon as I change to a current tag. No other changes were made in between.

@karianna
Contributor

karianna commented Feb 10, 2025

Hmm, this will be hard to track down. There have been changes since 17.0.11 that impact the truststore. In the meantime some suggested investigations / workarounds (inspired by GPT4o):

Possible Causes & Fixes

  1. JVM Truststore Locking or Corruption
  • If the truststore is being modified while the JVM is running, it might be getting corrupted.
  • Try setting the environment variable USE_SYSTEM_CA_CERTS=0 to disable automatic certificate import and manually import only necessary certificates.
  2. Check if the Truststore Already Contains the Certificate
  • Instead of blindly re-importing all certificates, check whether the truststore already contains them before adding them.
  • You can verify the certificates with:

keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

  3. Manually Import Certificates Once
  • If you only need to add a few certificates, copy the truststore, modify it externally, and mount it into the container to prevent modification on each restart:

volumes:
  - ./my-cacerts:/opt/java/openjdk/lib/security/cacerts

  4. Try Using an Older Image (17.0.12 / 17.0.13)
  • You mentioned that this used to work with eclipse-temurin:17.0.11_9-jre. Can you try a 17.0.12 or 17.0.13 image and see where the bug was introduced?

@AlexanderLieret
Author

I might have tracked down the problem. The problem is that the user-provided certificates are always imported into the truststore.
There is a primitive collision prevention (append serial number to the common name), but this only works on the first container restart.
On the second restart, the collision throws the error because the same alias is reused.

I found these possible solutions to the problem:

  1. Overwrite the truststore (old behaviour)
  2. Don't add the certificate on the second collision
  3. Use the fingerprint instead of the serial number for collision prevention
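The third option above (a fingerprint-derived alias) combined with a check-before-import is what makes a truststore import safe to re-run on every container start. The script below is an added example of that pattern, not the eclipse-temurin entrypoint and not code from the issue. It assumes openssl and keytool are on PATH, that the store still uses the JDK default password changeit, and that certificates are mounted at /certificates; the file name import-certs.sh, the "run" argument and the log line formats are this example's own choices.

```shell
#!/bin/sh
# Added example, not the eclipse-temurin entrypoint: import every PEM certificate found in
# CERT_DIR into the JVM truststore so that the import is idempotent across restarts.
# Assumptions (not from the issue): openssl and keytool are on PATH, the truststore uses the
# JDK default password "changeit", and certificates are mounted at /certificates.
set -eu

TRUSTSTORE="${TRUSTSTORE:-${JAVA_HOME:-/opt/java/openjdk}/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"      # JDK default; override it if you ship a custom store
CERT_DIR="${CERT_DIR:-/certificates}"

# Turn openssl's "sha256 Fingerprint=AB:CD:..." line into a keytool-safe alias:
# lowercase hex with the colons removed. Pure text processing, so it can be
# exercised without openssl installed.
fingerprint_to_alias() {
  printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Stable alias for one PEM certificate: the SHA-256 fingerprint of its DER encoding.
# Unlike "CN plus serial number", this is the same string on every restart and
# differs for any two distinct certificates, so a re-run detects the existing entry
# instead of tripping over a reused alias.
cert_alias() {
  fingerprint_to_alias "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# 0 if the alias already exists in the truststore, non-zero otherwise
# (keytool -list -alias exits non-zero when the alias is absent).
has_alias() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Import one certificate, or skip it if its fingerprint alias is already present.
# Prints a one-line status for the container log.
import_cert() {
  cert="$1"
  entry="$(cert_alias "$cert")"
  if has_alias "$entry"; then
    echo "skip $cert: alias $entry already in truststore"
    return 0
  fi
  keytool -importcert -noprompt \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$entry" -file "$cert" >/dev/null
  echo "import $cert as $entry"
}

# Import everything in CERT_DIR; a missing or empty directory is not an error.
import_all() {
  for f in "$CERT_DIR"/*.crt "$CERT_DIR"/*.pem; do
    [ -f "$f" ] || continue
    import_cert "$f"
  done
}

# Run the import only when invoked as "import-certs.sh run", so the functions can be
# sourced and checked on their own.
if [ "${1:-}" = "run" ]; then
  import_all
fi
```

Because the alias is a function of the certificate bytes, the first start imports, every later start logs a skip, and two different certificates that happen to share a common name get distinct aliases. Two practical caveats: anything that can write to the mounted certificate directory can add a trust anchor to the JVM, so treat that mount as a privileged input, and if you prefer not to mutate the store at runtime at all, build the cacerts file once and mount it read-only as suggested in the workarounds above.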
