# Custom SSL Root CA Certificates overrule certificates from default cacerts when running in native mode #29146

Labels: area/container-image, area/native-image, env/windows (Impacts Windows machines), kind/bug (Something isn't working)
### Describe the bug

According to this guide it should be possible to add a custom Root CA certificate to a Quarkus native application. Furthermore, it's also mentioned that when passing the certificates via the following system properties to the underlying GraalVM:

```
quarkus.native.additional-build-args=-J-Djavax.net.ssl.trustStore=/tmp/mycerts,-J-Djavax.net.ssl.trustStorePassword=changeit
```

the certificates of `/tmp/mycerts` are baked into the native binary and used in addition to the default `cacerts`.

However, that's not what I've observed. When passing a custom trust-store to the native build, only those certificates which are part of the custom trust-store are present at runtime. All other trusted `ca-certs`, which are available during the build (e.g. provided by GraalVM), are gone, or at least not accessible by the resulting native app.

### Expected behavior

According to the documentation my expectation would be that certificates from a custom trust-store are being used in addition to any other trusted `ca-certificate` that has been provided by the default `cacerts` during the native image build.

For example: Let's imagine that the GraalVM ships with a trust-store which contains 129 Root CA certificates. Since I pass a custom trust-store with a single certificate, my expectation would be that all those 130 Root CA certificates are baked into the native binary.

### Actual behavior

The certificates of a custom trust-store overrule the `cacerts` present in the GraalVM. The ca-certificates aren't baked into the native binary (or at least they aren't recognized at runtime) as they should be according to the documentation. Just the custom certificates are present.

### How to Reproduce?
`jib` to create the image, maybe that's of relevance) I had no better idea to extract the certificates from the native binary. From my understanding they are baked into the binary and not being loaded from the underlying OS default trust-store.

Trigger a native build. I'm using the container approach since I haven't installed GraalVM locally:

```
mvn package -Pnative -Dquarkus.native.container-build=true
```

The defined observer shall be triggered at build and runtime. During the native image build, check the sys out log and verify that the expected `ca-certs` are present. Once the binary has been crafted, start the image and check the output. In that case only the certs from the custom trust-store should be present.

### Output of `uname -a` or `ver`

No response

### Output of `java -version`

17.0.5+8-jvmci-22.3-b08

### GraalVM version (if different from Java)

GraalVM 22.3.0 Java 17 CE

### Quarkus version or git rev

2.13.3.Final

### Build tool (ie. output of `mvnw --version` or `gradlew --version`)

Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)

### Additional information

Docker Desktop on Windows 10:

- Server Version: 20.10.20
- API Version: 1.41
- Operating System: Docker Desktop
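A startup check of the kind the report describes, enumerating the trust anchors the JVM's default `TrustManager` actually holds so that the build-time and runtime lists can be compared. This is an added example, not the reporter's observer and not Quarkus project code. It assumes the `javax.enterprise` CDI namespace used by Quarkus 2.13 and that application classes are initialized at build time (so the static block runs during the native-image build and its output lands in the build log); the package name `org.acme` and the class name are made up.

```java
package org.acme; // hypothetical package, not from the issue

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import io.quarkus.runtime.StartupEvent;

@ApplicationScoped
public class TrustAnchorAudit {

    // Class initialization: with build-time initialization of application classes
    // (assumed here) this executes inside the native-image build, giving the
    // "build" snapshot of the trust store that was visible to GraalVM.
    static {
        report("build");
    }

    // CDI observer: executes when the finished native binary starts, giving the
    // "runtime" snapshot. Comparing the two counts shows whether the default
    // cacerts survived alongside the custom trust-store.
    void onStart(@Observes StartupEvent ev) {
        report("runtime");
    }

    // Collects the accepted issuers of the default X509TrustManager. Passing a
    // null KeyStore makes the factory use the JVM default trust store, i.e.
    // whatever javax.net.ssl.trustStore points at, or cacerts otherwise.
    static List<X509Certificate> trustedCerts() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        List<X509Certificate> out = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    out.add(c);
                }
            }
        }
        return out;
    }

    // Prints the count and the subject of every trust anchor, prefixed with the
    // phase so the build log and the container log can be grepped side by side.
    static void report(String phase) {
        try {
            List<X509Certificate> certs = trustedCerts();
            System.out.println("[" + phase + "] trusted CA certificates: " + certs.size());
            for (X509Certificate c : certs) {
                System.out.println("[" + phase + "]   " + c.getSubjectX500Principal().getName());
            }
        } catch (Exception e) {
            System.out.println("[" + phase + "] could not enumerate trust anchors: " + e);
        }
    }
}
```

If the default `cacerts` are merged with the custom store as the documentation suggests, the `[build]` and `[runtime]` counts should match and both should exceed the number of entries in `/tmp/mycerts`; a `[runtime]` list that contains only the custom entries reproduces the behaviour reported above.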