Docker OpenJDK 17 does not contain certificate

Question

I want to create a docker image with OpenJDK 17 but it will be modified by adding our company's certificates.

Dockerfile:

FROM openjdk:17 

COPY Certs /certs
RUN /certs/load_certs.sh \
    && rm -rf /certs

The directory "Certs" contains every certificate necessary. This works fine. I checked if the JDK 17 in the image contains the certificates and yes, they are there. Then I want to create an image with Gradle 7.3.3 which will use the mentioned OpenJDK 17 image with all of the certificates.

FROM centos:8

# some commands here

#jdk
COPY --from=nexus.ourcompany.com:4402/aliter/open-jdk17 /usr/java/openjdk-17 /etc/jdk17
ENV JAVA_HOME=/etc/jdk17
ENV PATH="${JAVA_HOME}/bin:${PATH}"

# some commands here

#gradle
RUN cd /tmp \
    && curl --insecure -O https://nexus.ourcompany.com/repository/ourcompany-maven-public/org/gradle/7.3.3/gradle-7.3.3-bin.zip \
    && cd ..
RUN unzip /tmp/gradle-7.3.3-bin.zip -d /etc \
    && rm -rf gradle-7.3.3-bin.zip
ENV PATH="/etc/gradle-7.3.3/bin:${PATH}"
RUN gradle -v

# some commands here

I created the image with Gradle and OpenJDK, but when I tried to build our project then it printed out

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I checked the OpenJDK inside of the Gradle image and it does not contain the certificates. I used the same approach with OpenJDK 11 and everything works fine.

Can anyone tell me what is wrong?

Answer 1

Solved this issue by doing the following:

Running apt-get udpate

If you are using ansible:

- name: Run the equivalent of "apt-get update"
  apt:
    update_cache: yes

and then apt-get install ca-certificates-java ca-certificates

If you are using ansible:

- name: Install ca-certificates-java and ca-certificates
  apt:
    pkg:
    - ca-certificates-java
    - ca-certificates