
Forcing Jib to use Mac OS X Keychain Store with self-signed certificate imported

Environment:

  • Jib version: 2.2.0
  • Build tool: Maven (output of mvn --version):

      Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
      Maven home: /usr/local/Cellar/maven/3.6.3_1/libexec
      Java version: 11.0.7, vendor: AdoptOpenJDK, runtime: /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home
      Default locale: en_CH, platform encoding: UTF-8
      OS name: "mac os x", version: "10.15.1", arch: "x86_64", family: "mac"

  • OS: Mac OS X Catalina (10.15.1)

Description of the issue: I’m trying to build an image (based on gcr.io/distroless/java:11-debug) and push it to my company’s private registry.

It works if I ignore TLS:

mvn -B compile com.google.cloud.tools:jib-maven-plugin:build -Djib.allowInsecureRegistries=true -DsendCredentialsOverHttp=true

It works over https if I build and push identical image with a Dockerfile.

But when I try to force Maven/Jib to pick up the certificates from the Keychain (using -Djavax.net.ssl.trustStoreType=KeychainStore), then it fails, complaining that it can’t get the certificate for gcr.io. I don’t use any proxy, so I don’t understand why it doesn’t work just like with the Dockerfile.

Expected behavior: Maven/Jib should pick up the certificate and the image should be pushed to the registry over https.

Steps to reproduce:

  1. Get a private docker registry with a self-signed certificate for https
  2. Try to push an image to it using Mac OS X’s KeychainStore certificates
  3. Fail

jib-maven-plugin Configuration:

    <build>
        <plugins>
            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>${jib.maven-plugin-version}</version>
                <configuration>
                    <from>
                        <image>gcr.io/distroless/java:11-debug</image>
                    </from>
                    <to>
                        <image>docker-repo.bananas.xyz/sysadmin/skaffold-java-example</image>
                    </to>
                </configuration>
            </plugin>
        </plugins>
    </build>

Log output:

$ mvn -B compile com.google.cloud.tools:jib-maven-plugin:build -Djavax.net.ssl.trustStoreType=KeychainStore
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------------< com.example:spring-boot >-----------------------
[INFO] Building spring-boot 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:resources (default-resources) @ spring-boot ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/tomasz/Development/skaffold-java-example/src/main/resources
[INFO] skip non existing resourceDirectory /Users/tomasz/Development/skaffold-java-example/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ spring-boot ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- jib-maven-plugin:2.2.0:build (default-cli) @ spring-boot ---
[INFO]
[INFO] Containerizing application to docker-repo.bananas.xyzsysadmin/skaffold-java-example...
[WARNING] Base image 'gcr.io/distroless/java:11-debug' does not use a specific image digest - build may not be reproducible
[INFO] Getting manifest for base image gcr.io/distroless/java:11-debug...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Using credentials from Docker config (/Users/tomasz/.docker/config.json) for docker-repo.bananas.xyz/sysadmin/skaffold-java-example
[ERROR] I/O error for image [gcr.io/distroless/java]:
[ERROR]     javax.net.ssl.SSLHandshakeException
[ERROR]     PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.119 s
[INFO] Finished at: 2020-05-20T23:13:42+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.2.0:build (default-cli) on project spring-boot: Build image failed: Failed to authenticate with registry docker-repo.bananas.xyz/sysadmin/skaffold-java-example because: insecure HTTP connection not allowed: http://docker-repo.bananas.xyz/v2/token?service=http://docker-repo.bananas.xyz/v2/token&scope=repository:sysadmin/skaffold-java-example:pull,push -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Additional information: the Dockerfile that works fine:

FROM openjdk:11-jdk AS builder
WORKDIR target/dependency
ARG APPJAR=target/*.jar
COPY ${APPJAR} app.jar
RUN jar -xf ./app.jar

FROM gcr.io/distroless/java:11-debug
VOLUME /tmp
ARG DEPENDENCY=target/dependency
COPY --from=builder ${DEPENDENCY}/BOOT-INF/lib /app/lib
COPY --from=builder ${DEPENDENCY}/META-INF /app/META-INF
COPY --from=builder ${DEPENDENCY}/BOOT-INF/classes /app
ENTRYPOINT ["java","-cp","app:app/lib/*","com.example.springboot.Application"]

Thanks in advance for help.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 14 (6 by maintainers)

Top GitHub Comments

TomaszKlosinski commented, May 22, 2020 (2 reactions)

Thanks for the help! We’re using Sonatype Nexus as Docker registry and we used pretty much default configuration. I’ll look into their docs to figure out how to reconfigure it to actually redirect to https. I’ll let you know if I had any progress with the KeychainStore. Cheers!

Update 1: I’ve just found out that the Nexus is using HTTP and we have a reverse proxy in front of it to do the SSL offloading. This is probably what is causing the issue.

Update 2: We’ve reconfigured Nexus to use HTTPS and it works now. Thanks for the help!
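An added diagnostic for the root cause the reporter found (this is not code from the issue or from Jib): a registry behind a TLS-offloading proxy advertises a plain http:// token realm, which Jib refuses unless sending credentials over HTTP is explicitly allowed. The Bearer challenge and the log line below are constructed from the URLs that appear in the log above, and the check flags any token endpoint that is not https or that points at a different host than the registry.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the challenge a registry behind a TLS-offloading proxy
# would advertise, and the Jib error line from the issue (same URLs).
CHALLENGE = ('Bearer realm="http://docker-repo.bananas.xyz/v2/token",'
             'service="http://docker-repo.bananas.xyz/v2/token",'
             'scope="repository:sysadmin/skaffold-java-example:pull,push"')
JIB_LOG_LINE = ("[ERROR] Failed to execute goal ... insecure HTTP connection not allowed: "
                "http://docker-repo.bananas.xyz/v2/token?service=http://docker-repo.bananas.xyz/v2/token"
                "&scope=repository:sysadmin/skaffold-java-example:pull,push -> [Help 1]")

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
_JIB_RE = re.compile(r"insecure HTTP connection not allowed: (\S+)")


def parse_bearer_challenge(header):
    """Split a Www-Authenticate Bearer challenge into its quoted parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def audit_token_url(url, registry_host):
    """Findings for a token endpoint URL; an empty list means it is safe to follow."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("token endpoint is not https (%s): credentials would be sent in clear"
                        % (parts.scheme or "no scheme"))
    if parts.hostname != registry_host:
        findings.append("token endpoint host %r differs from registry host %r"
                        % (parts.hostname, registry_host))
    return findings


def audit_challenge(header, registry_host):
    """Audit the realm a registry advertises in its Www-Authenticate header."""
    params = parse_bearer_challenge(header)
    if "realm" not in params:
        return ["challenge has no realm"]
    return audit_token_url(params["realm"], registry_host)


def audit_jib_log(line, registry_host):
    """Pull the rejected URL out of Jib's error line and audit it the same way."""
    match = _JIB_RE.search(line)
    return [] if match is None else audit_token_url(match.group(1), registry_host)
```

Run the audit against the registry's real `Www-Authenticate` response before reaching for -DsendCredentialsOverHttp=true; an empty result means the realm is https on the expected host and the proxy is no longer downgrading the token endpoint.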

TomaszKlosinski commented, Jun 2, 2020 (1 reaction)

Hi @chanseokoh, no, unfortunately, I have no clue. I thought it’s maybe an OpenJDK vs Oracle Java thing, but it didn’t work on either version for me. Somewhere I found information that with KeychainStore you can’t access all your certificates and passwords (only those that are assigned to your user); it’s somehow limited, but I’m not sure how it works exactly.

PS: I’ve just opened a question on StackOverflow, maybe somebody will provide some clues.
