Forcing Jib to use Mac OS X Keychain Store with self-signed certificate imported
Environment:
- Jib version: 2.2.0
- Build tool:
mvn --version
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /usr/local/Cellar/maven/3.6.3_1/libexec
Java version: 11.0.7, vendor: AdoptOpenJDK, runtime: /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home
Default locale: en_CH, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.1", arch: "x86_64", family: "mac"
- OS: Mac OS X Catalina (10.15.1)
Description of the issue:
I’m trying to build an image (based on gcr.io/distroless/java:11-debug) and push it to my company’s private registry.
It works if I ignore TLS:
mvn -B compile com.google.cloud.tools:jib-maven-plugin:build -Djib.allowInsecureRegistries=true -DsendCredentialsOverHttp=true
It works over https if I build and push identical image with a Dockerfile.
But when I try to force Maven/Jib to pick up the certificates from the Keychain (using -Djavax.net.ssl.trustStoreType=KeychainStore), then it fails, complaining that it can’t get the certificate for gcr.io. I don’t use any proxy, so I don’t understand why it doesn’t work, just like with the Dockerfile.
Expected behavior: Maven/Jib should pick up the certificate and the image should be pushed to the registry over https.
Steps to reproduce:
- Get a private docker registry with a self-signed certificate for https
- Try to push to it an image using Mac OS X’s KeychainStore certificates
- Fail
jib-maven-plugin Configuration:
<build>
  <plugins>
    <plugin>
      <groupId>com.google.cloud.tools</groupId>
      <artifactId>jib-maven-plugin</artifactId>
      <version>${jib.maven-plugin-version}</version>
      <configuration>
        <from>
          <image>gcr.io/distroless/java:11-debug</image>
        </from>
        <to>
          <image>docker-repo.bananas.xyz/sysadmin/skaffold-java-example</image>
        </to>
      </configuration>
    </plugin>
  </plugins>
</build>
Log output:
$ mvn -B compile com.google.cloud.tools:jib-maven-plugin:build -Djavax.net.ssl.trustStoreType=KeychainStore
[INFO] Scanning for projects...
[INFO]
[INFO] ----------------------< com.example:spring-boot >-----------------------
[INFO] Building spring-boot 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:resources (default-resources) @ spring-boot ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/tomasz/Development/skaffold-java-example/src/main/resources
[INFO] skip non existing resourceDirectory /Users/tomasz/Development/skaffold-java-example/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ spring-boot ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- jib-maven-plugin:2.2.0:build (default-cli) @ spring-boot ---
[INFO]
[INFO] Containerizing application to docker-repo.bananas.xyz/sysadmin/skaffold-java-example...
[WARNING] Base image 'gcr.io/distroless/java:11-debug' does not use a specific image digest - build may not be reproducible
[INFO] Getting manifest for base image gcr.io/distroless/java:11-debug...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Using credentials from Docker config (/Users/tomasz/.docker/config.json) for docker-repo.bananas.xyz/sysadmin/skaffold-java-example
[ERROR] I/O error for image [gcr.io/distroless/java]:
[ERROR] javax.net.ssl.SSLHandshakeException
[ERROR] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.119 s
[INFO] Finished at: 2020-05-20T23:13:42+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.2.0:build (default-cli) on project spring-boot: Build image failed: Failed to authenticate with registry docker-repo.bananas.xyz/sysadmin/skaffold-java-example because: insecure HTTP connection not allowed: http://docker-repo.bananas.xyz/v2/token?service=http://docker-repo.bananas.xyz/v2/token&scope=repository:sysadmin/skaffold-java-example:pull,push -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Additional information: Dockerfile that works fine:
FROM openjdk:11-jdk AS builder
WORKDIR target/dependency
ARG APPJAR=target/*.jar
COPY ${APPJAR} app.jar
RUN jar -xf ./app.jar
FROM gcr.io/distroless/java:11-debug
VOLUME /tmp
ARG DEPENDENCY=target/dependency
COPY --from=builder ${DEPENDENCY}/BOOT-INF/lib /app/lib
COPY --from=builder ${DEPENDENCY}/META-INF /app/META-INF
COPY --from=builder ${DEPENDENCY}/BOOT-INF/classes /app
ENTRYPOINT ["java","-cp","app:app/lib/*","com.example.springboot.Application"]
Thanks in advance for help.
Issue Analytics
- Created 3 years ago
- Comments: 14 (6 by maintainers)
Top GitHub Comments
Thanks for the help! We’re using Sonatype Nexus as Docker registry and we used pretty much default configuration. I’ll look into their docs to figure out how to reconfigure it to actually redirect to https. I’ll let you know if I had any progress with the KeychainStore. Cheers!
Update 1: I’ve just found out that the Nexus is using HTTP and we have a reverse proxy in front of it to do the SSL offloading. This is probably what is causing the issue.
Update 2: We’ve reconfigured Nexus to use HTTPS and it works now. Thanks for the help!
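The failure in the log above is not really a trust-store problem: the registry answered the /v2/ probe with a Bearer challenge whose realm and service were http:// URLs (Nexus behind a TLS-offloading proxy builds those URLs from the scheme it sees, which is plain HTTP), and Jib refuses to fetch a token over plain HTTP unless jib.allowInsecureRegistries is set. The following is an added example, not code from the issue or from the Jib project: a small POSIX shell check that pulls the realm out of a WWW-Authenticate header and flags an http:// token endpoint. The header values are constructed to match the URLs in the log; the hostname docker-repo.bananas.xyz is the one from the issue and is used here only as sample input.

```shell
#!/bin/sh
# Added example (not from the issue or from Jib): detect a Docker registry
# whose token endpoint is advertised over plain HTTP.
#
# A registry answers GET /v2/ with 401 and a header such as
#   WWW-Authenticate: Bearer realm="https://host/v2/token",service="host"
# If a TLS-offloading reverse proxy in front of the registry does not pass the
# original scheme through (X-Forwarded-Proto), the realm comes back as
# http://..., which is exactly what the Jib error above shows.

# Print the realm="..." value of a Bearer challenge; prints nothing for
# Basic challenges or headers without a realm.
registry_token_realm() {
    printf '%s\n' "$1" | sed -n 's/.*[Bb]earer *realm="\([^"]*\)".*/\1/p'
}

# Classify the header by the scheme of the token endpoint.
check_token_realm() {
    realm=$(registry_token_realm "$1")
    case "$realm" in
        https://*) echo "OK: token endpoint $realm is served over TLS" ;;
        http://*)  echo "INSECURE: token endpoint $realm is plain HTTP; fix the proxy/registry scheme instead of setting jib.allowInsecureRegistries" ;;
        "")        echo "NO-BEARER-REALM: not a Bearer challenge (Basic auth or anonymous registry)" ;;
        *)         echo "UNKNOWN: unexpected realm $realm" ;;
    esac
}

# Constructed sample headers (the first mirrors the URLs in the Jib log).
BAD_HEADER='WWW-Authenticate: Bearer realm="http://docker-repo.bananas.xyz/v2/token",service="http://docker-repo.bananas.xyz/v2/token",scope="repository:sysadmin/skaffold-java-example:pull,push"'
GOOD_HEADER='WWW-Authenticate: Bearer realm="https://docker-repo.bananas.xyz/v2/token",service="docker-repo.bananas.xyz"'
BASIC_HEADER='WWW-Authenticate: Basic realm="Sonatype Nexus Repository Manager"'

# Live usage against a real registry (needs network, so left commented out):
#   curl -sS -o /dev/null -D - https://docker-repo.bananas.xyz/v2/ \
#     | grep -i '^www-authenticate:' \
#     | while read -r h; do check_token_realm "$h"; done

check_token_realm "$BAD_HEADER"
check_token_realm "$GOOD_HEADER"
check_token_realm "$BASIC_HEADER"
```

Run it against the registry before touching any trust store: if the realm is http://, no amount of certificate importing on the client will help, and the fix belongs in the proxy (forward the scheme) or in the registry (serve HTTPS itself), as the comment above ends up doing.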
Hi @chanseokoh, no, unfortunately, I have no clue. I thought it’s maybe an OpenJDK vs Oracle Java thing, but it didn’t work on either version for me. Somewhere I found information that with KeychainStore you can’t access all your certificates and passwords (only those that are assigned to your user), it’s somehow limited, but I’m not sure how it works exactly.
PS. I’ve just opened a question on StackOverflow, maybe somebody will provide some clues.