How to add SSL certificates to Tomcat in Docker co

2020-06-03 01:42发布

站内问答 / Java
1855 3 4

I'm new to Docker and trying to learn it. I'm using Docker Quickstart Terminal on Windows 7. I've a simple requirement where I'm using Tomcat in a Docker container. My DockerFile is as following:

FROM tomcat:8.0.47-jre7
RUN cd /usr/local/tomcat/webapps
COPY test.war /usr/local/tomcat/webapps/test.war

Then I issue simple build and run commands in the Docker console.

test.war is a Java web-service. This web-service internally calls other web-services on remote hosts using HTTPS. I've the certs for the remote hosts.

I tried several ways available on the internet to import or copy those certs to different locations as mentioned on different forums/blogs, but in vain. Whenever I use HTTPS to call the external web-service from test.war, it gives me SSL Handshake error.

I also have a Java keystore. I tried to use Java also in my Docker file and tried to use the keystore, but again, in vain.

When I use the same test.war on the tomcat installed directly on my machine, it works absolutely fine.

Can someone help me by providing the steps to be able to import/use SSL certs/keystore in this scenario. Also, how can I import more than one certs?

3条回答
劳资没心,怎么记你
2楼-- · 2020-06-03 02:39

You can try importing the certificate into jvm trusted store inside docker.

I've the certs for the remote hosts.

You can use these certificates but in fact you don't need them, you only need the root certificate of the authority that issued the certificates. You can download it from the internet.

Usually they are given in pem format, but you'll need der for jvm.

First you need to convert the certificate:

openssl x509 -in ca.pem -inform pem -out ca.der -outform der

Then install it into jvm keystore:

keytool -importcert -alias startssl -keystore \
    $JAVA_HOME/lib/security/cacerts -storepass changeit -file ca.der

This command asks if you really want to add the certificate, you shoudl type "yes".

And all together in a Dockerfile:

FROM tomcat:8.0.47-jre7

COPY ca.pem ca.pem

RUN openssl x509 -in ca.pem -inform pem -out ca.der -outform der

RUN echo yes | keytool -importcert -alias startssl -keystore \
    /docker-java-home/jre/lib/security/cacerts -storepass changeit -file ca.der 

COPY test.war /usr/local/tomcat/webapps/test.war

WORKDIR /usr/local/tomcat/webapps

Note: if you already have certificate in der format you don't need openssl call, just copy the certificate directly.

To verify that the certificate is really applied you can run the container, ssh into it 

$ docker exec -it <CONTAINER-ID> bash

and check the keystore:

$ keytool -keystore "/docker-java-home/jre/lib/security/cacerts" -storepass changeit -list | grep <NAME-OF-YOUR-CERT-AUTHORITY>
查看更多
0人赞 添加讨论(0) 举报
ゆ 、 Hurt°
3楼-- · 2020-06-03 02:42

=> Use classpath:/some/location/cerkey.jks in case of Docker location, to refer the docker instance.

=> Use file:/some/location/cerkey.jks in case of host location, where the docker is running.

Hint: Value of server.ssl.key-store

查看更多
0人赞 添加讨论(0) 举报
太酷不给撩
4楼-- · 2020-06-03 02:46

For Java apps in RHEL/Centos images, you can use update-ca-trust, which will update your trust stores for you, from files you place into /etc/pki/ca-trust. It also accepts .pem files directly:

FROM ...

USER root
COPY yourcertificate.pem /etc/pki/ca-trust/source/anchors/yourcertificate.pem
RUN update-ca-trust

This will update /etc/pki/java/cacerts for you automatically, so that Java will trust the new certificate.

Or, if your cert is hosted on a web server, then you can use curl to download it instead of copying the file - for example:

RUN curl -k https://badssl.com/certs/ca-untrusted-root.crt -o /etc/pki/ca-trust/source/anchors/ca-untrusted-root.crt && \
    update-ca-trust
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)