Artifactory Binary Repository / RTFACT-20692

Artifactory Pro Docker Image Not Allowing Inclusion Of Additional Certificates


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: 6.15.0
    • Fix Version/s: None
    • Component/s: Docker Image
    • Environment:

      Running on a CentOS 7 instance via Docker using AWS ECS 

      Description

      When launching Artifactory Pro 6.15.0 as a Docker container, I am mounting certificates into /artifactory_extra_certs.

       

      The entrypoint script attempts to add certificates in that directory to the default Java keystore in the image. 

       

      The attempt fails because the keystore is owned by root.

      An example from ECS output logs:

      2019-11-22 20:48:15 [711 entrypoint-artifactory.sh] Adding extra certificates to Java keystore if exist
      2019-11-22 20:48:16 [726 entrypoint-artifactory.sh] Adding /artifactory_extra_certs/chsroot.crt to Java cacerts
      Certificate was added to keystore
      keytool error: java.io.FileNotFoundException: /java/jdk-11.0.2+9/lib/security/cacerts (Permission denied)
      2019-11-22 20:48:16 [54 entrypoint-artifactory.sh] WARNING: Adding /artifactory_extra_certs/chsroot.crt failed!
      2019-11-22 20:48:17 [726 entrypoint-artifactory.sh] Adding /artifactory_extra_certs/doiroot.crt to Java cacerts
      Certificate was added to keystore
      keytool error: java.io.FileNotFoundException: /java/jdk-11.0.2+9/lib/security/cacerts (Permission denied)
      2019-11-22 20:48:17 [54 entrypoint-artifactory.sh] WARNING: Adding /artifactory_extra_certs/doiroot.crt failed!
      
      

       

      I have the same issue if I get onto the running container and try the same command manually:

      /java/jdk-11.0.2+9/bin/keytool -importcert -trustcacerts -noprompt -cacerts -storepass changeit -file chsroot.crt -alias chsroot
      Certificate was added to keystore
      keytool error: java.io.FileNotFoundException: /java/jdk-11.0.2+9/lib/security/cacerts (Permission denied)
      
      

      If, in the running container, I copy /java/jdk-11.0.2+9/lib/security/cacerts to /home, the permissions on it change to the artifactory user. If I try to add my certificate to the local cacerts file owned by artifactory, this works.

       

      artifactory@bf85eb67a5e5:~$ cp /java/jdk-11.0.2+9/lib/security/cacerts .
      artifactory@bf85eb67a5e5:~$ ls -al
      total 236
      drwx------ 1 artifact artifact 79 Nov 22 21:45 .
      drwxr-xr-x 1 root root 71 Nov 22 20:48 ..
      -rw------- 1 artifact artifact 2122 Nov 22 21:40 .bash_history
      -rw-r--r-- 1 artifact artifact 102883 Nov 22 21:45 cacerts
      -rw-r--r-- 1 artifact artifact 730 Nov 22 21:39 chsroot.crt
      -rw-r--r-- 1 artifact artifact 125604 Nov 22 21:34 output.txt
      artifactory@bf85eb67a5e5:~$ /java/jdk-11.0.2+9/bin/keytool -importcert -keystore ./cacerts -trustcacerts -noprompt -storepass changeit -file chsroot.crt -alias chsroot
      Certificate was added to keystore

       

      So it would seem as though the instructions in the Overview for adding your own cacerts to the java keystore don't work as expected.

       

      Am I missing something?

       

      The only workaround I can think of at this point is to mount my own cacerts file that I've already added my root certs to into the container and add extra java options to point to it. I can probably even copy down the cacerts from the docker image and perform the add locally.

       

      But it would seem to me that this is not the expected behavior of having the /artifactory_extra_certs directory.
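An added example, not JFrog's entrypoint-artifactory.sh and not the reporter's code, showing the workaround sketched above as a POSIX shell function: when the JDK's root-owned cacerts is not writable by the running user, the certificates are imported into a private copy and the JVM system properties that select that copy are printed. The paths are taken from the report; the variable names and the behaviour of reporting a non-zero exit status per failed import are assumptions.

```shell
#!/bin/sh
# Added example, not the Artifactory entrypoint script. Imports every *.crt in
# EXTRA_CERTS_DIR into a truststore the current user can write to. Defaults are
# the paths from the bug report (assumed); all can be overridden via environment.
EXTRA_CERTS_DIR="${EXTRA_CERTS_DIR:-/artifactory_extra_certs}"
JDK_CACERTS="${JDK_CACERTS:-/java/jdk-11.0.2+9/lib/security/cacerts}"
KEYTOOL="${KEYTOOL:-/java/jdk-11.0.2+9/bin/keytool}"
STOREPASS="${STOREPASS:-changeit}"
TRUSTSTORE_COPY="${TRUSTSTORE_COPY:-$HOME/cacerts}"

# Print the path of a truststore we can write to: the JDK's own cacerts if it
# is writable, otherwise a private copy. This is the check the entrypoint lacks,
# which is why it runs into "Permission denied" on the root-owned file.
writable_truststore() {
  if [ -w "$JDK_CACERTS" ]; then
    printf '%s\n' "$JDK_CACERTS"
    return 0
  fi
  cp "$JDK_CACERTS" "$TRUSTSTORE_COPY" && chmod 600 "$TRUSTSTORE_COPY" || return 1
  printf '%s\n' "$TRUSTSTORE_COPY"
}

# Import each certificate, counting failures rather than only warning about
# them. Exit status is the number of certificates that failed to import. When a
# private copy was used, the JVM options needed to trust it are printed on
# stdout so the caller can append them to the JVM's options.
import_extra_certs() {
  store="$(writable_truststore)" || return 1
  failed=0
  for crt in "$EXTRA_CERTS_DIR"/*.crt; do
    [ -f "$crt" ] || continue           # no *.crt files: nothing to do
    alias="$(basename "$crt" .crt)"
    if "$KEYTOOL" -importcert -trustcacerts -noprompt -keystore "$store" \
         -storepass "$STOREPASS" -file "$crt" -alias "$alias" >/dev/null 2>&1
    then
      echo "Added $crt to $store" >&2
    else
      echo "WARNING: adding $crt to $store failed" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$store" != "$JDK_CACERTS" ]; then
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$store" \
      "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
  fi
  return "$failed"
}
```

Call `import_extra_certs` from a wrapper entrypoint and add its stdout to the JVM options; a non-zero exit status means at least one certificate was not imported and the container should not be considered healthy.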

       

      People

      Assignee: Unassigned
      Reporter: Ivan Suftin (isuftin)