Dockerfile keytool: getting "Certificate alias <name> already exists" even using "keytool -delete"

Views: 407

Problem description

I use a Dockerfile to create an image for our web app, which requires HTTPS. However, I am getting a `Certificate not imported, alias <my-cert-name> already exists` Java exception. When I tried without using the Dockerfile, just from the command line, I was able to delete the existing alias, and the export and import worked. But not with the Dockerfile. Any ideas? Thanks!

Dockerfile:

  FROM openjdk:8-alpine

  #Starting https and certs configuration
  #Make directory for certs inside the container
  RUN mkdir -p usr/app/ssl/certs/

  #Copy certs from local to the container
  COPY myWebApp/src/main/resources/PT/certificates/my-cert-name.jks usr/app/ssl/certs/
  COPY myWebApp/src/main/resources/PT/certificates/trustStore.jks usr/app/ssl/certs/

  #Export/Import certificate 
  RUN cd usr/app/ssl/certs/ && \
      keytool -delete -alias my-cert-name -keystore my-cert-name.jks -storepass password123! && \
      keytool -export -alias my-cert-name -keystore my-cert-name.jks -file my-cert-name.crt -storepass password123! && \
      keytool -importcert -keystore trustStore.jks -alias my-cert-name -storepass password123! -file my-cert-name.crt -noprompt
  #Ending https and certs configuration

  RUN mkdir -p /usr/app/myweb

  COPY myWebApp/target/myWeb.war /usr/app/myweb

  CMD java -Xms512M -Xmx6144M -XX:MaxMetaspaceSize=3072M -jar /usr/app/myweb/myWeb.war
  EXPOSE 8080

Docker build command:

  docker build -t test-https-image .

Environment:

  Using Docker Desktop on Windows 10.

Thanks in advance!

Recommended answer

I prefer this notation:

RUN cd usr/app/ssl/certs/ && \
    keytool -delete -alias my-cert-name -keystore my-cert-name.jks -storepass password123! && \
    keytool -export -alias my-cert-name -keystore my-cert-name.jks \
      -file my-cert-name.crt -storepass password123! && \
    keytool -importcert -keystore trustStore.jks -alias my-cert-name -storepass password123! \
      -file my-cert-name.crt -noprompt

It is easier to double-check that you are importing the same name you have deleted.
(since -delete is a good way to force an update of an existing certificate)

But the point is:

  • you delete in my-cert-name.jks, while you import in trustStore.jks.
  • if the import fails, that means trustStore.jks already has a certificate for that name

If that certificate was already in the copied keystore, I would not export/re-import it. (I only imported it in my previous answer)

Make sure "usr/app/ssl/certs" is the right path: I would rather use an absolute path than a relative one.

The OP, fongfong, confirms:

I should delete the existing alias from trustStore.jks, not my-cert-name.jks
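
A corrected version of the RUN step, as an added example that is neither the original poster's nor the answerer's Dockerfile: it removes the alias from trustStore.jks (the store the import goes into, which is where "already exists" is raised), guards the delete so the step is idempotent, uses absolute paths, and reads the store password from a BuildKit secret instead of a literal -storepass that would be recorded in the image history. The secret id `storepass`, the `storepass.txt` file, and the assumption that both keystores share one password are mine, not from the thread.

```dockerfile
# syntax=docker/dockerfile:1
FROM openjdk:8-alpine

# Absolute path, as the answer recommends (WORKDIR creates it)
WORKDIR /usr/app/ssl/certs

COPY myWebApp/src/main/resources/PT/certificates/my-cert-name.jks .
COPY myWebApp/src/main/resources/PT/certificates/trustStore.jks .

# The password arrives as a BuildKit secret (assumed id "storepass"):
#   docker build --secret id=storepass,src=./storepass.txt -t test-https-image .
# It is mounted at /run/secrets/storepass only for this RUN and never lands
# in a layer, unlike a literal -storepass value in the RUN line.
#
# The conflict is in trustStore.jks, the destination of -importcert, so the
# existing alias is deleted there. `keytool -list -alias` exits non-zero when
# the alias is absent, so the delete only runs when there is something to
# delete and the build also works on a fresh trust store.
RUN --mount=type=secret,id=storepass \
    PASS="$(cat /run/secrets/storepass)" && \
    if keytool -list -keystore trustStore.jks -alias my-cert-name \
            -storepass "$PASS" >/dev/null 2>&1; then \
        keytool -delete -alias my-cert-name -keystore trustStore.jks \
            -storepass "$PASS"; \
    fi && \
    keytool -export -alias my-cert-name -keystore my-cert-name.jks \
        -file my-cert-name.crt -storepass "$PASS" && \
    keytool -importcert -keystore trustStore.jks -alias my-cert-name \
        -file my-cert-name.crt -storepass "$PASS" -noprompt && \
    rm my-cert-name.crt

RUN mkdir -p /usr/app/myweb
COPY myWebApp/target/myWeb.war /usr/app/myweb

EXPOSE 8080
CMD ["java", "-Xms512M", "-Xmx6144M", "-XX:MaxMetaspaceSize=3072M", \
     "-jar", "/usr/app/myweb/myWeb.war"]
```

If the certificate is already present in trustStore.jks from the copied file, the export/import can be dropped entirely, as the answer notes; the guarded delete plus import is only needed when the trust store must be refreshed with the current certificate.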
