服务无法识别将自签名证书导入 Docker 的 JRE cacert [英] Importing self-signed cert into Docker's JRE cacert is not recognized by the service

问题描述

• 一个 Java 服务在 Docker 容器内运行，它访问外部 HTTPS url，其自签名证书对服务/JRE cacert 密钥库不可用，因此连接失败.
• 因此将 HTTPS 外部 URL 的自签名证书导入到 Docker 容器的 JRE cacert 密钥库中.(检查 $JAVA_HOME 环境变量后)
• 重新启动 Docker 容器(使用 docker restart 命令)，希望服务也重新启动并从 JRE cacert 中选择更改.但这并没有发生，Java 服务仍然无法访问外部 HTTPS URL.

• A Java Service is running inside the Docker container, which access the external HTTPS url and its self-sign certificate is unavailable to the service/ JRE cacert keystore and therefore connection fails.
• Hence imported the self-signed certificate of HTTPS external URL into Docker container's JRE cacert keystore. (after checking the $JAVA_HOME env. variable)
• Restarted the Docker container (using docker restart command), hoping that the service is also get restarted and pick the changes from JRE cacert. But this didn't happen, the Java service still fails to access external HTTPS URL.

知道在 Docker 容器内运行的 Java 服务如何通过新证书导入来选择 JRE cacert 更改吗?

Any idea how a Java service running inside the Docker container pick the JRE cacert changes with new certificate import?

推荐答案

因此将 HTTPS 外部 URL 的自签名证书导入到 Docker 容器的 JRE cacert 密钥库中.

Hence imported the self-signed certificate of HTTPS external URL into Docker container's JRE cacert keystore.

否:您需要将其导入到运行容器的 Docker 镜像中.

No: you need to import it into the Docker image from which you run your container.

将其导入容器只会创建一个 临时可写数据层，当你重启容器时会被丢弃.

Importing it into the container would only create a temporary writable data layer, which will be discarded when you restart your container.

类似于这个答案:

USER root
COPY ldap.cer $JAVA_HOME/jre/lib/security
RUN 
    cd $JAVA_HOME/jre/lib/security 
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer

这篇关于服务无法识别将自签名证书导入 Docker 的 JRE cacert的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！