
Docker RUN with keytool import to Java truststore successful but fails at the same time during image build?

I have to add a custom root certificate to the Java trust store inside a Docker environment. So I added the following command to my Dockerfile:

RUN $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt

I get the following output when building the docker image:

Step 10/10 : RUN $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt
 ---> Running in cbc2a547797e
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /opt/java/openjdk/jre/lib/security/cacerts (No such file or directory)
The command '/bin/sh -c $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt' returned a non-zero code: 1

I'm baffled by the following facts:

  • the output Certificate was added to keystore seems to indicate a successful execution of keytool
  • at the same time, I get keytool error and a non-zero return-code, so no success
  • the file that is claimed not to exist, does in fact exist (could it be an access problem?)

What I've checked:

  • $JAVA_HOME seems to be available, as the error message displays the correct path
  • When I build the image without the above RUN command, then issue the exact same command inside the docker container, it works perfectly
  • I checked the same using /bin/sh as the shell to make sure it's not the shell - worked
  • There's no dependency on the current directory, as all paths are absolute

Now I don't have any more ideas how to track this issue down.

not2savvy asked Nov 04 '25 20:11



1 Answer

It is probably a permission issue. What I'm guessing is that the base image you use changed the user from root, and you need to be root to access the file. You should be able to do the following:

USER root
RUN $JAVA_HOME/bin/keytool -import -file /opt/custom/certs/mycert.pem -alias mycert -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts -storepass changeit -noprompt
USER originaluser

You can find the original user by using:

docker history yourbaseimagename:tag
jeanpic answered Nov 07 '25 11:11

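A preflight check for the two causes discussed above (the path named in the keytool error and the build user's permissions), as an added example that is not part of the original question or answer. The function names, return codes and the way the script is invoked are assumptions of this sketch; it relies on JDK 8 keeping cacerts under jre/lib/security and JDK 9+ under lib/security.

```shell
#!/bin/sh
# Added example: run before keytool in a RUN step to see why an import fails.
# Return codes are this sketch's own convention:
#   0 writable, 1 directory missing, 2 truststore missing, 3 not writable.

truststore_preflight() {
    store=$1
    dir=$(dirname "$store")
    if [ ! -d "$dir" ]; then
        # Matches the "No such file or directory" seen when keytool saves the store.
        echo "missing directory: $dir"
        return 1
    fi
    if [ ! -f "$store" ]; then
        echo "missing truststore: $store"
        return 2
    fi
    if [ ! -w "$store" ]; then
        # The case the answer suspects: base image switched away from root.
        echo "not writable by uid $(id -u): $(ls -ld "$store")"
        return 3
    fi
    echo "ok: $store is writable by uid $(id -u)"
    return 0
}

# Locate cacerts under a Java home: JDK 8 layout first, then JDK 9+ layout.
find_cacerts() {
    home=$1
    for candidate in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone use (hypothetical script name): sh preflight.sh "$JAVA_HOME"
if [ "$#" -eq 1 ]; then
    store=$(find_cacerts "$1") || { echo "no cacerts found under $1"; exit 1; }
    truststore_preflight "$store" || exit $?
fi
```

A non-zero exit fails the image build at the preflight step, so the reported uid and path appear in the build log before keytool runs.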


