JDK 10 modules and sun.security.provider.certpath.SunCertPathBuilderException

Question

I use to run my application on the openjdk:10-slim docker image and everything was working fine.

Then I migrated to a custom JDK built with Jlink using the following dockerfile:

FROM openjdk:10-jdk-slim AS jdkBuilder

RUN $JAVA_HOME/bin/jlink \
--module-path /opt/jdk/jmods \
--verbose \
--add-modules java.base,java.logging,java.xml,java.xml.bind,java.sql,jdk.unsupported,java.naming,java.desktop,java.management,java.security.jgss,java.security.sasl,jdk.crypto.cryptoki,jdk.crypto.ec,java.instrument,jdk.management.agent \
--output /opt/jdk-minimal \
--compress 2 \
--no-header-files


FROM debian:9-slim
COPY --from=jdkBuilder /opt/jdk-minimal /opt/jdk-minimal

ENV JAVA_HOME=/opt/jdk-minimal
COPY target/*.jar /opt/

CMD $JAVA_HOME/bin/java $JAVA_OPTS -jar /opt/*.jar

That mostly works fine too expect for when I use the AWS S3 SDK in which case I get the following exception:

com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm guessing that those certificates (or ways of accessing them) are provided by one missing package which I'm not including.

I did some digging and couldn't find any information about that. I tried adding any module that could be related to security or SSL but I without luck.

Has anyone encountered this issue and know which module need to be added? As a workaround I reverted back to openjdk:10-slim but I would like to use jlink as it makes my image smaller

Answer 1

Exception suggests that your environment is missing some root certificates.

Try copying cacerts from openjdk:10-slim to JDK you are using.