spring boot bootBuildImage paketo ssl cert location?

Question

TLDR: spring boot gradle bootBuildImage task fails with x509 cert validation error (due to zscaler). Where to add the root cert?

Info

We're using spring boot's (2.3) new "bootBuildImage" to build docker images.

Recently our IT group turned on "zscaler everywhere" which effectively routes all http and https traffic through a company-blessed 'man in the middle' , i.e. which use DNS to 'gateway/checkpoint' network traffic

Error

Aft this change, gradle fails with X509 certificate validation error:

2021-03-01T08:40:42.120-0600 [QUIET] [system.out]     [creator]     unable to request https://repo.
spring.io/release/org/springframework/cloud/spring-cloud-bindings/1.7.0/spring-cloud-bindings-1.7.0
.jar
2021-03-01T08:40:42.120-0600 [QUIET] [system.out]     [creator]     Get "https://repo.spring.io/release/org/springframework/cloud/spring-cloud-bindings/1.7.0/spring-cloud-bindings-1.7.0.jar": x509: certificate signed by unknown authority
202

More Context

• Spring boot 3.7
• Gradle
• Mac
• Docker desktop
• Fails specifically on spring-cloud-bindings

Question

• How to get past x509 ssl cert validation error?

I understand that should be able to install the zscaler root cert in a trust store, but am unclear which trust store?? (and where on the filesystem?)

• docker
• paketo

I'm unclear why 'spring cloud download' fails, but other downloads succeed, i.e. this download succeeds:

2021-03-01T08:40:34.790-0600 [QUIET] [system.out]     [creator]       BellSoft Liberica JRE 8.0.282
: Contributing to layer
2021-03-01T08:40:34.790-0600 [QUIET] [system.out]     [creator]         Downloading from https://github.com/bell-sw/Liberica/releases/download/8u282+8/bellsoft-jre8u282+8-linux-amd64.tar.gz
2021-03-01T08:40:38.913-0600 [QUIET] [system.out]     [creator]         Verifying checksum

thanks in advance!

Answer 1

Similar issues has been reported on Github, like this one related with Spring Cloud, and especially this other, in the Spring Boot project.

As explained in the last mentioned issue, at the moment probably the best solution will be to customize the image that should be used in the build process, as explained in this comment in a related Github issue.

The idea is generate a new image with the necessary certificates configured, and use it as your builder base (copied from the indicated comment as an example):

FROM gcr.io/paketo-buildpacks/builder:base

USER root

ADD server.crt /usr/local/share/ca-certificates/server.crt
RUN chmod 644 /usr/local/share/ca-certificates/server.crt \
 && update-ca-certificates

USER cnb

This customized image will be the one used by Spring Boot in your build task. Please, see the relevant documentation.

The above-mentioned issue indicates as well, just only a couple of days ago, that the latest Spring Boot snapshot version include the bindings feature that will allow you to add custom certificates to the builder container with the Maven and Gradle plugins. This feature will be available in the 2.5.0-M3 Spring Boot milestone, on March 18th.