
Inclusion of JRE certificates fails with Oracle Java (wrong path for cacerts) #415

Closed
mayrstefan opened this issue Apr 19, 2017 · 3 comments

@mayrstefan
Contributor

mayrstefan commented Apr 19, 2017

We use a customized version of the java offline buildpack with Oracle Java instead of OpenJDK. The buildpack fails to stage since we upgraded from version 3.12 to 3.15.

-----> Downloading Container Certificate Trust Store 2.0.0_RELEASE from https://java-buildpack.cloudfoundry.org/container-certificate-trust-store/container-certificate-trust-store-2.0.0_RELEASE.jar (found in cache)
       Adding certificates to .java-buildpack/container_certificate_trust_store/truststore.jks
Command '/tmp/app/.java-buildpack/oracle_jre/bin/java -jar /tmp/app/.java-buildpack/container_certificate_trust_store/container_certificate_trust_store-2.0.0_RELEASE.jar --container-source /etc/ssl/certs/ca-certificates.crt --destination /tmp/app/.java-buildpack/container_certificate_trust_store/truststore.jks --destination-password java-buildpack-trust-store-password --jre-source /tmp/app/.java-buildpack/oracle_jre/lib/security/cacerts --jre-source-password changeit' has failed
STDOUT:
STDERR: Exception in thread "main" java.nio.file.NoSuchFileException: /tmp/app/.java-buildpack/oracle_jre/lib/security/cacerts
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
        at java.nio.file.Files.newByteChannel(Files.java:361)
        at java.nio.file.Files.newByteChannel(Files.java:407)
        at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
        at java.nio.file.Files.newInputStream(Files.java:152)
        at org.cloudfoundry.certificate.ContainerCertificateTrustStoreBuilder.addJreCertificates(ContainerCertificateTrustStoreBuilder.java:55)
        at org.cloudfoundry.certificate.ContainerCertificateTrustStoreBuilder.createTrustStore(ContainerCertificateTrustStoreBuilder.java:72)
        at org.cloudfoundry.certificate.ContainerCertificateTrustStoreBuilder.main(ContainerCertificateTrustStoreBuilder.java:36)
[Buildpack]                      ERROR Compile failed with exception RuntimeError
 Failed to compile droplet

I would say this was introduced with the JRE truststore inclusion in 3.13.

Oracle places cacerts in jre/lib/security instead of lib/security.
The buildpack code is missing two things:

  • an alternate cacerts location for Oracle Java
  • error handling when it cannot find the cacerts file, instead of failing the whole staging process

Our current workaround extracts the cacerts file from Oracle Java and places it into the buildpack filesystem overlay for lib/security.

@nebhale
Member

nebhale commented Apr 19, 2017

The problem is that you've customized your version of the buildpack to use the Oracle JDK, not the Oracle JRE. The buildpack has only ever supported the JRE (specifically excluding compilation abilities in the container). If you provide a JRE instead of a JDK this will work.

I'll keep this issue open to improve the failure mode, but I do plan to continue to fail staging on a missing JRE_ROOT/lib/security/cacerts.

@nebhale nebhale added this to the v3.16 milestone Apr 19, 2017
@nebhale nebhale added the bug label Apr 19, 2017
@nebhale nebhale self-assigned this Apr 19, 2017
@mayrstefan
Contributor Author

Good point. We are using Oracle Server JRE which uses the same directory structure as the JDK. I've just checked all three variants for comparison (latest Java 8 U131):

  • JRE: lib/security/cacerts
  • Server-JRE: jre/lib/security/cacerts
  • JDK: jre/lib/security/cacerts

The documentation gave no hint that the Server JRE is not supported. It is specifically mentioned for the JCE Unlimited Strength JARs, although this special directory structure is missing in the paragraph about including the cacerts file.
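One way to cover both layouts listed above (plain JRE versus Server JRE/JDK) while letting staging continue when no cacerts file is found, written here as an added Ruby example rather than code from the buildpack or the trust store builder; the helper names, the JKS header check, and the fake-JRE directory builder are assumptions made for this illustration:

```ruby
require 'tmpdir'
require 'fileutils'

# cacerts locations relative to the JRE root, in the order the issue lists them:
# plain JRE first, then the Server JRE / JDK layout with the extra "jre/" level.
CACERTS_CANDIDATES = [
  File.join('lib', 'security', 'cacerts'),        # JRE
  File.join('jre', 'lib', 'security', 'cacerts')  # Server JRE and JDK
].freeze

# Every Java keystore (JKS) file starts with the magic number 0xFEEDFEED.
JKS_MAGIC = "\xFE\xED\xFE\xED".b.freeze

# Returns the first candidate that exists and looks like a JKS keystore, or nil
# when the JRE ships no usable cacerts. Returning nil instead of raising is what
# lets staging continue with a trust store holding only the container CAs.
def locate_jre_cacerts(jre_root)
  CACERTS_CANDIDATES.each do |rel|
    path = File.join(jre_root, rel)
    next unless File.file?(path)
    return path if File.binread(path, 4) == JKS_MAGIC
    warn "#{path} exists but is not a JKS keystore; skipping"
  end
  nil
end

# Argument list for the trust store builder jar as invoked in the issue; the
# --jre-source pair is added only when a cacerts file was found (hypothetical
# helper, not buildpack code).
def trust_store_args(jre_root, container_source, destination)
  args = ['--container-source', container_source, '--destination', destination]
  cacerts = locate_jre_cacerts(jre_root)
  args += ['--jre-source', cacerts, '--jre-source-password', 'changeit'] if cacerts
  args
end

# Throwaway directory laid out like one of the Oracle distributions (:jre,
# :server_jre, :jdk) or :none, holding a constructed fake cacerts file that
# carries only the JKS header (magic, version 2, zero entries).
def make_fake_jre(layout)
  root = Dir.mktmpdir('fake-jre')
  rel = { jre: CACERTS_CANDIDATES[0],
          server_jre: CACERTS_CANDIDATES[1], jdk: CACERTS_CANDIDATES[1] }[layout]
  if rel
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.binwrite(File.join(root, rel), JKS_MAGIC + "\x00\x00\x00\x02\x00\x00\x00\x00".b)
  end
  root
end
```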

@nebhale
Member

nebhale commented Apr 19, 2017

Fair point. I'll add support for the Server JRE location.

nebhale added a commit to cloudfoundry/java-buildpack-container-certificate-trust-store that referenced this issue Apr 21, 2017
Previously, that JRE source was a required parameter to the application.  A
recent problem where the JRE source could not be found in its usual place
(because it was a server JRE) indicated that staging should not fail completely
if a JRE source can't be found.  This change makes that parameter optional so
that staging can progress even in the face of a missing JRE source.

[cloudfoundry/java-buildpack#415]