runtime certificates loading for truststore

[neoludo]

HI there,

I've followed instructions at https://paketo.io/docs/howto/configuration/#ca-certificates to add certificates at runtime.
I can see that log at startup :
Added 3 additional CA certificate(s) to system truststore

But when I'm listing certificates from inside my app, I dont see the 3 added certificates...
It seems that build-time truststore is used....
I should have missed a step.

Can anyone help me, plz ?

Thanks
Ludo

[sdeleuze]

You may find the answer in paketo-buildpacks/graalvm#66, please let us know how it goes, happy to improve the documentation if needed.

[matthyx]

@sdeleuze I think @neoludo wants to load the truststore at runtime, as recently added to graalvm:
https://www.graalvm.org/reference-manual/native-image/CertificateManagement/#run-time-options

[sdeleuze]

Thanks for the link @matthyx, I was missed the fact it was properly documented now. I think such documentation on native image official documentation is good enough so I close this issue.

[matthyx]

@sdeleuze hmm, not sure as it's not clear to me how you can specify javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to the native image from the container image.

One solution is to override the container entrypoint and/or arguments, but it's against the whole buildpack philosophy, isn't it?

[sdeleuze]

Ok let's discuss that with @scottfrederick and @dmikusa-pivotal then.

[matthyx]

Ok let's discuss that with @scottfrederick and @dmikusa-pivotal then.

Do you mean in this issue?

[dmikusa]

If you want to send additional arguments to the native-image command at build time, you can do that by setting $BP_NATIVE_IMAGE_BUILD_ARGUMENTS. Your arguments are augmented by the buildpack which adds the following information (you don't need/want to include this manually):

1. When on the tiny stack, -H:+StaticExecutableWithDynamicLibC will be appended to your custom argument list.
2. -H:Name= is appended to the custom argument list where the value is set as the full path to the start class
3. -cp is set with the full classpath
4. The start class is added to the end of the command

If you want to supply arguments at runtime, you can do that using these instructions. This will let you pass additional arguments to the default command used to run your application.

---

In terms of javax.net.ssl.trustStore we don't generally recommend setting this value directly for Java applications running on a JVM. If you follow the recommended instructions for adding trusted CA certificates, this will result in the certificates being added to the default system truststore, i.e. /etc/ssl/certs/ca-certificates.crt and to the default truststore for the JVM.

In terms of native image builds, I think this advice would apply as well (I'm open to discussing this though as native image is new). The additional trusted certificates should be loaded into the JVM truststore when the JVM and native-image tool are installed. This means that they should be present, which according to the docs should be sufficient:

During the image building process, the native-image builder captures the host environment’s default TrustStore and embeds it into the native executable.

When I last checked this on paketo-buildpacks/graalvm#66 things just worked. I haven't tried this lately though, so if it's not working. Let's take a look and see what's happening. To do that, please include the full output from your build plus any build config (i.e. env variables, buildpack ordering, that you're customizing).

That said, I see no reason why setting the arguments would be a problem. You'd need to use the options above to pass those additional arguments through at run/build time as required by native-image. Please give that a try and let me know how things go.

[matthyx]

please ignore, this was answered too quickly without full context
@dmikusa-pivotal please note we're talking about RUNTIME arguments.
I think @neoludo wants to avoid overriding ENTRYPOINT and CMD in the resulting image in case paketo sets something special during build.

[matthyx]

@dmikusa-pivotal, after reading on my laptop (rather than my mobile) I see what you mean... apologizes.

If you follow the recommended instructions for adding trusted CA certificates, this will result in the certificates being added to the default system truststore, i.e. /etc/ssl/certs/ca-certificates.crt and to the default truststore for the JVM.

@neoludo already played with https://github.com/paketo-buildpacks/ca-certificates and at runtime it can add trusted certificates to the system truststore...
The issue is that in native mode it only creates /etc/ssl/certs/ca-certificates.crt and no JKS... which substrateVM doesn't handle (despite my suggestion).

So I think we need to modify the buildpack to generate a JKS and inject the required arguments for using it.

[dmikusa]

The issue is that in native mode it only creates /etc/ssl/certs/ca-certificates.crt and no JKS... which substrateVM doesn't handle (despite my suggestion).

I agree. I added an issue under the native image repo to track this for us. We'll look into this more.

[matthyx]

Thanks @dmikusa-pivotal !

[sdeleuze]

Should I close this issue ?

[matthyx]

@sdeleuze I agree this issue is more related to a change in the buildpack... we can close this but let's hope @dmikusa-pivotal work goes to completion.