Adding ca-certificates to a Tomcat Docker container run with a designated user











up vote
0
down vote

favorite












I have a Docker volume mounted directly to the /usr/local/share/ca-certificates -folder.



certificate-folder:/usr/local/share/ca-certificates:ro


I'm using Tomcat for this setup, but a similar issue could be encountered with other frameworks as well. Base of the Dockerfile is like this:



FROM       tomcat:8.5-jre8

# other Dockerfile configuration

CMD ["/start.sh"]


With start.sh containing key lines



#!/usr/bin/env bash

update-ca-certificates 

# other startup related tasks

catalina.sh run


Issue with this setup is that it works as long as I'm running the container as root user. However, if I try to change to a designated user at the end of the Dockerfile with something like this



ENV TOMCAT_USER="tomcat" 

    TOMCAT_UID="8080" 

    TOMCAT_GROUP="tomcat" 

    TOMCAT_GID="8080"

RUN groupadd -r --gid $TOMCAT_GID $TOMCAT_GROUP && 

    useradd -r --uid $TOMCAT_UID --gid $TOMCAT_GID $TOMCAT_USER

RUN chown -R $TOMCAT_USER:$TOMCAT_GROUP /usr/local/tomcat

USER $TOMCAT_USER


So:




  • Because the shell script is being run as $TOMCAT_USER, it can't run "update-ca-certificates" to install the certificates.

  • Because certificates aren't added inside Dockerfile, update-ca-certificates can't be run inside Dockerfile.


Because of this I'm eventually getting SSL issues like this



javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


So what would be the correct way to approach this kind of issue if I still wish to run the container as a designated $TOMCAT_USER?






docker ssl tomcat ssl-certificate dockerfile







share|improve this question


























    up vote
    0
    down vote

    favorite












    I have a Docker volume mounted directly to the /usr/local/share/ca-certificates -folder.



    certificate-folder:/usr/local/share/ca-certificates:ro


    I'm using Tomcat for this setup, but a similar issue could be encountered with other frameworks as well. Base of the Dockerfile is like this:



    FROM       tomcat:8.5-jre8
    
# other Dockerfile configuration
    
CMD ["/start.sh"]


    With start.sh containing key lines



    #!/usr/bin/env bash
    
update-ca-certificates 
    
# other startup related tasks
    
catalina.sh run


    Issue with this setup is that it works as long as I'm running the container as root user. However, if I try to change to a designated user at the end of the Dockerfile with something like this



    ENV TOMCAT_USER="tomcat" 
    
    TOMCAT_UID="8080" 
    
    TOMCAT_GROUP="tomcat" 
    
    TOMCAT_GID="8080"
    
RUN groupadd -r --gid $TOMCAT_GID $TOMCAT_GROUP && 
    
    useradd -r --uid $TOMCAT_UID --gid $TOMCAT_GID $TOMCAT_USER
    
RUN chown -R $TOMCAT_USER:$TOMCAT_GROUP /usr/local/tomcat
    
USER $TOMCAT_USER


    So:




    • Because the shell script is being run as $TOMCAT_USER, it can't run "update-ca-certificates" to install the certificates.

    • Because certificates aren't added inside Dockerfile, update-ca-certificates can't be run inside Dockerfile.


    Because of this I'm eventually getting SSL issues like this



    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
    
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


    So what would be the correct way to approach this kind of issue if I still wish to run the container as a designated $TOMCAT_USER?






    docker ssl tomcat ssl-certificate dockerfile







    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have a Docker volume mounted directly to the /usr/local/share/ca-certificates -folder.



      certificate-folder:/usr/local/share/ca-certificates:ro


      I'm using Tomcat for this setup, but a similar issue could be encountered with other frameworks as well. Base of the Dockerfile is like this:



      FROM       tomcat:8.5-jre8
      
# other Dockerfile configuration
      
CMD ["/start.sh"]


      With start.sh containing key lines



      #!/usr/bin/env bash
      
update-ca-certificates 
      
# other startup related tasks
      
catalina.sh run


      Issue with this setup is that it works as long as I'm running the container as root user. However, if I try to change to a designated user at the end of the Dockerfile with something like this



      ENV TOMCAT_USER="tomcat" 
      
    TOMCAT_UID="8080" 
      
    TOMCAT_GROUP="tomcat" 
      
    TOMCAT_GID="8080"
      
RUN groupadd -r --gid $TOMCAT_GID $TOMCAT_GROUP && 
      
    useradd -r --uid $TOMCAT_UID --gid $TOMCAT_GID $TOMCAT_USER
      
RUN chown -R $TOMCAT_USER:$TOMCAT_GROUP /usr/local/tomcat
      
USER $TOMCAT_USER


      So:




      • Because the shell script is being run as $TOMCAT_USER, it can't run "update-ca-certificates" to install the certificates.

      • Because certificates aren't added inside Dockerfile, update-ca-certificates can't be run inside Dockerfile.


      Because of this I'm eventually getting SSL issues like this



      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
      
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


      So what would be the correct way to approach this kind of issue if I still wish to run the container as a designated $TOMCAT_USER?






      docker ssl tomcat ssl-certificate dockerfile







      share|improve this question













      I have a Docker volume mounted directly to the /usr/local/share/ca-certificates -folder.



      certificate-folder:/usr/local/share/ca-certificates:ro


      I'm using Tomcat for this setup, but a similar issue could be encountered with other frameworks as well. Base of the Dockerfile is like this:



      FROM       tomcat:8.5-jre8
      
# other Dockerfile configuration
      
CMD ["/start.sh"]


      With start.sh containing key lines



      #!/usr/bin/env bash
      
update-ca-certificates 
      
# other startup related tasks
      
catalina.sh run


      Issue with this setup is that it works as long as I'm running the container as root user. However, if I try to change to a designated user at the end of the Dockerfile with something like this



      ENV TOMCAT_USER="tomcat" 
      
    TOMCAT_UID="8080" 
      
    TOMCAT_GROUP="tomcat" 
      
    TOMCAT_GID="8080"
      
RUN groupadd -r --gid $TOMCAT_GID $TOMCAT_GROUP && 
      
    useradd -r --uid $TOMCAT_UID --gid $TOMCAT_GID $TOMCAT_USER
      
RUN chown -R $TOMCAT_USER:$TOMCAT_GROUP /usr/local/tomcat
      
USER $TOMCAT_USER


      So:




      • Because the shell script is being run as $TOMCAT_USER, it can't run "update-ca-certificates" to install the certificates.

      • Because certificates aren't added inside Dockerfile, update-ca-certificates can't be run inside Dockerfile.


      Because of this I'm eventually getting SSL issues like this



      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
      
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


      So what would be the correct way to approach this kind of issue if I still wish to run the container as a designated $TOMCAT_USER?






      docker ssl tomcat ssl-certificate dockerfile




      docker ssl tomcat ssl-certificate dockerfile






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 21 at 13:26









      mpartan

      734522




      734522
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          As update-ca-certificates needs root permissions to update the certificates in /etc/ssl/certs, I only see three possible approaches (and one working solution − the third one below):




          1. Remove update-ca-certificates from your entrypoint and add a RUN update-ca-certificates command before the line USER $TOMCAT_USER. (However, you are using a volume which won't be available at build time, so this couldn't work…)


          2. Give sudo permissions (with no password) to your $TOMCAT_USER, and replace update-ca-certificates with sudo update-ca-certificates. (However, this solution may be unsatisfactory from a security perspective…)



          3. Remove USER $TOMCAT_USER from your Dockerfile; keep CMD ["/start.sh"], or ENTRYPOINT ["/start.sh"] if you prefer; and rely on the gosu tool, whose main use case precisely consists in downgrading from root to a non-privileged user, while enjoying better behavior than sudo w.r.t. TTY and signal forwarding.



            You'll just need to install gosu by doing for example:



            RUN apt-get update -y -q && 
            
  DEBIAN_FRONTEND=noninteractive 
            
  apt-get install -y -q --no-install-recommends gosu


            (as tomcat:8.5-jre8 is based on Debian) and use it by writing:




            start.sh




            #!/usr/bin/env bash
            
update-ca-certificates 
            
# other startup related tasks
            
gosu $TOMCAT_UID:$TOMCAT_GID catalina.sh run







          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413071%2fadding-ca-certificates-to-a-tomcat-docker-container-run-with-a-designated-user%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote













            As update-ca-certificates needs root permissions to update the certificates in /etc/ssl/certs, I only see three possible approaches (and one working solution − the third one below):




            1. Remove update-ca-certificates from your entrypoint and add a RUN update-ca-certificates command before the line USER $TOMCAT_USER. (However, you are using a volume which won't be available at build time, so this couldn't work…)


            2. Give sudo permissions (with no password) to your $TOMCAT_USER, and replace update-ca-certificates with sudo update-ca-certificates. (However, this solution may be unsatisfactory from a security perspective…)



            3. Remove USER $TOMCAT_USER from your Dockerfile; keep CMD ["/start.sh"], or ENTRYPOINT ["/start.sh"] if you prefer; and rely on the gosu tool, whose main use case precisely consists in downgrading from root to a non-privileged user, while enjoying better behavior than sudo w.r.t. TTY and signal forwarding.



              You'll just need to install gosu by doing for example:



              RUN apt-get update -y -q && 
              
  DEBIAN_FRONTEND=noninteractive 
              
  apt-get install -y -q --no-install-recommends gosu


              (as tomcat:8.5-jre8 is based on Debian) and use it by writing:




              start.sh




              #!/usr/bin/env bash
              
update-ca-certificates 
              
# other startup related tasks
              
gosu $TOMCAT_UID:$TOMCAT_GID catalina.sh run







            share|improve this answer



























              up vote
              2
              down vote













              As update-ca-certificates needs root permissions to update the certificates in /etc/ssl/certs, I only see three possible approaches (and one working solution − the third one below):




              1. Remove update-ca-certificates from your entrypoint and add a RUN update-ca-certificates command before the line USER $TOMCAT_USER. (However, you are using a volume which won't be available at build time, so this couldn't work…)


              2. Give sudo permissions (with no password) to your $TOMCAT_USER, and replace update-ca-certificates with sudo update-ca-certificates. (However, this solution may be unsatisfactory from a security perspective…)



              3. Remove USER $TOMCAT_USER from your Dockerfile; keep CMD ["/start.sh"], or ENTRYPOINT ["/start.sh"] if you prefer; and rely on the gosu tool, whose main use case precisely consists in downgrading from root to a non-privileged user, while enjoying better behavior than sudo w.r.t. TTY and signal forwarding.



                You'll just need to install gosu by doing for example:



                RUN apt-get update -y -q && 
                
  DEBIAN_FRONTEND=noninteractive 
                
  apt-get install -y -q --no-install-recommends gosu


                (as tomcat:8.5-jre8 is based on Debian) and use it by writing:




                start.sh




                #!/usr/bin/env bash
                
update-ca-certificates 
                
# other startup related tasks
                
gosu $TOMCAT_UID:$TOMCAT_GID catalina.sh run







              share|improve this answer

























                up vote
                2
                down vote










                up vote
                2
                down vote









                As update-ca-certificates needs root permissions to update the certificates in /etc/ssl/certs, I only see three possible approaches (and one working solution − the third one below):




                1. Remove update-ca-certificates from your entrypoint and add a RUN update-ca-certificates command before the line USER $TOMCAT_USER. (However, you are using a volume which won't be available at build time, so this couldn't work…)


                2. Give sudo permissions (with no password) to your $TOMCAT_USER, and replace update-ca-certificates with sudo update-ca-certificates. (However, this solution may be unsatisfactory from a security perspective…)



                3. Remove USER $TOMCAT_USER from your Dockerfile; keep CMD ["/start.sh"], or ENTRYPOINT ["/start.sh"] if you prefer; and rely on the gosu tool, whose main use case precisely consists in downgrading from root to a non-privileged user, while enjoying better behavior than sudo w.r.t. TTY and signal forwarding.



                  You'll just need to install gosu by doing for example:



                  RUN apt-get update -y -q && 
                  
  DEBIAN_FRONTEND=noninteractive 
                  
  apt-get install -y -q --no-install-recommends gosu


                  (as tomcat:8.5-jre8 is based on Debian) and use it by writing:




                  start.sh




                  #!/usr/bin/env bash
                  
update-ca-certificates 
                  
# other startup related tasks
                  
gosu $TOMCAT_UID:$TOMCAT_GID catalina.sh run







                share|improve this answer














                As update-ca-certificates needs root permissions to update the certificates in /etc/ssl/certs, I only see three possible approaches (and one working solution − the third one below):




                1. Remove update-ca-certificates from your entrypoint and add a RUN update-ca-certificates command before the line USER $TOMCAT_USER. (However, you are using a volume which won't be available at build time, so this couldn't work…)


                2. Give sudo permissions (with no password) to your $TOMCAT_USER, and replace update-ca-certificates with sudo update-ca-certificates. (However, this solution may be unsatisfactory from a security perspective…)



                3. Remove USER $TOMCAT_USER from your Dockerfile; keep CMD ["/start.sh"], or ENTRYPOINT ["/start.sh"] if you prefer; and rely on the gosu tool, whose main use case precisely consists in downgrading from root to a non-privileged user, while enjoying better behavior than sudo w.r.t. TTY and signal forwarding.



                  You'll just need to install gosu by doing for example:



                  RUN apt-get update -y -q && 
                  
  DEBIAN_FRONTEND=noninteractive 
                  
  apt-get install -y -q --no-install-recommends gosu


                  (as tomcat:8.5-jre8 is based on Debian) and use it by writing:




                  start.sh




                  #!/usr/bin/env bash
                  
update-ca-certificates 
                  
# other startup related tasks
                  
gosu $TOMCAT_UID:$TOMCAT_GID catalina.sh run








                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 21 at 22:30

























                answered Nov 21 at 22:24









                ErikMD

                1,9051318




                1,9051318






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413071%2fadding-ca-certificates-to-a-tomcat-docker-container-run-with-a-designated-user%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    What visual should I use to simply compare current year value vs last year in Power BI desktop

                    Image
                    0 I have column SubToBind that shows current year ratio and column PY SubToBind which shows previous year ratio. How can I simply create a card that would be displaying them both in a nice way? Something like that: I cannot achieve that with regular card, I also tried Card with States by OKViz but also unable to see both values. In KPI visual - I dont like the word "Goal", it will confuse end users. Are there any cards or other visuals that would do the job? Thanks powerbi dax powerbi-embedded share | improve this question edited Jun 11 '18 at 20:11 Oleg
                    Read more

                    Alexandru Averescu

                    Image
                    Alexandre Averescu Alexandru Averescu Naissance 3 avril 1859 Babele, Ismail  (ro) près de Izmaïl (principauté de Moldavie) Décès 2 octobre 1938 (à 79 ans) [ 1 ] Bucarest Origine   Roumanie Arme cavalerie Grade Maréchal Années de service 1901-1917 Commandement chef d'état-major général 2 e  armée 3 e  armée Groupe d'armée sud armée du Danube Conflits Guerre russo-turque de 1877-1878 Deuxième guerre balkanique Première Guerre mondiale Faits d'armes Bataille de Turtucaia/Tutrakan Bataille de Mărăști Distinctions Autres fonctions 3 fois président du Conseil des ministres ministre des Affaires étrangères ministre sans portefeuille conseiller de la Couronne modifier   Alexandre Averescu (en roumain : Alexandru Averescu .mw-parser-output .prononciation>a{background:url("//upload.wikimedia.org/wikipedia/commons/thumb/8/8a/Loudspeaker.svg/11px-Loudspeaker.svg.png")center
                    Read more

                    Trompette piccolo

                    Image
                    Ne doit pas être confondu avec trompette de poche. Trompette piccolo en si bémol, avec des branches d'embouchure différentes pour le si bémol (la plus courte) ou la (la plus longue) Trompette piccolo La trompette piccolo est la plus petite de la famille des trompettes. Elle joue une octave plus haut que la trompette standard en si bémol. La plupart des trompettes piccolo sont conçues pour jouer dans les deux tonalités de si bémol ou la, en utilisant une branche d'embouchure différente pour chaque tonalité. Le tube de la trompette piccolo en si bémol a une longueur moitié de celle de la trompette normale en si bémol. Des trompettes piccolo en sol, fa, ut sont également fabriquées, mais elles sont rares. La trompette soprano en ré, aussi connu comme la « trompette Bach », a été inventée vers 1890 par le facteur belge Victor-Charles Mahillon pour jouer les parties hautes de la trompette dans la musique de Bach et Haendel. La trompette piccolo moderne permet aux
                    Read more