
Provide a convenient way of adding a custom root certificate authority cert #1605

Rolf-MP opened this issue Apr 7, 2023 · 6 comments

Rolf-MP commented Apr 7, 2023

What feature do you want to see added?

I would like to be able to e.g. volume map my root CA cert into a location in the Jenkins container and have the image import that/those cert(s) into the keystore being used by Jenkins at startup.

Upstream changes

No response

@dduportal (Contributor) commented

Hi @Rolf-MP , you should be able to do so by mounting the certificate in the container, or by building your custom image instead: is there anything blocking you in this area?


Rolf-MP commented May 15, 2023

Hello Damien - thanks for your reply!

I do not have the steps handy, but I do remember that the CA cert needs to be available for Tomcat/Jetty somehow if we want Jenkins to trust certificates issued by our company certificate authority.
Java/Jenkins - at least back when we originally put Jenkins in place - did not use the system cacerts. I ran into a similar issue when migrating from a VM to a docker-image Jenkins deployment.

The title therefore says "convenient".
If - for the docker image - there were a documented/env-var-settable location to mount the CA cert to, such that it would be automatically picked up for use by Jenkins at container start, that would be convenient.

Maybe I overlooked something - very well possible...

timja (Member) commented Oct 10, 2023


lidj22 commented Nov 27, 2024

Unfortunately the example does not appear to work.

In my personal instance I've tried using update-ca-certificates and doing keystore things. My understanding is that since Jenkins is a Java program I need to make Java recognize my certificate, not Ubuntu (which is why update-ca-certificates fails).

However, most examples (importing ca root cert to jvm, guide on java keytool) I've seen online discuss adding the certificate to a location which doesn't appear to exist in the container, the jre security cacerts directory.

```dockerfile
FROM jenkins/jenkins
USER root
RUN apt-get update && apt-get install -y \
    lsb-release \
    ca-certificates \
    curl
RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
    https://download.docker.com/linux/debian/gpg
RUN echo "deb [arch=$(dpkg --print-architecture) \
  signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
  https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
RUN apt-get update && apt-get install -y docker-ce-cli

# TRY TO ADD CA.CRT
# Adds the cert to the OS trust store only; the JVM does not read it from there
COPY ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
# -noprompt/-storepass keep the build non-interactive (changeit is the JDK default)
RUN keytool -import -trustcacerts -noprompt -storepass changeit \
    -file /usr/local/share/ca-certificates/ca.crt -alias MY_CA \
    -keystore $JAVA_HOME/jre/lib/security/cacerts
# WON'T WORK: /opt/java/openjdk/jre/lib/security/cacerts (No such file or directory)

# Switch back to the Jenkins user
USER jenkins

# Install Jenkins plugins
RUN jenkins-plugin-cli --plugins "blueocean docker-workflow"
```

timja (Member) commented Nov 27, 2024

You don't need to pass `-keystore $JAVA_HOME/jre/lib/security/cacerts`; add `-cacerts` instead, which will look up the correct truststore location automatically.


lidj22 commented Nov 27, 2024

Thanks for the help!

I was able to also find the actual certs at /opt/java/openjdk/lib/security/cacerts as well (and of course it happens right after I comment). But it turns out my self-signed cert issue was not with Jenkins but with the Jenkins/git plugin.

edit: spoke too soon

edit2: the issue was that my agents did not have the CA certs installed. Jenkins works fine.
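Putting the thread's pieces together (the mounted-directory startup import asked for at the top, the `-cacerts` hint, and the finding that the agents also needed the CA), here is an added example of an entrypoint wrapper; it is not code from the jenkins/jenkins image. It assumes a mount point of /usr/share/jenkins/ca, the JDK default truststore password `changeit`, and that the stock image entrypoint is `/usr/bin/tini -- /usr/local/bin/jenkins.sh`.

```shell
#!/bin/sh
# Hypothetical entrypoint wrapper for a jenkins/jenkins-based image (constructed
# for this thread; not part of the official image). Imports every PEM cert found
# under $JENKINS_CA_DIR into the JDK's default truststore, then starts Jenkins.
set -eu

CA_DIR="${JENKINS_CA_DIR:-/usr/share/jenkins/ca}"   # assumed mount point
STOREPASS="${JENKINS_CACERTS_PASS:-changeit}"       # JDK default cacerts password

# Stable keytool alias from a file name: "Corp-Root.crt" -> "custom-corp-root"
alias_for() {
  base=$(basename "$1"); base="${base%.*}"
  printf 'custom-%s\n' "$(printf '%s' "$base" | sed 's/[^A-Za-z0-9._-]/_/g' | tr 'A-Z' 'a-z')"
}

# Cheap check that a file is a PEM certificate (mounting a private key or a
# DER/PKCS#12 file by mistake is common, and keytool's error is not helpful)
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

import_all() {
  count=0
  [ -d "$CA_DIR" ] || { echo "no CA directory at $CA_DIR, nothing to import"; return 0; }
  for f in "$CA_DIR"/*.crt "$CA_DIR"/*.pem; do
    [ -f "$f" ] || continue               # an unmatched glob stays literal
    is_pem_cert "$f" || { echo "skipping $f: not a PEM certificate" >&2; continue; }
    ca_alias=$(alias_for "$f")
    # -cacerts resolves the JDK's own truststore, so no jre/lib path guessing;
    # skipping aliases that already exist keeps container restarts idempotent
    if keytool -list -cacerts -storepass "$STOREPASS" -alias "$ca_alias" >/dev/null 2>&1; then
      echo "alias $ca_alias already present"
    else
      keytool -importcert -cacerts -storepass "$STOREPASS" -noprompt \
        -alias "$ca_alias" -file "$f"
      count=$((count + 1))
    fi
  done
  echo "$count certificate(s) imported into the JDK truststore"
}

main() {
  import_all
  # Hand off to the stock entrypoint of jenkins/jenkins (assumed path)
  exec /usr/bin/tini -- /usr/local/bin/jenkins.sh "$@"
}

# Run main only when executed as the entrypoint script itself, not when sourced
case "${0##*/}" in import-ca-entrypoint.sh) main "$@" ;; esac
```

At container start the truststore file must be writable by the user Jenkins runs as, so either run the same import at build time as root (as the Dockerfile above does) or make the file writable in the image. Agent images need the same treatment, since the checkout happens on the agent rather than on the controller.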
