Hi,
Spring Boot 2.3.1 maven plugin build-image will not work behind an HTTP proxy with a custom certificate. The certificate is installed under Linux (Ubuntu 20.04), including the settings for Java (OpenJDK 11.0.7).
When building an image with
mvn spring-boot:build-image
[INFO] [creator] Paketo BellSoft Liberica Buildpack 2.8.0
[INFO] [creator] https://github.com/paketo-buildpacks/bellsoft-liberica
[INFO] [creator] Build Configuration:
[INFO] [creator] $BP_JVM_VERSION 11.0.7 the Java version
[INFO] [creator] Launch Configuration:
[INFO] [creator] $BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
[INFO] [creator] $BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
[INFO] [creator] $BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
[INFO] [creator] BellSoft Liberica JRE 11.0.7: Contributing to layer
[INFO] [creator] Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.7+10/bellsoft-jre11.0.7+10-linux-amd64.tar.gz
[INFO] [creator] unable to invoke layer creator
[INFO] [creator] unable to get dependency jre
[INFO] [creator] unable to download https://github.com/bell-sw/Liberica/releases/download/11.0.7+10/bellsoft-jre11.0.7+10-linux-amd64.tar.gz
[INFO] [creator] unable to request https://github.com/bell-sw/Liberica/releases/download/11.0.7+10/bellsoft-jre11.0.7+10-linux-amd64.tar.gz
[INFO] [creator] Get "https://github.com/bell-sw/Liberica/releases/download/11.0.7+10/bellsoft-jre11.0.7+10-linux-amd64.tar.gz": x509: certificate signed by unknown authority
Other tools like curl or docker show me that the installation of the custom certificates is correct.
I know my setup is crazy, but unfortunately I can't change that.
Thanks!
Comment From: wilkinsona
The image is built by a builder that runs in a separate Docker container. Your custom certificate will have to be installed in that container. I’m not sure if the builder provides a hookpoint to provide a custom certificate to use during the build process. You may need to create your own builder image. The Paketo Slack is the best place to discuss this and to find out what’s possible.
Comment From: torsten-liermann
Thank you! The topic is discussed here. https://github.com/buildpacks/rfcs/pull/69
Comment From: qrider71
I probably ran into the same problem, is there a solution meanwhile?
[INFO] [creator] BellSoft Liberica JRE 11.0.10: Contributing to layer
[INFO] [creator] Downloading from https://github.com/bell-sw/Liberica/releases/download/11.0.10+9/bellsoft-jre11.0.10+9-linux-amd64.tar.gz
[INFO] [creator] unable to invoke layer creator
[INFO] [creator] unable to get dependency jre
[INFO] [creator] unable to download https://github.com/bell-sw/Liberica/releases/download/11.0.10+9/bellsoft-jre11.0.10+9-linux-amd64.tar.gz
[INFO] [creator] unable to request https://github.com/bell-sw/Liberica/releases/download/11.0.10+9/bellsoft-jre11.0.10+9-linux-amd64.tar.gz
[INFO] [creator] Get "https://github-releases.githubusercontent.com/115621629/d5d82c00-594d-11eb-98ae-659ac7559e26?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210202%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210202T170457Z&X-Amz-Expires=300&X-Amz-Signature=137db21268360387a4b524dbfb60b344efab343d47d92e7be2341cea7f890c73&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=115621629&response-content-disposition=attachment%3B%20filename%3Dbellsoft-jre11.0.10%2B9-linux-amd64.tar.gz&response-content-type=application%2Foctet-stream": x509: certificate signed by unknown authority
[INFO] [creator] ERROR: failed to build: exit status 1
Comment From: wilkinsona
@qrider71 There are some instructions from @nebhale in this issue comment that show how to modify the builder and add your custom certificates to it. I'm not sure what the current state of the art is beyond this. I've asked @sclevine for some links to the RFCs that have superseded buildpacks/rfcs#69.
Comment From: wilkinsona
https://github.com/paketo-buildpacks/ca-certificates is relevant here. It requires the use of bindings which we're hoping to support in 2.5.
Comment From: scottfrederick
@torsten-liermann @qrider71 Just to close the loop on this discussion, the latest Spring Boot 2.5.0-SNAPSHOT builds include the bindings feature that will allow you to add custom certificates to the builder container with the Maven and Gradle plugins. This feature will be included in the next 2.5.0-M3 milestone release.
The integration tests show an example of configuring a binding with a certificate for use by the paketo-buildpacks/ca-certificate buildpack (although it is an invalid certificate in the test because that's sufficient to test that the Boot plugins are setting up the build container properly).
Comment From: je890
@torsten-liermann @qrider71 Just to close the loop on this discussion, the latest Spring Boot 2.5.0-SNAPSHOT builds include the bindings feature that will allow you to add custom certificates to the builder container with the Maven and Gradle plugins. This feature will be included in the next 2.5.0-M3 milestone release. The integration tests show an example of configuring a binding with a certificate for use by the paketo-buildpacks/ca-certificate buildpack (although it is an invalid certificate in the test because that's sufficient to test that the Boot plugins are setting up the build container properly).
Hi! I was trying the bindings setup. Are we only allowed to use this builder, springci/spring-boot-cnb-builder:0.0.1? Because I tried the default base one and it failed. Also, I tried this builder springci/spring-boot-cnb-builder:0.0.1 and I got this error when doing 'docker run': ERROR: failed to launch: determine start command: when there is no default process a command is required Thank you!
Comment From: scottfrederick
I tried this builder springci/spring-boot-cnb-builder:0.0.1 and I got this error when doing 'docker run':
The builder springci/spring-boot-cnb-builder:0.0.1 is not a valid CNB builder for use when building images. It is a test harness used by internal Spring Boot tests to verify behavior of the Maven and Gradle plugins. As you've seen, that builder does not produce a runnable image.
The relevant part of the integration test example linked above is just the <bindings>...</bindings> configuration.
I tried the default base one and it failed
You'll need to provide more information on what failed in order for anyone to provide assistance. This is a closed issue, so it is not the right place to get help with a question. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements, so further questions would be better suited for Stack Overflow.
Comment From: xmlking
For those who are building from behind a corp proxy and fracking x509: certificate signed by unknown authority error, here is the tip:
Don't forget to add bindings/ca-certificates/type with content ca-certificates
https://github.com/xmlking/micro-apps/commit/fa246da6b627038c461620bcb8e0a17821c9274d
Comment From: matthunt1984
@torsten-liermann @qrider71 Just to close the loop on this discussion, the latest Spring Boot 2.5.0-SNAPSHOT builds include the bindings feature that will allow you to add custom certificates to the builder container with the Maven and Gradle plugins. This feature will be included in the next 2.5.0-M3 milestone release. The integration tests show an example of configuring a binding with a certificate for use by the paketo-buildpacks/ca-certificate buildpack (although it is an invalid certificate in the test because that's sufficient to test that the Boot plugins are setting up the build container properly).
Hi! I was trying the bindings setup. Are we only allowed to use this builder, springci/spring-boot-cnb-builder:0.0.1? Because I tried the default base one and it failed. Also, I tried this builder springci/spring-boot-cnb-builder:0.0.1 and I got this error when doing 'docker run': ERROR: failed to launch: determine start command: when there is no default process a command is required Thank you!
Update link for related spring boot maven docs - as one quoted is now broken.
I was new to this so maybe it took me longer to understand what is going on. The bindings are simply passed from Maven through the Spring Boot plugin to create a Docker mount from the host machine, which allows you to pass in a folder containing the CA.pem and the required file 'type' for it to be recognised by this specific buildpack.
After a bit of trial and error this now seems to work fine. Thanks!
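The binding layout that xmlking's tip and matthunt1984's explanation describe (a host folder mounted into the builder, holding the CA in PEM form plus a `type` file whose content is `ca-certificates`) is easy to get subtly wrong, and the failure mode is the same x509 error as having no binding at all. The script below is an added example, not code from the Spring Boot project or from anyone in this thread: it creates such a binding directory and then pre-flight checks it before you run `mvn spring-boot:build-image` or `gradle bootBuildImage`. The directory name `bindings/ca-certificates`, the file name `corp-proxy-ca.pem` and the PEM body are constructed for the demo; the PEM is a placeholder, not a real certificate.

```shell
#!/usr/bin/env bash
# Added example: build and sanity-check a CNB "ca-certificates" binding
# directory for the Paketo ca-certificates buildpack. Not project code.
set -euo pipefail

# make_ca_binding DIR CERT.pem [CERT.pem ...]
# Lays out DIR as a binding of type ca-certificates: a file named `type`
# holding exactly "ca-certificates", plus one PEM file per CA to trust.
make_ca_binding() {
  local dir="$1"; shift
  mkdir -p "$dir"
  printf '%s' 'ca-certificates' > "$dir/type"
  local cert
  for cert in "$@"; do
    cp "$cert" "$dir/$(basename "$cert")"
  done
}

# check_ca_binding DIR
# Returns 0 when DIR looks like a usable binding; prints what is wrong and
# returns 1 otherwise. The checks mirror the mistakes discussed in the thread:
# missing `type` file, wrong type value, and no PEM certificate beside it.
check_ca_binding() {
  local dir="$1" certs=0 f
  [ -d "$dir" ] || { echo "binding dir $dir does not exist"; return 1; }
  [ -f "$dir/type" ] || { echo "missing $dir/type"; return 1; }
  [ "$(tr -d '[:space:]' < "$dir/type")" = "ca-certificates" ] \
    || { echo "$dir/type must contain exactly 'ca-certificates'"; return 1; }
  for f in "$dir"/*; do
    [ "$(basename "$f")" = "type" ] && continue
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
      || { echo "$f is not a PEM certificate"; return 1; }
    certs=$((certs + 1))
  done
  [ "$certs" -gt 0 ] || { echo "no certificate files in $dir"; return 1; }
  echo "ok: $certs certificate(s) in $dir"
}

# Demo with a constructed placeholder PEM (NOT a real certificate; replace it
# with the proxy CA you exported, e.g. from /usr/local/share/ca-certificates).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/corp-proxy-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderBase64BodyConstructedForTheDemo
-----END CERTIFICATE-----
EOF
make_ca_binding "$demo_dir/bindings/ca-certificates" "$demo_dir/corp-proxy-ca.pem"
check_ca_binding "$demo_dir/bindings/ca-certificates"
```

Once the directory passes the check, point the plugin at it: with the Maven plugin (Spring Boot 2.5 and later) that is a `<binding>${basedir}/bindings/ca-certificates:/platform/bindings/ca-certificates</binding>` entry inside `<image><bindings>...</bindings></image>`, and with Gradle the `bindings = [...]` form shown later in this thread. The container path after the colon must stay under `/platform/bindings/` for the buildpack to pick it up.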
Comment From: emrekaratas06
same problem;
[INFO] [creator] Paketo Buildpack for CA Certificates 3.5.1
[INFO] [creator] https://github.com/paketo-buildpacks/ca-certificates
[INFO] [creator] Launch Helper: Contributing to layer
[INFO] [creator] Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper
[INFO] [creator]
[INFO] [creator] Paketo Buildpack for BellSoft Liberica 9.10.1
[INFO] [creator] https://github.com/paketo-buildpacks/bellsoft-liberica
[INFO] [creator] Build Configuration:
[INFO] [creator] $BP_JVM_JLINK_ARGS --no-man-pages --no-header-files --strip-debug --compress=1 configure custom link arguments (--output must be omitted)
[INFO] [creator] $BP_JVM_JLINK_ENABLED false enables running jlink tool to generate custom JRE
[INFO] [creator] $BP_JVM_TYPE JRE the JVM type - JDK or JRE
[INFO] [creator] $BP_JVM_VERSION 17.* the Java version
[INFO] [creator] Launch Configuration:
[INFO] [creator] $BPL_DEBUG_ENABLED false enables Java remote debugging support
[INFO] [creator] $BPL_DEBUG_PORT 8000 configure the remote debugging port
[INFO] [creator] $BPL_DEBUG_SUSPEND false configure whether to suspend execution until a debugger has attached
[INFO] [creator] $BPL_HEAP_DUMP_PATH write heap dumps on error to this path
[INFO] [creator] $BPL_JAVA_NMT_ENABLED true enables Java Native Memory Tracking (NMT)
[INFO] [creator] $BPL_JAVA_NMT_LEVEL summary configure level of NMT, summary or detail
[INFO] [creator] $BPL_JFR_ARGS configure custom Java Flight Recording (JFR) arguments
[INFO] [creator] $BPL_JFR_ENABLED false enables Java Flight Recording (JFR)
[INFO] [creator] $BPL_JMX_ENABLED false enables Java Management Extensions (JMX)
[INFO] [creator] $BPL_JMX_PORT 5000 configure the JMX port
[INFO] [creator] $BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
[INFO] [creator] $BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
[INFO] [creator] $BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
[INFO] [creator] $JAVA_TOOL_OPTIONS the JVM launch flags
[INFO] [creator] Using Java version 17.* from BP_JVM_VERSION
[INFO] [creator] BellSoft Liberica JRE 17.0.5: Contributing to layer
[INFO] [creator] Downloading from https://github.com/bell-sw/Liberica/releases/download/17.0.5+8/bellsoft-jre17.0.5+8-linux-amd64.tar.gz
[INFO] [creator] unable to invoke layer creator
[INFO] [creator] unable to get dependency jre
[INFO] [creator] unable to download https://github.com/bell-sw/Liberica/releases/download/17.0.5+8/bellsoft-jre17.0.5+8-linux-amd64.tar.gz
[INFO] [creator] unable to request https://github.com/bell-sw/Liberica/releases/download/17.0.5+8/bellsoft-jre17.0.5+8-linux-amd64.tar.gz
[INFO] [creator] Get "https://objects.githubusercontent.com/github-production-release-asset-2e65be/115621629/4522d780-0a4c-40ae-a3d1-d70a38bda0b9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20221222%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221222T115500Z&X-Amz-Expires=300&X-Amz-Signature=6ad4f75702593c28acb29adb73b002c3825ccae17701ced35dd5bdb2245594d0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=115621629&response-content-disposition=attachment%3B%20filename%3Dbellsoft-jre17.0.5%2B8-linux-amd64.tar.gz&response-content-type=application%2Foctet-stream": x509: certificate signed by unknown authority
[INFO] [creator] ERROR: failed to build: exit status 1
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 25.067 s
[INFO] Finished at: 2022-12-22T14:54:13+03:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.springframework.boot:spring-boot-maven-plugin:2.7.4:build-image (default-cli) on project configserver: Execution default-cli of goal org.springframework.boot:spring-boot-maven-plugin:2.7.4:build-image failed: Builder lifecycle 'creator' failed with status code 51 -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException
Comment From: emrekaratas06
Can you help me please? I have tried to fix the problem repeatedly but I can't.
Comment From: philwebb
@emrekaratas06 I see you've also added comments to https://github.com/paketo-buildpacks/bellsoft-liberica/issues/3#issuecomment-1362895757. Let's keep the discussion there.
Comment From: charlesxucheng
Hi there. Is it possible to show some examples on how to specify additional CA certificates bindings in the Gradle plugin?
I have tried the following:
bootBuildImage {
    bindings = [ "${project.projectDir}/bindings/ca-certificates:/platform/bindings/ca-certificates" ]
}

bootBuildImage {
    bindings = ['./bindings/ca-certificates:/platform/bindings/ca-certificates']
}
The error I get is:
2023-01-09T16:28:11.799+0800 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter]
Execution failed for task ':ProjectA:bootBuildImage'.
> Docker API call to 'localhost/v1.24/containers/create' failed with status code 500 "Internal Server Error"
Comment From: scottfrederick
@charlesxucheng It's not obvious how the bindings configuration is related to the Internal Server Error problem that is happening inside the Docker daemon. We prefer to use Stack Overflow for questions like this. Please post more information about what you are doing in a question there (including all of the Spring Boot plugin configuration, the OS you are running, and the Docker Engine version). You can tag the question with spring-boot and paketo (since the certificates are managed by the Paketo ca-certificates buildpack).