docker-entrypoint.sh

#!/bin/sh
set -e

# Import CA certificates from /certs/ca.pem into JVM truststore if present.
# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
# or an internal PKI in production) for OIDC discovery and token exchange.
if [ -f /certs/ca.pem ]; then
    TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
    STOREPASS="changeit"
    TMPDIR=$(mktemp -d)

    # Split PEM bundle into individual certificates
    awk -v dir="$TMPDIR" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > dir "/cert-" n ".pem" }
    ' /certs/ca.pem

    count=0
    for cert in "$TMPDIR"/cert-*.pem; do
        [ -f "$cert" ] || continue
        if keytool -importcert -noprompt -trustcacerts \
            -alias "custom-ca-$count" \
            -file "$cert" \
            -keystore "$TRUSTSTORE" \
            -storepass "$STOREPASS" 2>/dev/null; then
            count=$((count + 1))
        fi
    done

    rm -rf "$TMPDIR"
    [ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
fi

exec java -Duser.timezone=UTC -jar /app/server.jar
fix: import /certs/ca.pem into JVM truststore at startup The server container mounts the platform's certs volume at /certs but the CA bundle was never imported into the JVM truststore. OIDC discovery failed with PKIX path building errors when a self-signed or custom CA was in use. The new entrypoint script splits the PEM bundle and imports each cert via keytool before starting the app. This makes the conditional CAMELEER_OIDC_TLS_SKIP_VERIFY logic in the SaaS provisioner work correctly: when ca.pem exists, the JVM now actually trusts it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-11 11:31:26 +02:00			`#!/bin/sh`
			`set -e`

			`# Import CA certificates from /certs/ca.pem into JVM truststore if present.`
			`# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,`
			`# or an internal PKI in production) for OIDC discovery and token exchange.`
			`if [ -f /certs/ca.pem ]; then`
			`TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"`
			`STOREPASS="changeit"`
			`TMPDIR=$(mktemp -d)`

			`# Split PEM bundle into individual certificates`
			`awk -v dir="$TMPDIR" '`
			`/-----BEGIN CERTIFICATE-----/ { n++ }`
			`n > 0 { print > dir "/cert-" n ".pem" }`
			`' /certs/ca.pem`

			`count=0`
			`for cert in "$TMPDIR"/cert-*.pem; do`
			`[ -f "$cert" ] \|\| continue`
			`if keytool -importcert -noprompt -trustcacerts \`
			`-alias "custom-ca-$count" \`
			`-file "$cert" \`
			`-keystore "$TRUSTSTORE" \`
			`-storepass "$STOREPASS" 2>/dev/null; then`
			`count=$((count + 1))`
			`fi`
			`done`

			`rm -rf "$TMPDIR"`
			`[ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"`
			`fi`

			`exec java -Duser.timezone=UTC -jar /app/server.jar`