fix: import /certs/ca.pem into JVM truststore at startup
All checks were successful
CI / cleanup-branch (push) Has been skipped
CI / build (push) Successful in 1m13s
CI / docker (push) Successful in 1m3s
CI / deploy-feature (push) Has been skipped
CI / deploy (push) Successful in 37s

The server container mounts the platform's certs volume at /certs but
the CA bundle was never imported into the JVM truststore. OIDC discovery
failed with PKIX path building errors when a self-signed or custom CA
was in use.

The new entrypoint script splits the PEM bundle and imports each cert
via keytool before starting the app. This makes the conditional
CAMELEER_OIDC_TLS_SKIP_VERIFY logic in the SaaS provisioner work
correctly: when ca.pem exists, the JVM now actually trusts it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-11 11:31:26 +02:00
parent e9486bd05a
commit 1539c7a67b
2 changed files with 37 additions and 1 deletions


@@ -17,7 +17,9 @@ RUN mvn clean package -DskipTests -U -B
FROM eclipse-temurin:17-jre FROM eclipse-temurin:17-jre
WORKDIR /app WORKDIR /app
COPY --from=build /build/cameleer3-server-app/target/cameleer3-server-app-*.jar /app/server.jar COPY --from=build /build/cameleer3-server-app/target/cameleer3-server-app-*.jar /app/server.jar
COPY docker-entrypoint.sh /app/
RUN chmod +x /app/docker-entrypoint.sh
EXPOSE 8081 EXPOSE 8081
ENV TZ=UTC ENV TZ=UTC
ENTRYPOINT exec java -Duser.timezone=UTC -jar /app/server.jar ENTRYPOINT ["/app/docker-entrypoint.sh"]
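Review bot: `COPY docker-entrypoint.sh /app/` followed by `RUN chmod +x /app/docker-entrypoint.sh` spends an extra image layer only to fix the file mode; `COPY --chmod=755 docker-entrypoint.sh /app/` does both in one step under BuildKit, or the script can be committed with the executable bit set so no chmod is needed at all. The switch from shell-form to exec-form `ENTRYPOINT ["/app/docker-entrypoint.sh"]` is correct, since the script ends in `exec java ...` and the JVM therefore still receives signals directly. One thing worth documenting next to the ENTRYPOINT: the new script rewrites `$JAVA_HOME/lib/security/cacerts` at container start, so this runtime stage has to keep running as root (there is no `USER` directive in this hunk); anyone later adding a non-root `USER` here will silently lose the CA import.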

docker-entrypoint.sh Normal file

@@ -0,0 +1,34 @@
#!/bin/sh
set -e
# Import CA certificates from /certs/ca.pem into JVM truststore if present.
# This allows the server to trust custom CAs (e.g., Traefik self-signed in dev,
# or an internal PKI in production) for OIDC discovery and token exchange.
if [ -f /certs/ca.pem ]; then
TRUSTSTORE="$JAVA_HOME/lib/security/cacerts"
STOREPASS="changeit"
TMPDIR=$(mktemp -d)
# Split PEM bundle into individual certificates
awk -v dir="$TMPDIR" '
/-----BEGIN CERTIFICATE-----/ { n++ }
n > 0 { print > dir "/cert-" n ".pem" }
' /certs/ca.pem
count=0
for cert in "$TMPDIR"/cert-*.pem; do
[ -f "$cert" ] || continue
if keytool -importcert -noprompt -trustcacerts \
-alias "custom-ca-$count" \
-file "$cert" \
-keystore "$TRUSTSTORE" \
-storepass "$STOREPASS" 2>/dev/null; then
count=$((count + 1))
fi
done
rm -rf "$TMPDIR"
[ "$count" -gt 0 ] && echo "Imported $count CA certificate(s) into JVM truststore"
fi
exec java -Duser.timezone=UTC -jar /app/server.jar
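Review bot: the `2>/dev/null` on the `keytool -importcert` call hides every reason an import can fail (cacerts not writable because the container is not root, wrong `-storepass`, a malformed PEM block, or an `alias already exists` error on a restarted container whose writable layer already holds `custom-ca-0`), and the `if` simply skips that certificate, so the app can start with a truststore that still lacks the CA while the only visible symptom is the same PKIX error this commit sets out to fix. Suggest dropping the redirect, or at least emitting a warning when `/certs/ca.pem` exists but `count` stays 0, e.g. `[ "$count" -gt 0 ] || echo "WARNING: /certs/ca.pem present but no certificate could be imported" >&2`. Two smaller points: `TMPDIR=$(mktemp -d)` reuses the name of the conventional temp-directory environment variable; if `TMPDIR` is already exported into the container, this assignment changes it for the `exec java` below to a directory that has just been `rm -rf`'d, so a name like `certdir` would be safer. And the awk splitter appends any text that follows an `END CERTIFICATE` line (comments, `subject=` dumps) to the preceding `cert-N.pem`, which is fine for a clean bundle but worth a comment if bundles exported by tooling are expected here.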