DEV Community

Eduardo Issao Ito

Custom Root CA in spring-boot:build-image

The Spring Framework has a very useful feature: generating a Docker image through the spring-boot-maven-plugin. Simply running mvn spring-boot:build-image creates a Docker-compatible OCI image.

But if you are behind a corporate proxy, this error is likely to happen:

[INFO]     [creator]       BellSoft Liberica JRE 17.0.6: Contributing to layer
[INFO]     [creator]         Downloading from https://github.com/bell-sw/Liberica/releases/download/17.0.6+10/bellsoft-jre17.0.6+10-linux-amd64.tar.gz
[INFO]     [creator]     unable to invoke layer creator
[INFO]     [creator]     unable to get dependency jre
[INFO]     [creator]     unable to download https://github.com/bell-sw/Liberica/releases/download/17.0.6+10/bellsoft-jre17.0.6+10-linux-amd64.tar.gz
[INFO]     [creator]     unable to request https://github.com/bell-sw/Liberica/releases/download/17.0.6+10/bellsoft-jre17.0.6+10-linux-amd64.tar.gz
[INFO]     [creator]     Get https://github.com/bell-sw/Liberica/releases/download/17.0.6+10/bellsoft-jre17.0.6+10-linux-amd64.tar.gz: x509: certificate signed by unknown authority
[INFO]     [creator]     ERROR: failed to build: exit status 1

This happens because the build process does not know the corporate certificate used by the proxy server. When the buildpack tries to download the artifacts it needs during the build, the download fails because the certificate is not trusted.

spring-boot-maven-plugin uses Cloud Native Buildpacks under the hood, and it allows some customization of the build process.

We need to put our corporate root CA certificates into the buildpack. For this we will create the files mycert.cer and type in the structure below:

.
├── pom.xml
└── src
    └── main
        └── bindings
            └── ca-certificates
                ├── mycert.cer
                └── type

src/main/bindings/ca-certificates/mycert.cer:

-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Base64–encoded certificate
-----END CERTIFICATE-----

src/main/bindings/ca-certificates/type:

ca-certificates

The following Maven configuration will add the certificate to the buildpack.

pom.xml:

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
        <image>
            <env>
                <SERVICE_BINDING_ROOT>/bindings</SERVICE_BINDING_ROOT>
            </env>
            <bindings>
                <binding>${project.basedir}/src/main/bindings/ca-certificates:/bindings/ca-certificates</binding>
            </bindings>
        </image>
    </configuration>
</plugin>

Now, mvn spring-boot:build-image should work!
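
A pre-flight check for the layout and POM described above, added here as an example (it is not code from the original post or from the Spring Boot or buildpack projects). It assumes POSIX host paths and, following the article's configuration, that each binding is mounted directly under SERVICE_BINDING_ROOT; check_bindings and demo are hypothetical names, and the demo certificate body is a constructed dummy, not a real CA.

```python
import base64, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path, PurePosixPath

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace if present

def check_bindings(pom_text, basedir):
    """Return a list of problems in the build-image CA binding setup."""
    problems = []
    elems = list(ET.fromstring(pom_text).iter())
    root = next((e.text.strip() for e in elems
                 if local(e.tag) == "SERVICE_BINDING_ROOT" and e.text), None)
    if root is None:
        problems.append("SERVICE_BINDING_ROOT is not set")
    for b in [e.text.strip() for e in elems if local(e.tag) == "binding" and e.text]:
        b = b.replace("${project.basedir}", str(basedir)).replace("${basedir}", str(basedir))
        host, _, container = b.partition(":")  # assumption: POSIX host path, no options
        if root and PurePosixPath(container).parent != PurePosixPath(root):
            problems.append(f"{container} is not directly under {root}")
        type_file = Path(host, "type")
        if not type_file.is_file() or type_file.read_text().strip() != "ca-certificates":
            problems.append(f"{host}/type must contain 'ca-certificates'")
        blocks = [m for f in Path(host).glob("*") if f.is_file() and f.name != "type"
                  for m in PEM.findall(f.read_text(errors="replace"))]
        if not blocks:
            problems.append(f"no PEM certificate found in {host}")
        for body in blocks:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:  # also raised when placeholder text was left in the file
                der = b""
            if der[:1] != b"\x30":  # X.509 DER starts with a SEQUENCE tag
                problems.append("PEM block is not base64-encoded DER")
    return problems

def demo():
    """Constructed sample: the article's layout with a dummy DER body, not a real CA."""
    base = Path(tempfile.mkdtemp())
    d = base / "src/main/bindings/ca-certificates"
    d.mkdir(parents=True)
    (d / "type").write_text("ca-certificates\n")
    (d / "mycert.cer").write_text("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n")
    pom = ("<plugin><configuration><image><env><SERVICE_BINDING_ROOT>/bindings</SERVICE_BINDING_ROOT>"
           "</env><bindings><binding>${project.basedir}/src/main/bindings/ca-certificates"
           ":/bindings/ca-certificates</binding></bindings></image></configuration></plugin>")
    return check_bindings(pom, base), base, pom
```

An empty list means the POM and the binding directory agree with each other; it does not confirm that the certificate is the one your proxy actually presents.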

Top comments (4)

Igor Savin

Hello Eduardo!
Thank you for your article. It helped me to set up my build process.

Eduardo Issao Ito

Thanks! This is a simple solution, but the information has all been scattered around and assumes prior knowledge of buildpacks...

vadiw

I added the section in pom.xml and used OpenSSL to create a PEM cert. But I am not getting past the error. What could be wrong for me? (Disabling the corp VPN resolves it, but I need to make it work with the corp VPN.)
I am using Spring Boot 3.1.1.

[INFO] [creator] Get "github.com/bell-sw/Liberica/releas... tls: failed to verify certificate: x509: certificate signed by unknown authority

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <image>
                        <env>
                            <SERVICE_BINDING_ROOT>/bindings</SERVICE_BINDING_ROOT>
                        </env>
                        <bindings>
                            <binding>${basedir}/bindings/ca-certificates:/platform/bindings/ca-certificates</binding>
                        </bindings>
                    </image>
                </configuration>
            </plugin>
        </plugins>
    </build>
Eduardo Issao Ito

Probably you are using the wrong certificate.

The mycert.cer file should contain the public certificate used by your company to sign the incoming traffic from the internet.

The certificate is expected to be in x509 format.
