Dockerfile – How to Handle SSL Certificates

Tags: docker, Jenkins, ssl

I am writing a Docker image based off of maven:3.6.0-jdk-11-slim to integrate with our Jenkins Pipeline. I am working in a corporate environment that's behind a pretty tight firewall, and I need to add certificates in order to download the necessary dependencies from our Nexus server.

However, because Docker only allows for relative paths when copying files into the image, I would need to provide the ca.crt in the same directory as the Dockerfile and thus commit everything to SCM, which I am not thrilled about.

Am I being too cautious in not wanting to commit our ca-cert? Or is there a workaround that would allow me to use the certificate that already exists on the build server?

Dockerfile for reference:

#
# Build Stage
#
FROM maven:3.6.0-jdk-11-slim
COPY ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates

COPY pom.xml /tmp/pom.xml
COPY settings.xml /usr/share/maven/ref/settings.xml

RUN mvn -f /tmp/pom.xml -X -s /usr/share/maven/ref/settings.xml clean package

DISCLAIMER: I'm not sure if this is the correct forum to pose this question, so I will happily move it if not.

Best Answer

If the ca.crt is the public key certificate, it is by definition public, and it does not contain any information that allows one to impersonate the server that has the corresponding private key certificate. So it is safe to add the file to the repo, but... there is a better solution:

Dynamically get the public key certificate from the server. With the following command, you can get the public key of the "self-signed certificate" of the CA that signed the certificate:

echo quit | openssl s_client -showcerts -servername example.com -connect example.com:443 2>/dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){c=""};c=c $0 "\n"}END{print c}' >ca.crt || true

The file ca.crt then contains the public key certificate.

This way, whenever you build the Docker image, the certificate of the CA is "refreshed".
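The fetch-at-build-time approach works, but `openssl s_client` does no verification of the chain it prints: the build trusts whatever certificate is on the wire at that moment. The following script is an added example, not code from the answer above or from any project; it extracts the last certificate of a PEM chain exactly as the awk command does (each BEGIN resets the buffer), computes its SHA-256 fingerprint in the same format as `openssl x509 -noout -fingerprint -sha256`, and only writes ca.crt when that fingerprint matches a value recorded out of band, for example from the copy of the CA certificate already on the build server. The PEM bodies in SAMPLE_CHAIN are constructed placeholders rather than real certificates, and EXPECTED_FP is the fingerprint of that placeholder, both assumptions made for the sample; in real use, pipe the output of the `openssl s_client -showcerts ...` command into the script and pass the CA's real fingerprint.

```python
"""Extract the last certificate of a PEM chain and pin its SHA-256 fingerprint."""
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample shaped like `openssl s_client -showcerts` output.
# The base64 bodies are placeholders, not certificates: "YWJj" decodes to
# b"abc", so the pinned fingerprint below is simply SHA-256("abc").
SAMPLE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = nexus.example.internal
   i:CN = Example Corp Issuing CA
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0LXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
 1 s:CN = Example Corp Issuing CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""

# Assumed pin for the sample chain (SHA-256 of the DER bytes b"abc").
EXPECTED_FP = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
               "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")


def split_pem_chain(text):
    """Return every PEM certificate block, in the order the server sent them."""
    certs, current = [], None
    for line in text.splitlines():
        if line.startswith(PEM_BEGIN):
            current = [line]            # a new BEGIN resets, like c="" in the awk
        elif current is not None:
            current.append(line)
            if line.startswith(PEM_END):
                certs.append("\n".join(current) + "\n")
                current = None
    return certs


def last_cert(text):
    """The last block of the chain: the highest CA the server chose to send."""
    chain = split_pem_chain(text)
    if not chain:
        raise ValueError("no PEM certificate found in input")
    return chain[-1]


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, formatted like openssl's -fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)     # base64-decodes the PEM body
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_pin(chain_text, expected_fp):
    """Return the last certificate only if its fingerprint matches the pin."""
    cert = last_cert(chain_text)
    actual = sha256_fingerprint(cert)
    if actual != expected_fp.upper():
        raise RuntimeError(f"fingerprint mismatch: got {actual}, expected {expected_fp}")
    return cert


def pin_and_write(chain_text, expected_fp, path="ca.crt"):
    """Write the pinned certificate to `path` (the file update-ca-certificates reads)."""
    cert = verify_pin(chain_text, expected_fp)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(cert)
    return sha256_fingerprint(cert)


if __name__ == "__main__":
    # Usage: openssl s_client -showcerts ... 2>/dev/null | python3 pin_ca.py <fingerprint> [path]
    if len(sys.argv) < 2:
        sys.exit("usage: pin_ca.py <sha256-fingerprint> [output-path]")
    out = sys.argv[2] if len(sys.argv) > 2 else "ca.crt"
    print("pinned", pin_and_write(sys.stdin.read(), sys.argv[1], out), "->", out)
```

In the Dockerfile, run the script in place of the plain redirect to ca.crt and pass the fingerprint as a build argument (an `ARG` of your own naming) so the image build fails loudly when the certificate on the wire is not the one you expect. Note that the last block the server sends is often an intermediate rather than the root, so compare the fingerprint against the specific certificate you intend to trust.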