bellsoft-liberica Java 21 with custom ca-certificates

[rasifix]

I was trying to switch our setup to Java 21. We have custom ca-certificates bindings, which successfully copies some custom certificates to the truststore(s) with Java 17 ("added n certificates ..."). After switching to Java 21 (BP_JVM_VERSION) we no longer get those certificates.

The ca-certificates build pack is properly triggered.

fail: paketo-buildpacks/[email protected] provides unused ca-certificates

Paketo Buildpack for CA Certificates 3.6.8 https://github.com/paketo-buildpacks/ca-certificates Launch Helper: Contributing to layer Creating /layers/paketo-buildpacks_ca-certificates/helper/exec.d/ca-certificates-helper

It looks as though Java 21 does no longer use these ca-certificates. Can you please tell me what I have to do differently with Java 21?!

[dmikusa]

If you are on recent versions of our JVM vendor buildpacks, then it should automatically pick up the certificates regardless of the version of Java. In older versions of the buildpack, it was not supported because Java changed the keystore format and it took a little time to get things working with the new format. I don't remember off-hand exactly when this was fixed, but anything in the last couple of months should be OK.

If you are running the latest, please include full build output so we can see what happens at build time. Also, please provide some more details on what you're doing and why you feel like it's not using the certificates. All of this just helps us to more fully understand what's happening in your environment. Thanks

[rasifix]

I have been trying to reproduce the issue. The good news, it is working now with Java 17 and 21. Certificates are added. The above message ("unused ca-certificates") is gone. However, I have no clue what fixed it. I'll try to find that out.

[dmikusa]

Ah, ok. So fail: paketo-buildpacks/[email protected] provides unused ca-certificates is a detection problem. It means that something decided to provide ca-certificates buildplan entry, but there were no buildpacks that required that entry. All of the provides and requires declarations need to match up, or that buildplan will fail.

If you had pack build -v enabled, you'll see some output from detection time. It may indicate failures, but that's normal because there are multiple buildplans that get produced, and ultimately only one is selected to be used. So it's important to look at the plan selected and see if that has the desired buildplans. Also, for ca-certificates, look at the ca-certificates buildpack build output and make sure it says it's adding system certificates, then look at your JVM vendor buildpack and make sure it says it's adding system certificates to the JVM keystore. You should see a differences in the number of certs when you add your custom certs, so you can be sure it's adding them.

Hope that helps!

[rasifix]

the build debug output (we have to use /cnb/lifecycle/creator directly, but that should not matter I guess) is extremely confusing. The build plans differ, but I cannot tell why. As I have a working solution now, I will not further investigate.