On Fri, Jul 18, 2025 at 10:36 AM Adam Sage <[email protected]> wrote:
> Hello,
>
> First of all, I wouldn’t consider myself a Docker expert, so it’s very possible I’m doing something wrong. That said, I’m trying to set up a Docker container that will use system CA certs to enable LDAPS auth. Since I wasn’t able to find much info on this, I created my own hacky way to do it by creating a shared volume for /opt/java/openjdk/lib/security and then creating a service that injects my PKI root certs. It works, but I can’t say I’m completely happy with it. After doing this, I noticed a file is created on the root of the drive called __cacert_entrypoint.sh. This file says there should be an env variable called USE_SYSTEM_CA_CERTS, which when set to true should inject any .crt cert mounted in /certificates. After finding this script, I found this post https://lists.apache.org/thread/4g8o2kb01srxv43nsk0f31csq556x4hq, but he has very similar questions to mine. In the latest tag, as of right now (https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-5cc63aea0b427fb5fa12ff79f8c1cfbbbbfeee6a823131fa3aeafa49d8ba4188), it appears the script is called on line 15; the thing is, it doesn’t seem to do anything. In the Docker logs I don’t see anything logged from the script. I can’t seem to find anything about what this __cacert_entrypoint.sh script is, or even the environment variable USE_SYSTEM_CA_CERTS, in any of the docs. If I attach to the container and run the script manually, it appears to complete successfully, but the cert is not actually inserted for Guacamole/JVM to use. In the logs I still see the error “javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”.
>
> My best guess is that because I’m not running the container as root it’s not completing correctly, even though the comments at the end of the script suggest that running as a non-root user should not matter (except for anything other than the JVM, which I don’t care about at the moment). Notice in my hacky solution that I’m adding the certs with the root user. Here is the output from the script:
>
>

Looking at the current Guacamole source code, I do not see any reference to USE_SYSTEM_CA_CERTS or the cacert_entrypoint.sh script. After a quick Google search, I believe this variable and script are actually used by the eclipse-temurin-jdk21 container that we use for the _build_ process, which is somewhat disconnected from the tomcat container that is used to run the components after the build. Essentially, the additional certificates you're providing are being happily consumed by the container used to build the various Guacamole components, but then promptly discarded when the build is complete and the built artifacts are extracted in order to create the container that will be used to _run_ the Guacamole code.

-Nick
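The build-stage/runtime-stage split Nick describes, shown as an added illustration (this is not Guacamole's own Dockerfile and not code from this thread). The image tags, the `/src` and `target/app.war` paths, the `./mvnw` build command and the `corp-root` alias are assumptions chosen for the example; what it demonstrates is generic Docker behaviour: a multi-stage build copies only what `COPY --from` names, so a truststore populated in the build stage never reaches the runtime stage, and the import has to be repeated against the runtime JVM's `cacerts`.

```dockerfile
# Stage 1: build container. Illustrative only; eclipse-temurin images honour
# USE_SYSTEM_CA_CERTS and import /certificates/*.crt into THIS JVM's cacerts.
FROM eclipse-temurin:21-jdk AS build
COPY certificates/ /certificates/
ENV USE_SYSTEM_CA_CERTS=true
WORKDIR /src
COPY . .
RUN ./mvnw -q package          # hypothetical build step

# Stage 2: runtime container (hypothetical tag). Only the artifact named in
# COPY --from arrives here. The build stage's cacerts, /certificates directory
# and USE_SYSTEM_CA_CERTS setting are all left behind, so an LDAPS handshake
# from this JVM still fails with "unable to find valid certification path".
FROM tomcat:9-jre17
COPY --from=build /src/target/app.war /usr/local/tomcat/webapps/ROOT.war

# Fix: import the private root CA into the RUNTIME JVM's truststore.
# "changeit" is the stock password of the OpenJDK cacerts file; JAVA_HOME is
# set by the official tomcat images. The keytool -list afterwards fails the
# build if the alias is missing, so a silent no-op import cannot slip through.
COPY certificates/corp-root.crt /tmp/corp-root.crt
RUN keytool -importcert -noprompt -trustcacerts \
        -alias corp-root \
        -file /tmp/corp-root.crt \
        -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit \
 && keytool -list \
        -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit \
        -alias corp-root \
 && rm /tmp/corp-root.crt
```

The same `RUN keytool -importcert ...` step placed in an image derived from the published runtime image (`FROM` that image, then the `COPY` and `RUN` lines above) has the same effect without rebuilding the application, as long as the step runs as a user that can write the runtime JVM's `cacerts` file.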
