Relic Solution: Using custom SSL certificates for CPM communication with Horde

When using the Containerized Private Minion, you may find yourself deploying it in a network context where a private certificate authority is in use. The presence of that private CA's certificate in the chain for requests to our API endpoint, Horde, will break the chain of trust and cause the request to fail.

Since the minion is a Java application, this private CA will need to be added to the JVM trust store. This can be done by wrapping the minion docker image in a new docker image that performs this import.

  1. In a new directory, create a file called Dockerfile.
  2. In the same directory, create a subdirectory, let's say certs, that contains the cert you want to install.
  3. Edit Dockerfile with the following contents (the base image on the FROM line is the minion image you already run; the name shown is assumed, not given in the original post):
# Base image: the minion image you already run (name assumed)
FROM quay.io/newrelic/synthetics-minion:latest
COPY certs /etc/certs
RUN keytool -noprompt -import -alias proxy -file /etc/certs/charles-ssl-proxying-certificate.pem -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit
  4. Build the docker image from the directory that Dockerfile is in. Let's name it minion-with-cert:
$ docker build --tag minion-with-cert .

Now launch the minion as you would but with the new wrapper image (minion-with-cert). This should install the cert to the JVM trust store before the Minion Application launches:

sudo docker run -e MINION_PRIVATE_LOCATION_KEY=your-private-location-key -e "MINION_LOG_LEVEL=DEBUG" -v /tmp:/tmp:rw -v /var/run/docker.sock:/var/run/docker.sock:rw minion-with-cert
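A small generator for the wrapper Dockerfile, added here as an example and not part of the original post: it emits one keytool import per certificate file in the directory, each under its own alias, because keytool refuses a second import under an alias that already exists (which matters when the private chain has both a root and an intermediate). The base image name is passed in by the caller (an assumption); the trust-store path and password are the ones from the post.

```shell
#!/bin/sh
# Render a wrapper Dockerfile that imports every certificate in CERT_DIR into the
# minion image's JVM trust store, one keytool RUN per file under a unique alias.
# Trust-store path and password are the ones from the post above; the base image
# name is supplied by the caller (assumed, not fixed by this example).
CACERTS=/opt/java/openjdk/lib/security/cacerts
STOREPASS=changeit

# alias_for FILE: keytool alias from the file name (extension dropped, lower-case,
# anything that is not a-z/0-9 becomes '-'), e.g. Corp_Root_CA.pem -> corp-root-ca
alias_for() {
  basename "$1" | sed 's/\.[^.]*$//' | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g'
}

# render_dockerfile BASE_IMAGE CERT_DIR: Dockerfile text on stdout; returns 1 if
# two files would map to the same alias, since keytool would reject the second one.
render_dockerfile() {
  base="$1"; dir="$2"; seen=" "
  printf 'FROM %s\n' "$base"
  printf 'COPY %s /etc/certs\n' "$(basename "$dir")"
  for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
    [ -f "$f" ] || continue
    a=$(alias_for "$f")
    case "$seen" in *" $a "*) echo "duplicate keytool alias: $a" >&2; return 1 ;; esac
    seen="$seen$a "
    printf 'RUN keytool -noprompt -import -alias %s -file /etc/certs/%s -keystore %s -storepass %s\n' \
      "$a" "$(basename "$f")" "$CACERTS" "$STOREPASS"
  done
}

# Usage: sh gen.sh <base-image> <cert-dir> > Dockerfile
if [ "$#" -ge 2 ]; then
  render_dockerfile "$1" "$2"
fi
```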

I tried implementing this solution using a custom cert using the latest image (3.0.31) and it continuously fails. From my digging the JAVA_HOME path changed to /opt/java/openjdk. But even with that, the /jre/lib/security/cacerts directory path no longer seems to even exist.

Hi @jean_89! Thanks for bringing this to our attention. It looks like the path should be /opt/java/openjdk/lib/security/cacerts now, I’ve updated the post to reflect this.

Please let me know if you run into any other issues with this!


How to get the SSL cert?

Visit the Horde API endpoint link for your region in a browser and export the certificate. Instructions are here if needed.

I exported the root cert (.cer) in Chrome, added it to the certs directory, then ran the docker command and it’s now working as expected.

Are there plans on building this into the minion container and if so when could we expect to see them?