When using the Containerized Private Minion, you may find yourself deploying it in a network context where a private certificate authority is in use. The presence of this certificate in the certificate chain for requests to our API endpoint Horde (synthetics-horde.nr-data.net / synthetics-horde.eu01.nr-data.net) will break the chain of trust and cause the request to fail.
Since the minion is a Java application, this private CA will need to be added to the JVM trust store. This can be done by wrapping the minion docker image in a new docker image that performs this import.
- In a new directory, create a file called Dockerfile.
- In the same directory, create a subdirectory, let's say /certs, that contains the cert you want to install.
- Edit Dockerfile with the following contents, substituting your cert's file name for charles-ssl-proxying-certificate.pem:
FROM quay.io/newrelic/synthetics-minion:latest
COPY certs /etc/certs
RUN keytool -noprompt -import -alias proxy -file /etc/certs/charles-ssl-proxying-certificate.pem -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit
- Build the docker image from the directory that Dockerfile is in. Let's name it minion-with-cert:
$ docker build --tag minion-with-cert .
Now launch the minion as you normally would, but with the new wrapper image (minion-with-cert). Because the import runs when the image is built, the cert is already in the JVM trust store before the Minion application launches:
sudo docker run -e MINION_PRIVATE_LOCATION_KEY=your-private-location-key -e "MINION_LOG_LEVEL=DEBUG" -v /tmp:/tmp:rw -v /var/run/docker.sock:/var/run/docker.sock:rw minion-with-cert
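
The Dockerfile in the steps above imports one certificate file under the alias proxy. A private CA is often handed out as a PEM bundle (root plus intermediates), and a keytool trusted-certificate alias holds a single certificate, so the script below, an added example that is not part of the original instructions and goes beyond the single-cert case, splits a bundle into one file per certificate and prints a RUN line with a unique alias for each. The script name, the bundle file name and the corp-ca prefix are hypothetical; the keystore path and store password are the ones used on this page.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: split a PEM bundle into one file
# per certificate and print one keytool import line (unique alias) for each.
set -eu
KEYSTORE=/opt/java/openjdk/lib/security/cacerts   # keystore path used on this page

# split_bundle FILE OUTDIR PREFIX: writes OUTDIR/PREFIX-N.pem, prints the count.
split_bundle() {
  mkdir -p "$2"
  awk -v out="$2" -v prefix="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = out "/" prefix "-" n ".pem"; on = 1 }
    on                            { print > f }
    /-----END CERTIFICATE-----/   { on = 0; close(f) }
    END                           { print n + 0 }
  ' "$1"
}

# dockerfile_lines OUTDIR PREFIX: one RUN line per split certificate.
dockerfile_lines() {
  for f in "$1/$2"-*.pem; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    printf 'RUN keytool -noprompt -import -alias %s -file /etc/certs/%s -keystore %s -storepass changeit\n' \
      "${name%.pem}" "$name" "$KEYSTORE"
  done
}

# sample_bundle FILE: constructed two-entry bundle. The base64 bodies are
# placeholders, not real certificates; they only exercise the splitter.
sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}

# Usage: ./split-ca.sh corp-bundle.pem corp-ca   (file and prefix are hypothetical)
if [ "$#" -eq 2 ]; then
  split_bundle "$1" certs "$2" >/dev/null
  dockerfile_lines certs "$2"
fi
```

Run it from the directory that holds the Dockerfile, then paste the printed RUN lines in place of the single keytool line.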