Relic Solution: Using custom SSL certificates for CPM communication with Horde

When using the Containerized Private Minion (CPM), you may find yourself deploying it in a network where a private certificate authority is in use, for example because an outbound proxy intercepts TLS and re-signs server certificates with that CA. The certificate chain presented for requests to our API endpoint Horde ( / then ends in a CA the JVM does not trust, so the chain of trust breaks and the request fails.

Because the minion is a Java application, the private CA has to be added to the JVM trust store (the cacerts keystore) inside the container; the JVM does not consult the container OS's CA bundle. The cleanest way to do this is to wrap the minion Docker image in a new image that performs the import at build time.

  1. In a new directory, create a file called Dockerfile.
  2. In the same directory, create a subdirectory, say certs, containing the CA certificate you want to install (PEM or DER; the file name used below is only an example, substitute your own).
  3. Give Dockerfile the following contents. The FROM line names the minion image you already run, so the wrapper tracks the same version you deploy:
# Base on the CPM image you already pull; keep the tag in step with your deployment.
FROM quay.io/newrelic/synthetics-minion:latest
COPY certs /etc/certs
# Import the private CA into the JVM trust store. "changeit" is the stock password of the JDK cacerts file.
RUN keytool -noprompt -import -alias proxy -file /etc/certs/charles-ssl-proxying-certificate.pem -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit
  4. Build the Docker image from the directory that Dockerfile is in. Let's name it minion-with-cert:
$ docker build --tag minion-with-cert .

Now launch the minion as you usually would, but with the wrapper image (minion-with-cert). Because the import ran at build time, the CA is already in the JVM trust store when the minion application starts. The wrapper is pinned to the base image it was built from, so rebuild it whenever you update the minion image:

sudo docker run -e MINION_PRIVATE_LOCATION_KEY=your-private-location-key -e "MINION_LOG_LEVEL=DEBUG" -v /tmp:/tmp:rw -v /var/run/docker.sock:/var/run/docker.sock:rw minion-with-cert

MINION_LOG_LEVEL=DEBUG is optional and only serves to make a failing TLS handshake visible in the logs. The /var/run/docker.sock mount is required by the CPM to start its runner containers, but bear in mind that it gives the container control over the host's Docker daemon, which is root-equivalent on that host.
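As an added example (not part of the original post or of the CPM image), here is the import step written as a small POSIX shell script that first locates the cacerts keystore, because its path differs between JDK layouts (/opt/java/openjdk/lib/security/cacerts on the current image versus $JAVA_HOME/jre/lib/security/cacerts on older Java 8 images), and then verifies that the alias landed in the keystore as a trusted entry, so a wrong path or a malformed file fails the docker build instead of surfacing as a TLS error at runtime. The default JAVA_HOME of /opt/java/openjdk, the alias name proxy and the script path shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not the CPM project's own code: locate the JVM cacerts
# keystore regardless of JDK layout, then import a private CA into it.
# Java 8 images keep it under $JAVA_HOME/jre/lib/security/cacerts; Java 11+
# images (such as the /opt/java/openjdk layout) use $JAVA_HOME/lib/security/cacerts.
set -u

# Print the first cacerts path that exists under the given JAVA_HOME.
# Returns 1 (and prints nothing) when neither layout is present.
find_cacerts() {
    java_home="$1"
    for candidate in \
        "$java_home/lib/security/cacerts" \
        "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Import the certificate file PEM under ALIAS into the keystore KS.
# Fails if the alias is already taken or the import does not stick, so the
# problem is caught at image build time. "changeit" is the stock password of
# the JDK cacerts file; change it here if your base image uses another one.
import_ca() {
    ks="$1"; alias="$2"; pem="$3"
    if keytool -list -keystore "$ks" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $ks" >&2
        return 1
    fi
    keytool -noprompt -import -alias "$alias" -file "$pem" \
        -keystore "$ks" -storepass changeit || return 1
    # Verify: the entry must now be listed as a trusted certificate.
    keytool -list -keystore "$ks" -storepass changeit -alias "$alias" \
        | grep -q trustedCertEntry
}

main() {
    pem="$1"; alias="${2:-proxy}"
    # Assumption: JAVA_HOME of the current minion image.
    java_home="${JAVA_HOME:-/opt/java/openjdk}"
    ks="$(find_cacerts "$java_home")" || {
        echo "no cacerts keystore found under $java_home" >&2
        exit 1
    }
    import_ca "$ks" "$alias" "$pem"
}

# Only act when a certificate path is given, e.g. from a Dockerfile line
# (assumed script location):
#   RUN sh /etc/certs/import-ca.sh /etc/certs/private-ca.pem proxy
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Copy the script into the certs directory and replace the RUN keytool line of the Dockerfile with a RUN that invokes it. Note that -noprompt trusts the certificate without review, so only import a CA that you control, never a leaf or server certificate, and keep the alias unique per CA so a stale entry is reported rather than silently overwritten.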

I tried implementing this solution with a custom cert using the latest image (3.0.31), and it continuously fails. From my digging, the JAVA_HOME path changed to /opt/java/openjdk. But even with that, the /jre/lib/security/cacerts directory path no longer seems to exist.

Hi @jean_89! Thanks for bringing this to our attention. It looks like the path should be /opt/java/openjdk/lib/security/cacerts now, I’ve updated the post to reflect this.

Please let me know if you run into any other issues with this!