问题
I'm trying to build and deploy my docker image to a private registry using Google JIB maven plugin. However, it fails with issues accessing the private registry.
I have installed Docker Desktop v19.03.1 on my Windows 10 machine. Next I'm trying to using Google JIB Maven plugin to build my Spring Boot application and then push the image built on the private registry.
I have added the CERT to 'example.registry.com' to the Windows trusted CERTS. I was able to verify this using the docker command to login to private registry as below :-
docker login example.registry.com
This command returns success for authentication which means the CERT I added was accepted.
And Following the logon to the private registry, I'm able to PULL and PUSH images using docker command line to 'example.registry.com' successfully .
Below is my POM.xml file.
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>jib-maven-plugin</artifactId>
<version>1.5.1</version>
<configuration>
<to>
<image>example.registry.com/inventory-service-docker:1.0</image>
<auth>
<username>plaintextusernameforRegistry</username>
<password>plaintestpasswordforRegistry</password>
</auth>
</to>
<from>
<image>openjdk:8</image>
</from>
<container>
<ports>
<port>8089</port>
</ports>
</container>
<allowInsecureRegistries>true</allowInsecureRegistries> <!-- this is commented on the first run.-->
</configuration>
</plugin>
When I run 'mvn compile jib:build' command from the console from the directory with pom.xml file, it does start the processing, however fails at a later stage with below error :-
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed, perhaps you should use a registry that supports HTTPS or set the configuration parameter 'allowInsecureRegistries': Failed to verify the server at https://example.registry.com/v2/inventory-service-docker/blobs/sha256:9cc2ad81d40d54dcae7fa5e8e17d9c34e8bba3b7c2cc7e26fb22734608bda32e because only secure connections are allowed.
When I run the same command after setting the configuration parameter 'allowInsecureRegistries' as suggested from above error, I get a different error as below :-
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:1.5.1:build (default-cli) on project inventory-service-docker: Build image failed: Failed to authenticate with registry example.registry.com/inventory-service-docker because: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Looks like some config that I'm missing when using JIB that does not connect to 'example.registry.com' securely.
回答1:
(Before I start, please don't use Jib 1.5.x, as the those versions have a network performance issue.)
JVM doesn't make use of the Windows certificate stores. This doc says
One big problem of the JRE is that it completely ignores the Windows certificate stores. Instead of using the windows certificate store it uses its own implementation
One potential option for Windows I just found in another answer is to start Java with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT. But I haven't verified myself if this works.
Another way is to add your certificates to the default Java certificate store (truststore) file (cacerts). It is often located under <JDK>/lib/sercurity/ or <JRE>/jre/lib/security/.
There are multiple ways to add certificates (e.g., using various GUI tools). For example,
- on the command line
keytool.exe -import -storepass "changeit" -keystore "C:\Program Files (x86)\Java\jre1.8.0_144\lib\security\cacerts" -alias certificate.cer -file "C:\certificate.cer" -noprompt
- using a GUI tool called KeyStore Explorer
Lastly, for those who want to get some more ideas for troubleshooting this kind of Java cert issues, check out this comment.
来源:https://stackoverflow.com/questions/57812972/failure-on-push-to-docker-registry-using-mvn-compile-jibbuild