JDK 10 modules and sun.security.provider.certpath.SunCertPathBuilderException
I used to run my application on the openjdk:10-slim docker image and everything worked fine.
I then migrated to a custom JDK built with Jlink using the following dockerfile:
FROM openjdk:10-jdk-slim AS jdkBuilder
RUN $JAVA_HOME/bin/jlink \
--module-path /opt/jdk/jmods \
--verbose \
--add-modules java.base,java.logging,java.xml,java.xml.bind,java.sql,jdk.unsupported,java.naming,java.desktop,java.management,java.security.jgss,java.security.sasl, jdk.crypto.cryptoki,jdk.crypto.ec,java.instrument,jdk.management.agent \
--output /opt/jdk-minimal \
--compress 2 \
--no-header-files
FROM debian:9-slim
COPY --from=jdkBuilder /opt/jdk-minimal /opt/jdk-minimal
ENV JAVA_HOME=/opt/jdk-minimal
COPY target/*.jar /opt/
CMD $JAVA_HOME/bin/java $JAVA_OPTS -jar /opt/*.jar
This mostly works fine when I use the AWS S3 SDK, in which case I get the following exception:
com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I’m guessing these certificates (or the way to access them) are provided by a missing package that I didn’t include.
I did some digging but couldn’t find any relevant information. I tried adding any modules that might be security or SSL-related, but I had no luck.
Has anyone ever encountered this issue and knows which module needs to be added?
As a workaround, I reverted to openjdk:10-slim but I want to use jlink because it makes my image smaller
Solution
The exception indicates that your environment is missing some root certificates.
Try copying cacerts from openjdk:10-slim to the JDK you are using.