How to add a self-signed certificate?

Some customers need CodeScene to be able to connect to an internal server using a self-signed certificate for things like:

  • Fetching pm-data
  • Cloning repositories over HTTPS URLs

For this to work, the certificate must be present in the truststore used by the Java runtime inside the CodeScene Docker container. The following steps set that up:

  1. Get the certificate from the server (the HTTPS port is given explicitly; there are other ways to get the certificate, like exporting from a browser):

    openssl s_client -showcerts -connect your.server:443 < /dev/null | openssl x509 -outform pem > cert.pem

  2. Create a truststore containing the self-signed certificate (you will be asked to set a password; also answer yes when asked to trust the certificate):

    keytool -import -alias mykey -keystore mytruststore.ks -file cert.pem

  3. Import the default Java CA certificates (cacerts) into the new truststore, so that publicly trusted CAs keep working alongside your own certificate (the source password is empty, just press Enter; the destination password is the one set above). `$(/usr/libexec/java_home)` locates the JDK on macOS; on Linux use `$JAVA_HOME` instead:

    keytool -importkeystore -srckeystore $(/usr/libexec/java_home)/lib/security/cacerts -destkeystore mytruststore.ks

  4. Make the truststore available to CodeScene:
    1. When using a standalone JAR: Specify the truststore on the command line (use the password from above):

      java -Djavax.net.ssl.trustStore=mytruststore.ks -Djavax.net.ssl.trustStorePassword=mypwd -jar codescene-enterprise-edition.standalone.jar

    2. When using the Docker container: Pass the options through the JAVA_OPTIONS environment variable that our image reads, and mount the truststore into the container. This can be accomplished by adding something like this to docker-compose.yml:

      environment:
      - JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/mytruststore.ks -Djavax.net.ssl.trustStorePassword=mypwd
      volumes:
      - ./mytruststore.ks:/mytruststore.ks
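
A check worth doing between steps 1 and 2, as an added example that is not part of the original article or of CodeScene's own tooling: the `openssl s_client -showcerts | openssl x509` pipeline keeps only the first certificate of whatever the server sent, and nothing confirms that it is the certificate you expected to import. The script below (Python standard library only, no network access) splits raw `-showcerts` output into individual PEM files and prints each certificate's SHA-256 fingerprint in the colon-separated form that `keytool -list -v` and `openssl x509 -fingerprint -sha256` print, so the value can be compared with what the server's administrator reports before running `keytool -import`. The sample `s_client` output and the certificate bytes inside it are constructed placeholders, not real certificates; the output format of `s_client` is mimicked only as far as the parser needs.

```python
"""Split ``openssl s_client -showcerts`` output into PEM files and print
SHA-256 fingerprints, so each certificate can be checked against an
out-of-band reference before it is imported into a Java truststore.
"""
import base64
import hashlib
import re

# One PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(text: str) -> list[str]:
    """Return every PEM certificate found in ``text`` as its own PEM string.

    ``s_client -showcerts`` prints the whole chain interleaved with handshake
    chatter; piping it through ``openssl x509`` keeps only the first block.
    """
    return [
        "-----BEGIN CERTIFICATE-----\n"
        + m.group(1).strip()
        + "\n-----END CERTIFICATE-----\n"
        for m in PEM_BLOCK.finditer(text)
    ]


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the BEGIN/END markers into DER bytes."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as ``AA:BB:...``, the form keytool and openssl print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    # Drop colons, spaces and case so a value pasted from a ticket compares cleanly.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def check_pin(pem: str, expected: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals ``expected``."""
    return _normalise(sha256_fingerprint(pem_to_der(pem))) == _normalise(expected)


# Constructed sample input: these bytes are NOT real certificates, only
# placeholders so parsing and hashing can be exercised offline.
LEAF_DER = b"constructed-leaf-certificate-bytes"
ISSUER_DER = b"constructed-issuer-certificate-bytes"


def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"


SAMPLE_S_CLIENT_OUTPUT = "\n".join([
    "CONNECTED(00000003)",
    "depth=0 CN = your.server",
    "verify error:num=18:self signed certificate",
    "---",
    "Certificate chain",
    " 0 s:CN = your.server",
    "   i:CN = internal-ca",
    _pem(LEAF_DER),
    " 1 s:CN = internal-ca",
    "   i:CN = internal-ca",
    _pem(ISSUER_DER),
    "---",
    "Server certificate",
    "DONE",
])


def main() -> None:
    certs = split_pem_chain(SAMPLE_S_CLIENT_OUTPUT)
    print(f"{len(certs)} certificate(s) in chain")
    for idx, pem in enumerate(certs):
        path = f"cert{idx}.pem"  # import with: keytool -import -alias <name> -keystore mytruststore.ks -file cert<idx>.pem
        with open(path, "w", encoding="ascii") as fh:
            fh.write(pem)
        print(f"{path}: SHA256 {sha256_fingerprint(pem_to_der(pem))}")
    # The reference value would normally come from the server's administrator;
    # here it is derived from the constructed leaf so the demo is self-contained.
    expected = sha256_fingerprint(LEAF_DER)
    print("leaf fingerprint matches reference:", check_pin(certs[0], expected))


if __name__ == "__main__":
    main()
```

Run it as `openssl s_client -showcerts -connect your.server:443 < /dev/null | python3 split_chain.py` after replacing the constructed sample with `sys.stdin.read()`; only a certificate whose printed fingerprint matches the reference you obtained out of band should go on to step 2.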