How to add the TLS certificate to the Java trust store when running Bitbucket Server and Data Center in a Docker container


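Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15, 2024. If you are running a Server product, see the Atlassian Server end of support announcement page for your migration options.

*Except Fisheye and Crucible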

Summary

This article explains how to add the TLS certificate to the Java trust store when Bitbucket runs in a Docker container. When running a dockerized Bitbucket, the procedure to alter the Java trust store differs from the case where Bitbucket is started directly on the server.

Environment

Bitbucket 7.21.10, but also applicable to other versions.

Solution

To add a TLS certificate to the Java trust store inside a Docker container, copy the trust store out of the running container, add the required certificates to the copy, and re-run the Bitbucket container with the modified trust store mounted into it.

In the steps described below, paths are given as examples only, and you have to modify them for your setup!


  1. Get the original Java trust store from the running Bitbucket container by copying it out of the Docker container.
    An example command:

    docker cp <Bitbucket_Container>:/opt/java/openjdk/lib/security/cacerts /path/to/copy_of_cert_store
  2. Add all the certificates you need to the copy_of_cert_store trust store. You can do that manually using keytool on your workstation or on the server itself.
    Use the document How to import a public SSL certificate into a JVM as a guide for adding the certificate to a trust store.

    Warning: Be sure to use the keytool from the same JVM version as the one Bitbucket runs on inside the Docker container!

  3. Reconfigure your Docker container deployment or orchestration system to mount the external, modified trust store file into the Docker container, then restart the Bitbucket container.
    An example command to start Bitbucket in a Docker container with a mounted modified trust store:

    docker run -d \
        --name <Bitbucket_Container> \
        ...
        ...
        -v /path/to/copy_of_cert_store:/opt/java/openjdk/lib/security/cacerts \
        ...
        ...

When using this approach, you would have to repeat steps 1 and 2 only when you upgrade the container to a newer Bitbucket version.
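
The three steps above as one script, including a check for the keytool version warning in step 2. This is an added example, not Atlassian's code; the container name, certificate alias, the JDK default store password `changeit`, the read-only `:ro` mount option, and the assumption that the host's `java` and `keytool` come from the same JDK are not from the article.

```shell
#!/bin/sh
# Added example, not Atlassian's script. Assumptions: host java/keytool come
# from the same JDK, and the store uses the JDK default password "changeit".
CACERTS=/opt/java/openjdk/lib/security/cacerts   # in-container path from the article
STOREPASS=${STOREPASS:-changeit}

# Print the major Java version found in `java -version` output ("1.8.0_x" -> 8).
java_major() (
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case $v in 1.*) v=${v#1.} ;; esac
    v=${v%%[!0-9]*}
    [ -n "$v" ] && echo "$v"
)

# Succeed only if host and container run the same major Java version.
check_same_jvm() (
    host=$(java_major "$(java -version 2>&1)") || exit 1
    cont=$(java_major "$(docker exec "$1" /opt/java/openjdk/bin/java -version 2>&1)") || exit 1
    [ "$host" = "$cont" ] && exit 0
    echo "host Java $host differs from container Java $cont" >&2
    exit 1
)

# Steps 1 and 2: copy the store out, import one certificate, confirm the alias.
build_trust_store() (
    container=$1 cert=$2 certalias=$3 out=$4
    check_same_jvm "$container" || exit 1
    docker cp "$container:$CACERTS" "$out" || exit 1
    # Print the fingerprint so it can be compared with the issuer's published value.
    keytool -printcert -file "$cert" | grep 'SHA256' >&2 || true
    keytool -importcert -noprompt -trustcacerts -alias "$certalias" \
        -file "$cert" -keystore "$out" -storepass "$STOREPASS" || exit 1
    keytool -list -alias "$certalias" -keystore "$out" -storepass "$STOREPASS" >/dev/null
)

# Step 3: the -v option for `docker run`; ":ro" (read-only) is an added hardening.
mount_flag() { echo "-v $1:$CACERTS:ro"; }

# Usage: sh build-store.sh <container> <cert.pem> <alias> </abs/path/to/copy_of_cert_store>
if [ "$#" -eq 4 ]; then
    build_trust_store "$@" && echo "start Bitbucket with: $(mount_flag "$4")"
fi
```

Because `-noprompt` skips keytool's interactive trust confirmation, compare the printed SHA-256 fingerprint with the value published by the certificate's issuer before mounting the store.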



Last updated: January 3, 2024