Re: [PR] KNOX-3333 - Update Letsencrypt staging certs [knox]

Wed, 03 Jun 2026 05:35:10 -0700 


smolnar82 commented on code in PR #1244:
URL: https://github.com/apache/knox/pull/1244#discussion_r3348468632


##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -247,7 +287,16 @@ do
     fi
 done
 
-export KNOX_GATEWAY_DBG_OPTS="${KNOX_GATEWAY_DBG_OPTS} 
-Djavax.net.ssl.trustStore=${KEYSTORE_DIR}/truststore.jks 
-Djavax.net.ssl.trustStorePassword=${ALIAS_PASSPHRASE}"
+# To avoid leaking password into the process command line 
+# we pass the trust options through a 0600 Java argument file. 
+# Java launcher expands @file after exec, so only "@<path>" appears in the 
process args.
+TRUSTSTORE_JVM_OPTS_FILE="${KEYSTORE_DIR}/truststore-jvm.options"
+cat > "${TRUSTSTORE_JVM_OPTS_FILE}" <<EOF
+-Djavax.net.ssl.trustStore=${KEYSTORE_DIR}/truststore.jks
+-Djavax.net.ssl.trustStorePassword="${ALIAS_PASSPHRASE}"
+EOF
+chmod 600 "${TRUSTSTORE_JVM_OPTS_FILE}"

Review Comment:
   This is a nice addition, I like that a lot :)



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -30,6 +30,9 @@
 # - DATABASE_CONNECTION_PASSWORD - (optional) gateway database password
 # - DATABASE_CONNECTION_TRUSTSTORE_PASSWORD - (optional) gateway database ssl 
truststore password
 # - CUSTOM_CERT - (optional) the location of a file containing the custom certs
+# - IMPORT_DEFAULT_STAGING_CERTS - (optional) when 'true' (default), download 
Let's Encrypt staging root

Review Comment:
   I'd call this ENV variable `IMPORT_LETS_ENCRYPT_STAGING_CERTS` (to be honest 
the `DEFAULT` word inside made me think what this is about).
   Additionally: you indicate the default is `true`, but this isn't the case 
(see below, line 47 sets it to `false` if not configured).



##########
gateway-docker/src/main/resources/docker/gateway-entrypoint.sh:
##########
@@ -76,6 +82,27 @@ importMultipleCerts() {
   return "$import_failed"
 }
 
+## Download Let's Encrypt staging root CAs (best-effort) when 
IMPORT_DEFAULT_STAGING_CERTS is true.
+downloadDefaultStagingCerts() {

Review Comment:
   `downloadLetEncryptStagingCerts` maybe?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to