Docker and SSL connections

Forgive me for any perceived frustration, but I honestly think this should be easier.

I've used Flyway for many years, and I am currently in a situation where I have an RDS Aurora server in a locked down VPC, so any migration needed must take place using a CodeBuild project in the VPC. Also, that RDS will only accept TLS connections due to compliance requirements. I have a separate and similar configuration that doesn't need TLS, and I have Flyway running fine using the off-the-shelf Docker container.

However, getting a secure connection to the database for migration using the standard Docker container is not possible. In order to do so, it is necessary to build a NEW container to insert certificates into the Java keystore. I have run across several folks trying to explain how to do this (including the one recommended by Redgate: https://www.joaorosa.io/2019/01/13/using-flyway-and-gitlab-to-deploy-a-mysql-database-to-aws-rds-securely/), and have also followed the description here (https://documentation.red-gate.com/fd/ssl-support-184127478.html), and nothing seems to be working. What's more frustrating in my case is that I don't really know Java that well, especially managing certs in their native system. I would expect that with a Docker container, I wouldn't have to.

I've narrowed this down to two different conditions - using the default keystore (of which I don't have the password), and a new keystore that gives a fairly common error for which I have yet to find the magic command. These are from my Dockerfile:

Default keystore (I don't know the password):

    # Import the RDS CA bundle into the truststore that ships with the JDK.
    # A stock JDK ships cacerts with the password "changeit"; "popcorn" is not it,
    # which is what the "password was incorrect" error below is reporting.
    RUN $JAVA_HOME/bin/keytool -keystore $JAVA_HOME/lib/security/cacerts -storepass popcorn -noprompt -trustcacerts -alias "rds-ca-bundle" -import -file ./rds-ca-bundle.pem

Error:

    Warning: use -cacerts option to access cacerts keystore
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Custom keystore:

    # Create a new truststore (keytool creates the file if it does not exist) and
    # import the RDS CA bundle into it under a single alias.
    RUN $JAVA_HOME/bin/keytool -keystore $JAVA_HOME/rds_ca_keystore -storepass popcorn -noprompt -trustcacerts -alias "rds-ca-bundle" -import -file ./rds-ca-bundle.pem
    # Point the JVM at the new truststore; the Flyway CLI launcher passes JAVA_ARGS to java.
    ENV JAVA_ARGS=-Djavax.net.ssl.trustStore=$JAVA_HOME/rds_ca_keystore -Djavax.net.ssl.trustStorePassword=popcorn

Error:

    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Thanks for any help you can provide. It would be nice to include the .pem that AWS provides via a volume. I see that there was a PR created last year that attempts to fix this, but it appears to be dormant. I would also state that I can't see my case being unusual. Aren't cloud-based DBs and TLS connections on the rise?

Thanks.
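The script below is an added example, not code from the original post, from Redgate or from the Flyway project. It builds a dedicated truststore from the AWS RDS CA bundle the way the Dockerfile above attempts, with two differences that matter for this failure: the bundle is split and every certificate is imported under its own alias, because keytool's -importcert reads only the first certificate in a file (a bundle imported under one alias keeps exactly one CA and drops the rest), and the finished store is listed to confirm it is non-empty, which is the condition the "trustAnchors parameter must be non-empty" error describes (the JVM found no trusted certificates at the configured path). The output paths, the alias prefix and the reuse of the post's store password "popcorn" are assumptions; the sample bundle embedded in the script is constructed and contains no real certificates, so keytool is only invoked when a real bundle path (for example AWS's rds-ca-bundle.pem) is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post, Redgate or Flyway): build a dedicated
# Java truststore from the multi-certificate AWS RDS CA bundle. The sample bundle
# below is constructed and contains no real certificates; keytool is only run when
# a real bundle path is given as $1. The password "popcorn" is reused from the post.
set -eu

# Write one file per certificate (cert-1.pem, cert-2.pem, ...) into $2 and print
# the number of certificates found. keytool -importcert reads only the FIRST
# certificate in a file, so importing a bundle under a single alias silently
# drops every CA after the first one; the bundle has to be split first.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every split certificate into a fresh JKS store, each under a unique alias
# (keytool refuses a second import under an alias that already exists). JKS is
# chosen because every JDK from 8 onwards can read it. Prints the number of trusted
# entries the store ends up with: zero here is exactly what the JVM later reports
# as "the trustAnchors parameter must be non-empty".
import_bundle() {
    certdir="$1"; store="$2"; storepass="$3"
    for cert in "$certdir"/cert-*.pem; do
        alias="rds-ca-$(basename "$cert" .pem)"
        keytool -importcert -noprompt -trustcacerts -storetype JKS \
            -keystore "$store" -storepass "$storepass" \
            -alias "$alias" -file "$cert" >/dev/null
    done
    keytool -list -keystore "$store" -storepass "$storepass" | grep -c trustedCertEntry || true
}

# Constructed stand-in for rds-ca-bundle.pem: two PEM-framed blocks with dummy
# bodies, enough to exercise the splitter but not parseable by keytool.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAone
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAtwo
-----END CERTIFICATE-----
EOF
}

workdir=$(mktemp -d)
if [ -n "${1:-}" ]; then
    bundle="$1"                       # real bundle, e.g. AWS's rds-ca-bundle.pem
else
    bundle="$workdir/sample-bundle.pem"; make_sample_bundle "$bundle"
fi

count=$(split_pem_bundle "$bundle" "$workdir/certs")
echo "$bundle: $count certificate(s) split into $workdir/certs"

if [ -n "${1:-}" ] && command -v keytool >/dev/null 2>&1; then
    store="$workdir/rds-truststore.jks"
    entries=$(import_bundle "$workdir/certs" "$store" popcorn)
    echo "$store holds $entries trusted certificate(s)"
    echo "JAVA_ARGS=-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=popcorn"
fi
```

Run it as `sh build-truststore.sh /path/to/rds-ca-bundle.pem` on a machine with a JDK, then either COPY the resulting .jks into an image derived from the Flyway image and set JAVA_ARGS as in the post, or mount it into the stock container with `-v` and pass the same JAVA_ARGS with `-e`, which works when the container's entrypoint is the standard Flyway launcher script that reads that variable. Two caveats worth checking before touching keystores at all (assumptions about the driver in use, since the post does not name the Aurora engine): MySQL Connector/J accepts `sslMode=VERIFY_CA&trustCertificateKeyStoreUrl=file:/path/rds-truststore.jks&trustCertificateKeyStorePassword=popcorn` directly in the JDBC URL, so no JVM-wide property is needed, and the PostgreSQL JDBC driver takes the PEM as-is via `sslmode=verify-full&sslrootcert=/path/rds-ca-bundle.pem`, which removes the keystore step entirely and lets the .pem be supplied through a volume as the post proposes.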

Answers

  • Not at all cajund, I can empathise, modifying a pre-existing Docker image isn't as straightforward as one would hope!

    Our doc on SSL support is admittedly much more useful in a native environment rather than a prepackaged one. I'm not familiar with the joaorosa article, but having read it showing a modified Dockerfile, I'd conclude that, at minimum, that required recomposing the Docker image, which isn't the sort of minor edit I anticipate most people would be looking for.

    I feel like it should be possible to introduce a Docker entrypoint to sideload the required cert, but I don't know for sure, I'll investigate and let you know what I find.
    Kind regards
    Peter Laws | Redgate Software
    Have you visited our Help Center?
  • cajund (Posts: 5, New member)
    Thanks for your help. This is from last year:


    I think it's headed in the right direction, but doesn't work as is. My attempt was even simpler than this one. No dice.

  • Ah thank you, I can see from that issue's history that some of the devs who would likely perform this work have also acted on it, so I'll discuss this with them and then come back to you.
    Kind regards
    Peter Laws | Redgate Software
    Have you visited our Help Center?
