What are the platform requirements to use aws-c-io?

[ghilainm]

Hello,

I am trying to use the aws-crt-client in my Java application. However, while it works locally, I can't make it work in some container, depending on the base image used. What are the requirements in term of packages/libraries to have a compliant docker image?

With ghcr.io/bell-sw/liberica-runtime-container:jre-23-cds-glibc as base image it works fine. With the slim version ghcr.io/bell-sw/liberica-runtime-container:jre-23-cds-slim-glibc it does not.

I have tried to tune the slim version to include openssl which I though was the only dependency but that's only a guess. Sorry in advance if my question is a bit naive :).

Here is the Dockerfile I have used to try to fix the issue.

# Stage 1: Build with OpenSSL from Alpine
FROM ghcr.io/bell-sw/liberica-runtime-container:jre-23-cds-glibc as builder

FROM ghcr.io/bell-sw/liberica-runtime-container:jre-23-cds-slim-glibc

COPY /build/libs/app.jar /app/build/libs/app.jar
COPY aws-root-cas.pem /etc/ssl/certs/aws-root-cas.pem

# Create lib and include folders
RUN mkdir -p /usr/lib /usr/include

# Copy OpenSSL libs and headers
COPY --from=builder /usr/lib/libssl.so.3 /usr/lib/
COPY --from=builder /usr/lib/libcrypto.so* /usr/lib/

RUN ldconfig

ENV AWS_CA_BUNDLE=/etc/ssl/certs/$awsRootCasFinalName
ENV AWS_REGION=us-east-1
ENV _JAVA_OPTIONS="-Daws.crt.debugnative=true -Daws.crt.log.destination=Stdout -Daws.crt.log.level=Trace"

ENTRYPOINT ["java", "-jar", "/app/build/libs/app.jar"]

With this container I always ends up with the following error when trying to inialialize the TLS connection:

id=0x7fc87c001d00: negotiation failed with error Certificate is untrusted (Error encountered in /codebuild/output/src1861706884/src/aws-crt-java/crt/s2n/tls/s2n_x509_validator.c:724)

While with the non-slim image, I don't have any issue.

[waahm7]

What are the requirements in term of packages/libraries to have a compliant docker image?

There are no explicit requirements. AWS-CRT-Java packages Aws-lc on Linux and doesn't need OpenSSL to work.

AWS-CRT-Java doesn't use the Java trust store. See https://github.com/awslabs/aws-crt-java?tab=readme-ov-file#tls-behavior. Something like

ENV AWS_CA_BUNDLE=/etc/ssl/certs/$awsRootCasFinalName

will not work. You will need to add the cert to the OS trust store with something like update-ca-certificates

[ghilainm]

@waahm7 Thanks for your answer, how do you explain then that it does not work with the slim version ? There must be something missing isn’t it?

[waahm7]

My guess would be that slim version is missing properly configured ca-certificates.

[ghilainm]

@waahm7 i configured them in the same way on both version, I could verify it works fine as I have a different error message if I don’t configure them.

[waahm7]

Did you try running update-ca-certificates as suggested?

[ghilainm]

Hello @waahm7, you were right the AWS_CA_BUNDLE is indeed ignored. I was tricked by the fact those cert are by default available in standard ubuntu/non-slim images.

As the command you mentionned is not available in my setup I could not run it but I did this instead in my Dockerfile which was working fine.

# Deleted all useless cert and copy only AWS trusted repository ones.
RUN rm /etc/ssl/certs/*
COPY aws-root-cas.pem /etc/ssl/certs/ca-certificates.crt