Setting up Jetty Runner with custom cert in docker buildfile

I am currently building a Dockerfile for our Java webapp, and I have a problem: you need to use your own .crt certificate to log over SSL with logstash-logback-forwarder, while the webapp itself also needs to make SSL connections (a SOAP-over-SSL connection). The point is, I can get logging over SSL working, and the webapp can reliably use the SOAP API (it has always been able to), but I cannot do both at the same time.

For starters, here are the relevant parts of my docker build file

ADD logstash-forwarder.crt /root/logstash-forwarder.crt
RUN (cd /root && /usr/java/latest/bin/keytool -import -file logstash-forwarder.crt -alias logstash -storepass SOMEPASS -noprompt -keystore logstash.keystore)


This adds the .crt file and then uses keytool to import it into a keystore. I am using logstash-logback-forwarder, which uses the standard SSLSocketFactory

(i.e. https://github.com/logstash/logstash-logback-encoder/blob/master/src/main/java/net/logstash/logback/appender/SSLLogstashTcpSocketAppender.java )

Then I start my Java site (via jetty-webrunner) using this command:

CMD java -Dlogback.configurationFile=/root/logback.xml \
  -Djavax.net.ssl.keyStorePassword=SOMEPASS \
  -Djavax.net.ssl.keyStoreType=pkcs12 \
  -Djavax.net.ssl.trustStoreType=jks \
  -Djavax.net.ssl.trustStore=logstash.keystore \
  -Djavax.net.ssl.trustStorePassword=SOMEPASS \
  -server -ea -XX:+UseConcMarkSweepGC \
  -XX:+CMSClassUnloadingEnabled \
  -Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \
  --port 8080 \
  --lib "/root/lib" \
  --config jetty.xml \
  jetty-web.xml


Now, with the above command, secure logging over SSL works fine; the problem is that the web application can no longer securely connect to the SOAP API it needs to use. I get the following error (from the Java stack trace):

AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode: 
 faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 faultActor: 
 faultNode: 
 faultDetail: 
    {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:871)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)


Now, if I remove SSL completely (obviously the logging will then stop working) like this:

CMD java -Dlogback.configurationFile=/root/logback.xml \
  -server -ea -XX:+UseConcMarkSweepGC \
  -XX:+CMSClassUnloadingEnabled \
  -Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \
  --port 8080 \
  --lib "/root/lib" \
  --config jetty.xml \
  jetty-web.xml


the SOAP calls over SSL via Axis work fine, but SSL logging does not. I know you can merge keystores using keytool, but I haven't gone down that road (it's a lot more complicated than passing a single .crt file via a flag, which is all most non-Java applications need). How would you set up the keystore import so that both work correctly (and what would the equivalent Docker commands be)?

JDK 8 is running on the server
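The `-Djavax.net.ssl.trustStore` flag replaces the JVM's default trust store (the JDK's `cacerts` bundle) rather than adding to it. Pointing it at a store that contains only the logstash-forwarder certificate therefore leaves every public CA untrusted, which is exactly the PKIX "unable to find valid certification path to requested target" failure in the Axis stack trace above. The usual fix is to build one trust store that holds both. The Dockerfile below is an added example, not the original post's Dockerfile: it copies the JDK's `cacerts`, imports the forwarder certificate into the copy, verifies the import, and points the JVM at the merged store. Assumed, because the post does not show them: the base image name (a placeholder), `JAVA_HOME=/usr/java/latest` (inferred from the post's `/usr/java/latest/bin/keytool`), the JDK 8 location `jre/lib/security/cacerts`, the JDK's well-known default `cacerts` password `changeit`, and the `SOMEPASS` store password reused from the post.

```dockerfile
# Added example (not the original post's Dockerfile). Assumptions:
#   * the base image name below is a placeholder for the image the post uses
#   * JAVA_HOME is /usr/java/latest (the post runs /usr/java/latest/bin/keytool)
#   * JDK 8 layout: the default CA bundle is $JAVA_HOME/jre/lib/security/cacerts,
#     shipped with the well-known password "changeit"
#   * SOMEPASS is the same store password the post uses
FROM your-jdk8-base-image

ENV JAVA_HOME=/usr/java/latest \
    TRUST_STORE=/root/combined.truststore \
    TRUST_PASS=SOMEPASS

COPY logstash-forwarder.crt /root/logstash-forwarder.crt

# Build ONE trust store holding both the JDK's public CAs and the private
# logstash-forwarder certificate. Starting from a copy of cacerts is what keeps
# the SOAP endpoint's CA trusted; -storepasswd re-keys the copy away from the
# default "changeit"; the final -list fails the build if the import was lost.
RUN cp "$JAVA_HOME/jre/lib/security/cacerts" "$TRUST_STORE" \
 && "$JAVA_HOME/bin/keytool" -storepasswd -keystore "$TRUST_STORE" \
        -storepass changeit -new "$TRUST_PASS" \
 && "$JAVA_HOME/bin/keytool" -importcert -noprompt \
        -alias logstash -file /root/logstash-forwarder.crt \
        -keystore "$TRUST_STORE" -storepass "$TRUST_PASS" \
 && "$JAVA_HOME/bin/keytool" -list -keystore "$TRUST_STORE" \
        -storepass "$TRUST_PASS" -alias logstash

# Point the JVM at the merged store by absolute path, so it does not depend on
# the working directory. Only trustStore flags are set: the post's keytool step
# imports a certificate to trust, not a client key, so the keyStore flags are
# left out unless the forwarder requires client-certificate authentication.
# Note: no whitespace after the continuation backslashes, or the command breaks.
CMD java -Dlogback.configurationFile=/root/logback.xml \
  -Djavax.net.ssl.trustStore="$TRUST_STORE" \
  -Djavax.net.ssl.trustStoreType=jks \
  -Djavax.net.ssl.trustStorePassword="$TRUST_PASS" \
  -server -ea -XX:+UseConcMarkSweepGC \
  -XX:+CMSClassUnloadingEnabled \
  -Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \
  --port 8080 \
  --lib "/root/lib" \
  --config jetty.xml \
  jetty-web.xml
```

Two caveats a practitioner should keep in mind. First, the store password ends up in the image metadata (`ENV`) and in the layer history of the `RUN` line, just as the post's `-storepass SOMEPASS` does; for a trust store that holds only public certificates this protects integrity, not confidentiality, so treat it as such and do not reuse a password that guards private keys. Second, copying `cacerts` at build time freezes the CA set: when the base JDK ships CA updates, the image must be rebuilt for the merged store to pick them up.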
