openssl 无法在 AWS ECS 容器上创建或写入 p12 文件

Question

I have two docker images, one is a base image and the other uses the base image to create a more specific image for a Java microservice.

The base image calls an entrypoint bash script, which in turn calls a Python script. I wasn't involved in the initial setup of this so can't comment on why it is done this way, but it spins up the microservice fine so there is no issue with it as it is.

However in the Python script I am now trying to add some extra Java SSL parameters to support HTTPS traffic. I'm quite new to this but others in my company have done a similar thing which has worked.

In my Python script I'm running openssl to create cert files, using AWS SSM parameters for the content. openssl should then output a "bundle.p12" file, collection of the certs.

What I'm finding is that the script cannot create this bundle.p12 file. I have since tried having a blank bundle.p12 file already on the container, but then it cannot write to it, ie it remains blank.

subprocess.run(['sudo', 'openssl', 'pkcs12', '-export', '-password', 'env:PASSWORD', '-in', './microservice/cloudwild.crt', '-certfile', './microservice/cloudchain.pem', '-inkey' ,'./microservice/cloudwild.key', '-name', 'bundle', '-out', './microservice/bundle.p12'])
subprocess.run(['ls','-la','./microservice'])
subprocess.run(['keytool', '-importkeystore', '-noprompt', '-deststorepass', '$PASSWORD', '-srcstorepass', '$KEYSTORE_PASSWORD', '-destkeystore', './microservice/keystore.p12', '-deststoretype', 'pkcs12', '-srckeystore', './microservice/bundle.p12', '-srcstoretype', 'PKCS12'])

The ls -la command after openssl shows that bundle.p12 is still 0 bytes. keytool then throws an error saying the p12 file exists, but is blank.

So the issue appears to be openssl and what looks like permissions. However in the base image dockerfile I am setting the whole folder the p12 file is in, and the p12 file itself, to a user "bob" and switching to that user prior to calling the entrypoint bash script (which calls the python script).

I'm not sure what the issue could be here, whether it's to do with having two images involved, it being on a container, or something around the p12 file permissions.

If I run the same openssl and keytool commands locally, it works fine and puts the bundle of certs in the keystore.

I appreciate I have left some other specifics of code out (dockerfile for example) so can share these if needed, but hoping someone has a broader opinion on what could be the problem with editing the p12 file.

Answer 1

My issue here was the paths for the cert files and p12 file. I had to use os.path.join to pass the paths in that way.