Hence imported the self-signed certificate of HTTPS external URL into Docker container's JRE cacert keystore.

因此将 HTTPS 外部 URL 的自签名证书导入到 Docker 容器的 JRE cacert 密钥库中。

No: you need to import it into the Docker imagefrom which you run your container.

否：您需要将其导入到运行容器的 Docker映像中。

Importing it into the container would only create a temporary writable data layer, which will be discarded when you restart your container.

将其导入容器只会创建一个临时的可写数据层，当您重新启动容器时，它将被丢弃。

Something like this answer:

像这样的答案：

USER root
COPY ldap.cer $JAVA_HOME/jre/lib/security
RUN \
    cd $JAVA_HOME/jre/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer

For using already configured java based containers like jenkins, sonarqubeor nexus(e. g. if you run your own build server) I find it more convenient to mount a suitable cacerts-file into these containers with a parameter for docker run .

对于使用已经配置的基于 Java 的容器，如jenkins、sonarqube或nexus（例如，如果您运行自己的构建服务器），我发现将合适的cacerts文件挂载到这些容器中并带有 docker run 参数更方便。

I use the cacertsfile from openjdkas base:

我使用cacerts来自openjdk的文件作为基础：

1. extracting cacertsfrom openjdkimage using a temporary container:

1. 使用临时容器cacerts从openjdk图像中提取：

docker pull openjdk:latest
docker run --rm --entrypoint cat openjdk:latest /etc/ssl/certs/java/cacerts > cacerts

2. adding certificate to the extracted cacertsusing a temporary container started from the same folder which also contains ldap.cer:

2. cacerts使用从同一文件夹启动的临时容器向提取的证书添加证书，该文件夹还包含ldap.cer：

docker run --rm -v `pwd`:/tmp/certs openjdk:latest bash -c 'cd /tmp/certs && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias buenting-root -file ldap.cer'

3. run your target docker container(s) mounting the extracted cacertswith a run-parameter, e. g. for sonarqube:

3. 运行您的目标 docker 容器cacerts，使用运行参数安装提取的内容，例如sonarqube：

docker run ... -v /path/to/your/prepared/cacerts:/etc/ssl/certs/java/cacerts:ro ... sonarqube:lts

If there is a new version of openjdkyou can update the cacerts-file on the host with commands from 1. and 2.

如果有新版本的openjdk，您可以cacerts使用 1. 和 2 中的命令更新主机上的 -file。

For updating the target image (e. g. sonarqube) you do not need to create your own image using Dockerfileand docker build.

要更新目标图像（例如sonarqube），您不需要使用Dockerfile和创建自己的图像docker build。

Here is my solution that worked for me within an image based on OpenJDK Java 11.

这是我在基于OpenJDK Java 11的图像中对我有用的解决方案。

The very first thing to mention that use can use either JDK image or JRE with required ca-certificates-javainstalled for the second choice

首先要提到的是，使用可以使用 JDK 映像或 JRE 并ca-certificates-java为第二选择安装所需

Here is the solution for JDK based image:

以下是基于 JDK 的映像的解决方案：

FROM openjdk:11-jdk-slim
WORKDIR /opt/workdir/

#.crt file in the same folder as your Dockerfile
ARG CERT="certificate.crt"

#import cert into java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt

...

And here is JREbased image:

这是基于JRE的图像：

FROM openjdk:11-jre-slim
WORKDIR /opt/workdir/

#installing ca-certificates-java to import the certificate
RUN mkdir -p /usr/share/man/man1 \
    && apt-get update \
    && apt-get install -y ca-certificates-java

#.crt file in the same folder as your Dockerfile
ARG CERT="certificate.crt"

#import cert into java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt

...