SunCertPathBuilderException at image amazoncorretto:21

[raphaeljpb]

I'm having problems to add a custom certificate to Java Cacerts. It works at image amazoncorretto:21.0.2-al2023-headless, but throws exception at image amazoncorretto:21. I'm using keytool to import the certificate. Is the any difference between the two images related to keytool and cacert management ?

amazoncorreto:21

sijurel | javax.net.ssl|ERROR|A2|http-nio-7070-exec-1|2024-02-20 15:18:47.664 BRT|TransportContext.java:370|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
sijurel | "throwable" : {
sijurel | sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sijurel | at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)

amazoncorretto:21.0.2-al2023-headless

sijurel | 14:10:29 DEBUG - jdk.event.security : ValidationChain: 3822549688, 2605480992
sijurel | 14:10:29 DEBUG - jdk.event.security : X509Certificate: Alg:SHA1withRSA, Serial:ce7e0e517d846fe8fe560fc1bf03039, Subject:CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Issuer:CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, Key type:RSA, Length:2048, Cert Id:3434562768, Valid from:11/9/06, 9:00 PM, Valid until:11/9/31, 9:00 PM
.....

[lutkerd]

The images contain a different set of certificates in the keystore. The amazoncorretto:21 has all of the certificates from Amazon Linux 2 as well as those from upstream OpenJDK, amazoncorretto:21.0.2-al2023-headless only contains the certificates from Amazon Linux 2023. The error seems to say that some intermediate certificates in the chain are missing and those should be added before adding this certificate that is failing.