Fix CA certificate processing when a certificate is a symlink (#558)

Usually, a certificate in a mount will be a regular file. However in some environments, like when providing certificates via a `ConfigMap` in a Kubernetes context, the certificate file will be a symlink. Our CA certificate processing copies certificate files to a new location and since the symlink targets are hidden files in the same directory, those do not get copied along and symlinks could become broken. This patch dereferences symlinks when copying to avoid broken links. Signed-off-by: Nikolai Prokoschenko <[email protected]> Co-authored-by: Martijn Verburg <[email protected]>
adoptium · May 15, 2024 · be58348 · be58348
1 parent ea6cc98
commit be58348
Show file tree

Hide file tree

Showing 49 changed files with 153 additions and 89 deletions.
diff --git a/.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.crt b/.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRTCCAi2gAwIBAgIUIfl8I/yasxlsTEc30PLLRuleiCswDQYJKoZIhvcNAQEL
+BQAwMTEXMBUGCgmSJomT8ixkARkWB1RlbXVyaW4xFjAUBgNVBAMMDURvY2tlckJ1
+aWxkZXIwIBcNMjMwNjEyMTgyNDE1WhgPMzAwMzA4MTQxODI0MTVaMDExFzAVBgoJ
+kiaJk/IsZAEZFgdUZW11cmluMRYwFAYDVQQDDA1Eb2NrZXJCdWlsZGVyMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArfOgmluNXEIE7BWvt7jGgdZW/y5s
+N78FcpZdM8Z2FatvjJKvNmJ9OkkkOSNBhGKAWpHn19JMNdQ2nEmTHMetg0hiSqRI
+hBceAY4lDfOzxAyZGGpVzL9U1B9mOrX5O3EedF5AVvl0NZVjEwswuGaUa3zZBAKy
+Z5Vv/z8Lw2uYIs/dtw8lcpEAb78BZ8bAhhhl+X+tTGK8agibLGQJT9l/JxS3pXyw
+me4YaKQQRgvuqOTEt+x+0aA5E2EUTOGq0Li+i1ranf6ou5Dz/Y6LtXwT/j2bf4ZR
+w2YHpYZL54UEtMWES2KAjsZ3u4DCxUIEfW8EgxUIhcepIDP1h05A3fSiWQIDAQAB
+o1MwUTAdBgNVHQ4EFgQUr0VirSzDQTuNgGjDxRkxPFrjUKcwHwYDVR0jBBgwFoAU
+r0VirSzDQTuNgGjDxRkxPFrjUKcwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEAlo6ZSAIKSUWqRygyNg9oWuLGfWMW//dZjU1MKBYVpM4Mry/aMD5d
+kMQj9hm+zXhNYN01yLh/cdPKCQ/r1KP6lmCtZHp50Xe8HEnIymRYx0KMAcqYLjnT
+DXwCPqtWvJ1do65vVJRN70CuF8T1JNFhPdirrAiuU7bhGPABfnbek7yNkTYgUSdb
+WpV/WOFPh9Dl24vNl1/Cti+pQThlCgHF/+dVndFHN9FOOG8k8ohYkLwL+ZzKfOiZ
+CVWn2mWk2EhcuTlg/3zkXmwjfzFTdXMhS1sdfJNReaY/omJ91euxB0c8iYZV4wuU
+ghx+GJ14nO7RJNHNX4k+BBPxy3f56+cYrg==
+-----END CERTIFICATE-----
diff --git a/.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.key b/.test/tests/java-ca-certificates-update/certs_symlink/.dockerbuilder.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCt86CaW41cQgTs
+Fa+3uMaB1lb/Lmw3vwVyll0zxnYVq2+Mkq82Yn06SSQ5I0GEYoBakefX0kw11Dac
+SZMcx62DSGJKpEiEFx4BjiUN87PEDJkYalXMv1TUH2Y6tfk7cR50XkBW+XQ1lWMT
+CzC4ZpRrfNkEArJnlW//PwvDa5giz923DyVykQBvvwFnxsCGGGX5f61MYrxqCJss
+ZAlP2X8nFLelfLCZ7hhopBBGC+6o5MS37H7RoDkTYRRM4arQuL6LWtqd/qi7kPP9
+jou1fBP+PZt/hlHDZgelhkvnhQS0xYRLYoCOxne7gMLFQgR9bwSDFQiFx6kgM/WH
+TkDd9KJZAgMBAAECggEAAi4knsKpKn/xAATZO2LaFBcGZ0ji64Od/cduMB+w67PG
+yxAsmNsnqX3GBzROq3+GOdG3LPCSastNNZduJq/HAuH69Ly15E1GNOvzQXHtmHZg
+SzAhVqwK6WS3sI0xgZdOSSmZl1glkXqyRPMV333OUZbn68GykD331c8UZpTi5tlx
+qdOSEWwXQyVXh2mTT8uWWvqJm8OVaSUEo0KPNhsfWliINAXaDvlFle18wb0sQvAK
+d/49VMmEoQMocHcXas5jVHZZzxwQ8gV+cA1nFOzOEOYX1IyHjJdfEUWT7Pa3LEjg
+rPjEe/KiA3X9mVmofRG0Gvl8YjMiUEOBF/p9hgUxfQKBgQDY3oBUpkwhy3lRw2nu
+PublbozVZi12hrEPIlqLSIda6i0hbCA2E5VBykuP7z0VnQOiHQWQPJ77BYEzR6xw
+Z/PoJJL8knxtqVg9FsQlcsseDNW2THp53vf/Fiy4t+GoJZ7yezVyYI7RzngDPnCw
+buiYUsd9+uKo8+Gs0fnZGSuRvQKBgQDNVrS2/A8NKRv/3cddNqEN4m16pVmAJg8G
+Ww7t40W9c/lPW2SBH7wpEUW37N3b8lv1A8L24nJSbqiMjIkFxWroeOeFFEzKWp9r
+BlFUu0kn5oAOI1NJOEOmjR9+SslDXetKDJpon60GYWJ8ke5jfaYUTEWIxUXRYOsX
+mg8+L2iGzQKBgQCrzWiAptU9GIJdoZ8znCUysKdlDvMJKJ7vzFlKagTAoy9pgMzr
+ygu9+NJvjikoDCEqti8IGt4fIjc+NpOG4PM6fm7rI+jqvvMmQfjVaeE7RxOuvVtx
+XI++RwTauOFNYbBPjAfFOnUqBJTSjQ6c1t/we/OJ+8y/56RqUlXKBMSdSQKBgQDD
+Wz2dZduwCq9/0/FL5qB9hDHiYJPxDsR2qIVgoDyGjWLhNDM/ggDTFYK+BNXi3wbL
+6aNAnZpkgLFM3puyaOtYd0bVXsXcMzG+cglI0tI76tlkGgmv/J6oQ1V2IxKuTBmB
+ntH8vgWwr1Ay8efasf0jDJmPERhmpo2kK8daw2Hv9QKBgAaxusMUdCSBu5YwI6u4
+6d0nN6WdY2aVcgQXbhJEpsaxT9KqN+LP5wZNf08hyUiO4zSrfVOapOS+10Ng1EYi
+YQi8SjQd5deIc/jKKT5k9lCRcfhDq7YQo5pZbUgzDDuxod0WduvBnrf4zAl+K32V
+1HI3wrgh88qBEGASVY8y6rDH
+-----END PRIVATE KEY-----
diff --git a/.test/tests/java-ca-certificates-update/certs_symlink/README.md b/.test/tests/java-ca-certificates-update/certs_symlink/README.md
@@ -0,0 +1 @@
+This certificate/key pair has been generated with `openssl req -nodes -new -x509 -days 358000 -subj "/DC=Temurin/CN=DockerBuilder" -keyout certs/dockerbuilder.key -out certs/dockerbuilder.crt` and is only used for testing
diff --git a/.test/tests/java-ca-certificates-update/certs_symlink/dockerbuilder.crt b/.test/tests/java-ca-certificates-update/certs_symlink/dockerbuilder.crt
@@ -0,0 +1 @@
+.dockerbuilder.crt
diff --git a/.test/tests/java-ca-certificates-update/expected-std-out.txt b/.test/tests/java-ca-certificates-update/expected-std-out.txt
@@ -1 +1 @@
-01010100010101010001
+010101000001010101000001
diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh
@@ -61,7 +61,14 @@ echo -n $?
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
 echo -n $?
 
-# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
 # CMD1 to succeed and CMD2 to fail.
 docker run --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null
 echo -n $?
@@ -98,7 +105,14 @@ echo -n $?
 docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$1" "${CMD2[@]}" >&/dev/null
 echo -n $?
 
-# Test run 5: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
+# Test run 5: Certificates are mounted and are symlinks (e.g. in Kubernetes as `Secret`s or `ConfigMap`s) and the
+# environment variable is set. We expect both CMD1 and CMD2 to succeed.
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" $CMD1 >&/dev/null
+echo -n $?
+docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs_symlink:/certificates "$1" "${CMD2[@]}" >&/dev/null
+echo -n $?
+
+# Test run 6: Certificates are mounted and the environment variable is set, but the entrypoint is overridden. We expect
 # CMD1 to succeed and CMD2 to fail.
 #
 docker run --read-only --user 1000:1000 -v /tmp --rm -e USE_SYSTEM_CA_CERTS=1 --volume=$testDir/certs:/certificates "$TESTIMAGE" $CMD1 >&/dev/null

diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jdk/centos/entrypoint.sh b/11/jdk/centos/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jre/centos/entrypoint.sh b/11/jre/centos/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jdk/centos/entrypoint.sh b/17/jdk/centos/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jre/centos/entrypoint.sh b/17/jre/centos/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi
 

diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh
@@ -58,12 +58,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then
 
             # UBI/CentOS
             if [ -d /usr/share/pki/ca-trust-source/anchors/ ]; then
-                cp -a /certificates/* /usr/share/pki/ca-trust-source/anchors/
+                cp -La /certificates/* /usr/share/pki/ca-trust-source/anchors/
             fi
 
             # Ubuntu/Alpine
             if [ -d /usr/local/share/ca-certificates/ ]; then
-                cp -a /certificates/* /usr/local/share/ca-certificates/
+                cp -La /certificates/* /usr/local/share/ca-certificates/
             fi
         fi