Actually, the underlying issue is that the built-in cacerts does not recognize a Digi-signed cert - it works in every web browser.
But no worries, I supposed I could just mount my trustStore wherever and make up a password - pretty clunky already, but doable:
-Djavax.net.ssl.trustStore=trustStore.jks \
-Djavax.net.ssl.trustStorePassword='change me'
butttt those flags don’t seem to work. I have run bash on the container and checked all my mounts, etc.
edit: I have found a workaround by literally mounting a file as $JAVA_HOME/lib/security/cacerts which is my trustStore - this is clunky because it relies on a priori knowledge of what JAVA_HOME is - and gives me low confidence that it will always be /opt/java/openjdk
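
Added example, not part of the original post: one way to avoid hard-coding JAVA_HOME is to ask the JVM itself for java.home and derive the default cacerts location from it, then add the missing CA to a copy of that store. The function names, the extra-ca alias, the constructed sample output and the use of the default store password changeit are assumptions.

```shell
#!/usr/bin/env bash
# Added example: locate the JVM's default trust store without hard-coding JAVA_HOME.

# Extract java.home from `java -XshowSettings:properties -version` output (read on stdin).
java_home_from_settings() {
  sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Default trust store location relative to java.home.
cacerts_path() {
  printf '%s/lib/security/cacerts\n' "${1%/}"
}

# Ask the JVM on PATH where it lives; the settings are printed on stderr.
resolve_cacerts() {
  local home
  home="$(java -XshowSettings:properties -version 2>&1 | java_home_from_settings)"
  [ -n "$home" ] || { echo "could not determine java.home" >&2; return 1; }
  cacerts_path "$home"
}

# Copy the default store and add one CA certificate to the copy.
# $1 = PEM file of the missing CA (hypothetical path), $2 = output store.
# Assumes the store still uses the default password "changeit".
build_truststore() {
  local src
  src="$(resolve_cacerts)" || return 1
  cp "$src" "$2" && chmod u+w "$2"
  keytool -importcert -noprompt -trustcacerts -alias extra-ca \
    -file "$1" -keystore "$2" -storepass changeit
}

# Constructed sample of the settings output, so the parsing can be run without a JVM.
SAMPLE_SETTINGS='Property settings:
    java.class.version = 61.0
    java.home = /opt/java/openjdk
    java.io.tmpdir = /tmp
openjdk version "17.0.9" 2023-10-17'

sample_cacerts() {
  cacerts_path "$(printf '%s\n' "$SAMPLE_SETTINGS" | java_home_from_settings)"
}

# Usage: script.sh build <ca.pem> <output-store>
if [ "${1:-}" = "build" ]; then build_truststore "$2" "$3"; fi
```

Run inside the container, resolve_cacerts prints the path the running JVM actually reads, which can be compared against the mount target.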