Gil Zellner

Reputation: 979

unable to add certificates to alpine linux container

I have a small python app inside an alpine linux container, here is the dockerfile:

FROM alpine

# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
    && pip2 install --upgrade pip \
    && pip2 install flask

# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py

# app dir
RUN mkdir ${APP_DIR} \
    && chown -R nginx:nginx ${APP_DIR} \
    && chmod 777 /run/ -R \
    && chmod 777 /root/ -R
VOLUME ${APP_DIR}
WORKDIR ${APP_DIR}

# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates

COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]

This worked fine 2 weeks ago, but when I tried to rebuild it recently I got this error:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping

so I checked those files, and found that for some reason the file ca-certificates.crt now has a chain of certificates. I found this on Stack Overflow:

/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.

but what changed? Why is this now a problem? So I tried reverting to an older version of Alpine Linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running

RUN update-ca-certificates

many certificates appear. Help?

Upvotes: 37

Views: 149603

Answers (6)

Azrrik

Reputation: 51

Even after adding the self-signed certs to /etc/ssl/certs/ca-certificates.crt, the @azure/openai library still refused to use them.

I had to add: ENV NODE_EXTRA_CA_CERTS=/usr/src/certs/cacert.pem to my Dockerfile to create the NODE_EXTRA_CA_CERTS env var.

Upvotes: 0

José Pulido

Reputation: 442

A little off topic because OP asked for help with Alpine, and I was using node:16 as the base image in my Dockerfile, but I would like to share my case just as a precedent. I was installing my RootCA properly, but beyond the "normal" warning my container was not taking the new certificate even when it was indexed in /etc/ssl/certs/ca-certificates.crt.

I had been struggling for 3 hours with this nonsensical bug, so I just moved to node:18-bullseye (or greater) and then the certificate installed properly.

Upvotes: 2

Konstantin

Reputation: 137

That’s how it works for me

ADD .docker/cert/root2022.cer /usr/local/share/ca-certificates/root2022.cer
RUN openssl x509 -inform PEM -in /usr/local/share/ca-certificates/root2022.cer -out /usr/local/share/ca-certificates/certificate.crt
RUN chmod 644 /usr/local/share/ca-certificates/certificate.crt && update-ca-certificates

Upvotes: 2

EclecticEgg

Reputation: 151

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping

OP mentioned two warnings, one of which concerns the pem file to be added. Only the first warning can be ignored. The second warning is caused by the pem file containing more than one certificate, which is entirely valid but handled poorly by update-ca-certificates.

Instead, you can append the cert file's contents directly:

cat ca-cert-mykey.pem.pem >> /etc/ssl/certs/ca-certificates.crt

Another use case for CI config:

echo "$ADDITIONAL_CA_CERT_BUNDLE" >> /etc/ssl/certs/ca-certificates.crt

Upvotes: 15
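The answer above appends the multi-certificate file straight into the bundle. The alternative that keeps update-ca-certificates happy is to split such a file into one-certificate files before running it, and while doing so to check the directory for anything it would skip. The script below is an added example, not code from the question or from any answer: the function names (count_pem_objects, split_pem_bundle, audit_ca_dir, make_samples) are mine, and the PEM bodies it creates are constructed placeholders rather than real certificates, so it runs offline without openssl. The audit also flags a private key sitting in the trust directory, which is what the COPY ./key.pem line in the question's Dockerfile produces and what the second warning (ca-cert-mykey.pem.pem) was really about.

```shell
#!/bin/sh
# Added example; not code from the question or from any answer on this page.
# Helpers for the situation discussed above:
#   split_pem_bundle : turn a multi-certificate PEM file into one-certificate
#                      files, which is what update-ca-certificates expects
#   audit_ca_dir     : report files in a ca-certificates directory that would be
#                      skipped (0 or 2+ blocks) or that must not be there (keys)
# All input is constructed for the demonstration; the PEM bodies are not real
# certificates, so nothing here needs openssl or network access.
set -eu

# count_pem_objects FILE: print the number of certificate/CRL blocks in FILE.
# This is the "exactly one certificate or CRL" rule behind the warning.
count_pem_objects() {
    grep -c -E '^-----BEGIN (CERTIFICATE|X509 CRL)-----' "$1" || true
}

# split_pem_bundle BUNDLE OUTDIR [PREFIX]: write OUTDIR/PREFIX-N.crt, one block
# per file (text outside BEGIN/END markers is dropped). Prints the file count.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=${3:-ca}
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN (CERTIFICATE|X509 CRL)-----/ { n++; out = dir "/" pre "-" n ".crt" }
        out != "" { print > out }
        /^-----END (CERTIFICATE|X509 CRL)-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# audit_ca_dir DIR: print one line per file update-ca-certificates would skip or
# that should never sit in a trust directory. Returns 0 only when DIR is clean.
audit_ca_dir() {
    dir=$1; problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -E '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "$f: private key, remove it (a trust store holds public certificates only)"
            problems=$((problems + 1))
            continue
        fi
        n=$(count_pem_objects "$f")
        if [ "$n" -ne 1 ]; then
            echo "$f: $n certificate/CRL blocks, update-ca-certificates would skip it"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# fake_pem TYPE BODY: emit a constructed PEM block (BODY is not real DER data).
fake_pem() {
    printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"
}

# make_samples DIR: create the constructed inputs used by demo:
#   bundle.pem  two certificates in one file, as the question's mycert.pem became
#   key.pem     a private key, which the question's Dockerfile copied next to it
make_samples() {
    mkdir -p "$1"
    { fake_pem CERTIFICATE "MIIBconstructedA=="; fake_pem CERTIFICATE "MIIBconstructedB=="; } > "$1/bundle.pem"
    fake_pem "PRIVATE KEY" "MIIEconstructedKey==" > "$1/key.pem"
}

# demo: run the before/after on a temporary directory and print the findings.
demo() {
    work=$(mktemp -d)
    make_samples "$work"
    mkdir -p "$work/ca"
    cp "$work/bundle.pem" "$work/key.pem" "$work/ca/"
    echo "== before (what the question's COPY lines produce):"
    audit_ca_dir "$work/ca" || true
    echo "== after (split the bundle, drop the key):"
    rm "$work/ca/bundle.pem" "$work/ca/key.pem"
    split_pem_bundle "$work/bundle.pem" "$work/ca" mycert >/dev/null
    audit_ca_dir "$work/ca" && echo "clean: every file holds exactly one certificate"
    rm -rf "$work"
}

demo
```

In a Dockerfile the same flow is a RUN step: split the bundle into /usr/local/share/ca-certificates/, run audit_ca_dir on that directory, and only then run update-ca-certificates. The first warning in the question (about ca-certificates.crt itself) will still appear, since the merged bundle can never contain exactly one certificate; the audit is there to make sure it is the only warning.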

In my case, I had to execute update-ca-certificates before adding any package. But it fails if /etc/ssl/certs/ doesn't exist.

So, I added RUN mkdir -p /etc/ssl/certs/ && update-ca-certificates to my Dockerfile before the RUN apk add ....

Upvotes: 2

armyofda12mnkeys

Reputation: 3442

I think below worked for me (I was adding a root certificate on blackfire/blackfire image which extends from alpine):

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* \
  && mkdir /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra
RUN update-ca-certificates

I then logged into that VM and saw it had added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe I heard it takes each cert file from inside /usr/local/share/ca-certificates and merges it into the /etc/ssl/certs/ca-certificates.crt file).

Now you will probably get that 'does not contain exactly one certificate or CRL: skipping' error, but I heard that is fine.

https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."

https://github.com/gliderlabs/docker-alpine/issues/52 mentions: "The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."

Upvotes: 30
