Reputation: 979
unable to add certificates to alpine linux container
I have a small python app inside an alpine linux container, here is the dockerfile:
FROM alpine
# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
&& pip2 install --upgrade pip \
&& pip2 install flask
# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py
# app dir
RUN mkdir ${APP_DIR} \
&& chown -R nginx:nginx ${APP_DIR} \
&& chmod 777 /run/ -R \
&& chmod 777 /root/ -R
VOLUME [${APP_DIR}]
WORKDIR ${APP_DIR}
# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]
This worked fine 2 weeks ago, but when i tried to rebuild it recently i got this error:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping
so I checked those files, and found that for some reason, now the file ca-certificates.crt now has a chain of certificates. I found this on stack overflow:
/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.
but what changed? why is this now a problem? So i tried reverting to an older version of alpine linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running
RUN update-ca-certificates
many certificates appear. help ?
Upvotes: 37
Views: 149603
Answers (6)
Reputation: 51
Even after adding the self-signed certs to /etc/ssl/certs/ca-certificates.crt, the @azure/openai library still refused to use them.
I had to add: ENV NODE_EXTRA_CA_CERTS=/usr/src/certs/cacert.pem to my Dockerfile to create the NODE_EXTRA_CA_CERTS env var.
Upvotes: 0
Reputation: 442
A little off topic because OP asked help for alpine, and I was using node:16 as base image in my dockerfile, but I would like to share my case just as a precedent. I was installing my RootCA properly, but beyond the "normal" warning my container was not taking the new certificate even when it was indexed in /etc/ssl/certs/ca-certificates.crt.
I was struggling since 3 hours ago with this no-sense bug; so, I just moved to node:18-bullseye (or greater) and then the certificate installed properly.
Upvotes: 2
Reputation: 137
That’s how it works for me
ADD .docker/cert/root2022.cer /usr/local/share/ca-certificates/root2022.cer
RUN openssl x509 -inform PEM -in /usr/local/share/ca-certificates/root2022.cer -out /usr/local/share/ca-certificates/certificate.crt
RUN chmod 644 /usr/local/share/ca-certificates/certificate.crt && update-ca-certificates
Upvotes: 2
Reputation: 151
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping
OP mentioned two warnings, which includes the pem file to be added. Only the first warning can be ignored. The second warning is caused by the pem file containing more than one certificate, which is entirely valid but handled poorly by update-ca-certificates.
Instead, you can append the cert file's contents directly:
cat ca-cert-mykey.pem.pem >> /etc/ssl/certs/ca-certificates.crt
Another use case for CI config:
echo "$ADDITIONAL_CA_CERT_BUNDLE" >> /etc/ssl/certs/ca-certificates.crt
Upvotes: 15
Reputation: 21
In my case, I had to execute the update-ca-certificates before add any package. But it fails if the /etc/ssl/certs/ doesn't exists.
So, I add RUN mkdir -p /etc/ssl/certs/ && update-ca-certificates on my Dockerfile before the RUN apk add ....
Upvotes: 2
Reputation: 3442
I think below worked for me (I was adding a root certificate on blackfire/blackfire image which extends from alpine):
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* \
mkdir /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra
RUN update-ca-certificates
I then logged into that VM and see it has added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe i heard it takes each cert file from inside /usr/local/share/ca-certificates and merges into the /etc/ssl/certs/ca-certificates.crt file).
Now you will get that 'does not contain exactly one certificate or CRL: skipping' error probably, but i heard that is fine.
https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."
https://github.com/gliderlabs/docker-alpine/issues/52
mentions:
"The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."
Upvotes: 30
Related Questions
- Why I get SSL errors while installing packages on Docker(on mac)?
- How to add trusted root CA to Docker alpine
- Docker build error: failed to add the host
- Alpine 3.8 Docker image: Enabling SSL on libmongoc
- Adding SSL certificates to Docker linux container
- How to specify and use a cert file during a docker build
- How can I install Docker inside an alpine container?
- How to run localhost with https in httpd alpine inside a Docker Container?
- How to pass the content of certificate generated to destination file
- Add certificate into Dockerfile (rhel7)