CODEWITHSUNDEEP
dockersslcertificatealpine-linuxman-in-the-middle
bedla.czech
bedla.czech

Reputation: 1239

How to add trusted root CA to Docker alpine

Suppose I am at network where there is MITM SSL swaping firewall (google.com is not issued by Google, but reissued by custom CA root authority) some more details here https://security.stackexchange.com/questions/107542/is-it-common-practice-for-companies-to-mitm-https-traffic .

I have simple Dockerfile:

FROM alpine:latest
RUN apk --no-cache add curl

It fails badly with error with SSL errors

 => ERROR [2/2] RUN apk --no-cache add curl                                                                                                                                    1.0s
------
 > [2/2] RUN apk --no-cache add curl:
#5 0.265 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.647 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.649 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.649 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.938 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.940 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.941 ERROR: unable to select packages:
#5 0.942   curl (no such package):
#5 0.942     required by: world[curl]
------
executor failed running [/bin/sh -c apk --no-cache add curl]: exit code: 1

Every tutorial at Internet says that I can add own "trusted" root certificate and run update-ca-certificates.

But it can be added by "apt add" only. This situation seems to me as "chicken-egg" problem.

FROM alpine:latest
USER root
RUN apk --no-cache add ca-certificates \
  && update-ca-certificates

Error is similar

=> ERROR [2/2] RUN apk --no-cache add ca-certificates   && update-ca-certificates                                                                                             1.0s
------
 > [2/2] RUN apk --no-cache add ca-certificates   && update-ca-certificates:
#5 0.269 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.662 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.663 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.663 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.929 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.931 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.932 ERROR: unable to select packages:
#5 0.933   ca-certificates (no such package):
#5 0.933     required by: world[ca-certificates]
------
executor failed running [/bin/sh -c apk --no-cache add ca-certificates   && update-ca-certificates]: exit code: 1

Is there some other solution how to install update-ca-certificates tool? Or am I missing something?

Thx

See @kthompso answer for working solution.

Working solution (with update-ca-certificates commnad) based on @kthompso answer and info from unable to add certificates to alpine linux container

FROM alpine:latest

USER root

# To be able to download `ca-certificates` with `apk add` command
COPY my-root-ca.crt /root/my-root-ca.crt
RUN cat /root/my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt

# Add again root CA with `update-ca-certificates` tool
RUN apk --no-cache add ca-certificates \
    && rm -rf /var/cache/apk/*
COPY my-root-ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates

RUN apk --no-cache add curl

Edit: One solution I have in my mind is to use curl docker image with -k option and download .apk with those certificates and tools. Install it as local file. Add my root CA certificate and run update-ca-certificates. It sounds super crazy, so I think that have to be better solution :)

Upvotes: 92

Views: 203960

Answers (3)

geckoflume
geckoflume

Reputation: 425

Another option would be to install update-ca-certificates using the --no-check-certificate added in Alpine 3.18, then run update-ca-certificates to update /etc/ssl/certs/ca-certificates.crt:

RUN apk --no-cache add --no-check-certificate ca-certificates \
    && update-ca-certificates

See: https://stackoverflow.com/a/70455424/9875498

Upvotes: 0

Vivek Raj
Vivek Raj

Reputation: 519

Here is the example of alpine docker images.

FROM haproxy:2.9.4-alpine
ADD cacert.crt /usr/local/share/ca-certificates/cacert.crt
USER root
RUN apk update \
&& apk upgrade --available \
&& update-ca-certificates

Upvotes: 3

kthompso
kthompso

Reputation: 2442

Append your self-signed cert to /etc/ssl/certs/ca-certificates.crt manually.

Assuming you have the self-signed certificate in a file in your build directory called my-cert.pem:

FROM alpine:latest
  
COPY my-cert.pem /usr/local/share/ca-certificates/my-cert.crt

RUN cat /usr/local/share/ca-certificates/my-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
    apk --no-cache add \
        curl

Note: When you're using update-ca-certificates, you need to place your cert file into /usr/local/share/ca-certificates/ first. Otherwise it will be removed from /etc/ssl/certs/ca-certificates.crt the first time you run update-ca-certificates.

Upvotes: 134

Related Questions