unable to add certificates to alpine linux container
I have a small Python app inside an Alpine Linux container; here is the Dockerfile:

FROM alpine

# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
    && pip2 install --upgrade pip \
    && pip2 install flask

# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py

# app dir
RUN mkdir ${APP_DIR} \
    && chown -R nginx:nginx ${APP_DIR} \
    && chmod 777 /run/ -R \
    && chmod 777 /root/ -R
VOLUME [${APP_DIR}]
WORKDIR ${APP_DIR}

# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates

COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]

This worked fine 2 weeks ago, but when I tried to rebuild it recently I got this error:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping

So I checked those files, and found that for some reason the file ca-certificates.crt now has a chain of certificates. I found this on Stack Overflow:

/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.

But what changed? Why is this now a problem? So I tried reverting to an older version of Alpine Linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running

RUN update-ca-certificates

many certificates appear. Help?

Charlot answered 16/9, 2018 at 14:55 Comment(0)
I think below worked for me (I was adding a root certificate on blackfire/blackfire image which extends from alpine):

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* \
  && mkdir -p /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra
RUN update-ca-certificates

I then logged into that VM and saw it has added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe I heard it takes each cert file from inside /usr/local/share/ca-certificates and merges it into the /etc/ssl/certs/ca-certificates.crt file).

Now you will probably get that 'does not contain exactly one certificate or CRL: skipping' error, but I heard that is fine.

https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."

https://github.com/gliderlabs/docker-alpine/issues/52 mentions: "The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."

Nickelson answered 8/1, 2019 at 22:55 Comment(6)
This does not work in Alpine Linux according to my experience. As stated here, you must not put your custom cert files in a sub-directory of /usr/local/share/ca-certificates. - Loath
Not sure, worked for me and got 12 upvotes so far. Maybe people are just slightly modifying my COPY step (by removing extra/) to: COPY .docker/other/YOURCERT.crt /usr/local/share/ca-certificates/ - Nickelson
I can confirm (for me) that, on current Alpine, certificates have to be added to /usr/local/share/ca-certificates, not to the /usr/local/share/ca-certificates/extra directory. - Slone
It seems it depends on the version of your distribution. Using doptopenjdk/openjdk11:alpine-jre now, it's mandatory. I've used anapsix/alpine-java:8u192b12_server-jre before and it was enough to copy the cert to /usr/local/share/ca-certificates/ - Splitlevel
It's not just a warning for Alpine 3.13, this doesn't work. - Ukase
@Ukase It works in Alpine 3.11, but broke in 3.12. - Ezequieleziechiele

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping

OP mentioned two warnings, which includes the pem file to be added. Only the first warning can be ignored. The second warning is caused by the pem file containing more than one certificate, which is entirely valid but handled poorly by update-ca-certificates.

Instead, you can append the cert file's contents directly:

cat ca-cert-mykey.pem.pem >> /etc/ssl/certs/ca-certificates.crt

Another use case for CI config:

echo "$ADDITIONAL_CA_CERT_BUNDLE" >> /etc/ssl/certs/ca-certificates.crt
Microfiche answered 20/11, 2021 at 19:59 Comment(1)
Getting "bash: /etc/ssl/certs/ca-certificates.crt: Permission denied" when running sudo cat .. - Supporting
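A pre-flight check for the source directory, added here as an example and not code from anyone in the thread. The second warning in the question names mykey.pem, which the Dockerfile copies from key.pem: a private key (or a multi-cert chain) is not "exactly one certificate", so update-ca-certificates skips it, and a private key should never sit in a trust directory at all. The script counts certificate blocks per file, flags key material, and splits a chain into single-cert files that update-ca-certificates will accept; the PEM bodies in the test are constructed placeholders.

```shell
#!/bin/sh
# Inspect every file destined for /usr/local/share/ca-certificates before
# update-ca-certificates runs, so nothing is silently skipped.
# Example code, not from the thread; directory paths are passed in.

# Number of PEM certificate blocks in a file (0 for a key-only file).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds (exit 0) if the file holds private-key material, which must
# never be copied into a CA trust directory.
pem_has_private_key() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Split a multi-certificate bundle into one-cert-per-file pieces named
# <base>-N.crt under OUTDIR; prints the number of pieces written.
split_bundle() {
    bundle="$1"; outdir="$2"; base=$(basename "$bundle" .pem)
    mkdir -p "$outdir"
    awk -v out="$outdir/$base" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "-" n ".crt" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }' "$bundle"
}

# Walk a source directory; exit 0 only if every file is exactly one cert.
check_ca_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if pem_has_private_key "$f"; then
            echo "ERROR: $f contains a private key; remove it" >&2; rc=1
        elif [ "$(pem_cert_count "$f")" -ne 1 ]; then
            echo "WARN: $f has $(pem_cert_count "$f") certs; split it" >&2; rc=1
        fi
    done
    return $rc
}
```

Run check_ca_dir as a RUN step before update-ca-certificates so the build fails instead of producing an image that silently distrusts your CA; appending with cat >> bypasses the tool and is lost the next time update-ca-certificates regenerates ca-certificates.crt.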

In my case, I had to execute update-ca-certificates before adding any package. But it fails if /etc/ssl/certs/ doesn't exist.

So I added RUN mkdir -p /etc/ssl/certs/ && update-ca-certificates to my Dockerfile before the RUN apk add ....

Tyishatyke answered 27/8, 2021 at 15:19 Comment(0)

A little off topic because OP asked for help with Alpine, and I was using node:16 as the base image in my Dockerfile, but I would like to share my case as a precedent. I was installing my RootCA properly, but beyond the "normal" warning my container was not taking the new certificate even when it was indexed in /etc/ssl/certs/ca-certificates.crt.

I had been struggling for 3 hours with this nonsensical bug; so I just moved to node:18-bullseye (or greater) and then the certificate installed properly.

Onyx answered 12/11, 2022 at 3:27 Comment(0)

That's how it works for me:

ADD .docker/cert/root2022.cer /usr/local/share/ca-certificates/root2022.cer
RUN openssl x509 -inform PEM -in /usr/local/share/ca-certificates/root2022.cer -out /usr/local/share/ca-certificates/certificate.crt
RUN chmod 644 /usr/local/share/ca-certificates/certificate.crt && update-ca-certificates
Blastosphere answered 21/9, 2022 at 11:31 Comment(0)

Even after adding the self-signed certs to /etc/ssl/certs/ca-certificates.crt, the @azure/openai library still refused to use them.

I had to add: ENV NODE_EXTRA_CA_CERTS=/usr/src/certs/cacert.pem to my Dockerfile to create the NODE_EXTRA_CA_CERTS env var.

Milldam answered 19/2 at 20:52 Comment(0)