How to disable SSL verification in alpine's apk?

Asked 22/12, 2021 at 8:7 Answered 1/8, 2023 at 6:36

Solved linux docker ssl alpine-linux alpine-package-keeper

Is there any way to disable SSL verification at installing some packages?

I found how to add my certificate in trusted certificates, but I'd rather do disable this checking.

I need it to avoid following error:

SSL routines:tls_process_server_certificate:certificate verify failed

Roseanneroseate answered 22/12, 2021 at 8:7 Comment(2)

What's the scenario here? Since you can get SSL certificates for free I don't think there're package repositories with self-signed certificates any more. Is it some local repository or something like that? – Denni 22/12, 2021 at 8:10

@ÁlvaroGonzález, I use VPN with self signed cetificates – Roseanneroseate 22/12, 2021 at 8:26

For Alpine 3.18 and onward, the option --no-check-certificate was added to apk add, so, your best bet is to follow @Chen A.'s answer.

Before Alpine 3.18, that introduced the flag --no-check-certificate in apk add; one way to achieve this was to use an http mirror of the packet repository rather than an https version of it, then you won't have any SSL verification.

So, you could, for example do:

apk add \
  --no-cache \
  --allow-untrusted \
  --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
  alpine-sdk

To find the right package repository for your version of Alpine, you have a look in the file /etc/apk/repositories.

Here is, for example, the content of the file for the Alpine 3.15 image:

https://dl-cdn.alpinelinux.org/alpine/v3.15/main
https://dl-cdn.alpinelinux.org/alpine/v3.15/community

Lempira answered 22/12, 2021 at 21:41 Comment(7)

It doesn't work so, because if we read description of the allow-untrusted switch it says: --allow-untrusted Install packages with untrusted signature or no signature It has no connection with SSL verification during package fetching – Consensual 12/4, 2022 at 16:12

And the issue in Apline repo is still opened – Consensual 12/4, 2022 at 16:17

Didn't work for me, because the fetch command gets redirected to https immediately. – Inchoate 21/6, 2023 at 12:51

That's a working solution for a virtualbox vm (reboot it) behind the intranet ca root, see also github.com/dotnet/dotnet-docker/issues/… – Foxy 28/2 at 11:25

The correct switch is --no-check-certificate, as indicated by the other answer by Chen A. – Evangel 11/3 at 11:26

@Evangel back when I answered this in 2021 the flag did not exists. Thanks for pointing out I will add a warning there – Riggs 13/3 at 20:1

@Evangel please also pay attention that --no-check-certificate wasn't back ported in all version of Alpine, so, for versions prior to 3.18, which added the flag, you are sadly still left with no other option than this ugly trick. – Riggs 13/3 at 21:41

There was an issue raised in the alpine project.
This was solved by adding a new flag, --no-check-certificate

Just add the flag to your update and add commands, e.g

RUN apk update --no-check-certificate \
    && apk add --no-check-certificate bash curl

Inkwell answered 1/8, 2023 at 6:36 Comment(1)

Ideally, in an Alpine image, one does not apk update && apk add ..., but we rather use the --no-cache flag. – Riggs 13/3 at 21:44

Recommended topics

Hot tags