
Shell command not recognizing the variable

I am able to generate the content for the certificate but when I am trying to pass it on to a file in my container location, shell is not recognizing the variable holding the content of certificate

    RUN apk add ca-certificates
    RUN apk add --no-cache openssl
    RUN CERTS = $(echo -n | openssl s_client -connect keycloak.abc.domain.com:443 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') && \
        echo $CERTS >/usr/local/share/ca-certificates/mycert.crt && \
        update-ca-certificates

The error says:

    Step 14/18 : RUN CERT = $(echo -n | openssl s_client -connect keycloakt.abc.domain.com:443 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') && echo $CERT >/usr/local/share/ca-certificates/mycert.crt && update-ca-certificates
     ---> Running in 18e319cfa09b
    depth=0 C = MX, ST = xx, L = xx, O = xx, OU = xx, CN = *.xx
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=xx C = xx, ST = xx, L = xx, O = xx, OU = xx, CN = *.xx
    verify error:num=21:unable to verify the first certificate
    verify return:1
    DONE
    /bin/sh: CERT: not found
    The command '/bin/sh -c CERT = $(echo -n | openssl s_client -connect hostname:port -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') &&     echo $CERT >/usr/local/share/ca-certificates/mycert.crt &&     update-ca-certificates' returned a non-zero code: 127

I tried "$CERT" > /usr/local/share/ca-certificates/mycert.crt as well. Also I tried copying the certificate from my local

 #RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
 #COPY ./mycert.crt /usr/local/share/ca-certificates/mycert.crt

But with this I get : COPY failed: stat /var/lib/docker/tmp/docker-builder950940816/mycert.crt: no such file or directory

Is there another way to pass the value here? Can anyone point out what's wrong in either of the approaches?

Liza

  • If you will read the documentation on Dockerfiles (no, really, please do), you'll learn that the text following the `RUN` directive is passed to the default shell (or the shell overridden with `SHELL`). So the shell, which is `/bin/sh` in your case, tries to find and execute a program named `CERTS`, fails at that and tells you exactly that: `CERTS: not found`. What is more puzzling is what that ` = =` mumbo-jumbo following `CERT` is all about? – kostix Jul 30 '19 at 16:09
  • After some squinting, it looks like whoever wrote the original incantation meant it to be `CERT=$(echo -n ...) && echo $CERTS ...`. That is, the shell should create a variable named "CERTS" and assign (`=`) to it what the pipeline inside `$(` and `)` outputs. – kostix Jul 30 '19 at 16:11
  • I highly recommend you to start with some basic tutorial on Unix shell scripting. – kostix Jul 30 '19 at 16:11
  • == was a typo, my bad. I would update the question. – Liza Jul 30 '19 at 19:06
  • Possible duplicate of [Why does a space in a variable assignment give an error in Bash?](https://stackoverflow.com/questions/41748466/why-does-a-space-in-a-variable-assignment-give-an-error-in-bash) – tripleee Jul 30 '19 at 19:15

2 Answers


The variable assignment contains a syntax error. But there is no reason to capture the cert into a variable if you only want to write it to a file.

    RUN openssl s_client -connect keycloak.abc.domain.com:443 -showcerts </dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >/usr/local/share/ca-certificates/mycert.crt && \
        update-ca-certificates
tripleee

  • Two errors, actually; see also [When to wrap quotes around a shell variable?](https://stackoverflow.com/questions/10067266/when-to-wrap-quotes-around-a-shell-variable) – tripleee Jul 30 '19 at 19:25

This syntax worked for me:

    RUN CERT=$(echo -n | openssl s_client -connect keycloakt.abc.domain.com:443 -showcerts </dev/null \ | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p') && \
        echo $CERT >/usr/local/share/ca-certificates/mycert.crt && \
        update-ca-certificates

Though I got a warning message and it did not serve the purpose of importing ca-certificate for my docker container:

    s_client: must not provide both -connect option and target parameter
    s_client: Use -help for summary.
    WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
    WARNING: ca-cert-mycert.pem does not contain exactly one certificate or CRL: skipping.

But this question is resolved with @tripleee's suggestion. Thanks!

Liza

  • The missing quotes around `echo "$CERT"` will wreck the captured multi-line variable. I thought I told you already. – tripleee Jul 31 '19 at 04:21
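The following POSIX shell script is an added example, not code from the question or from either answer. It reproduces the three points raised on this page offline, using a constructed stand-in for `openssl s_client -showcerts` output instead of a live connection: the `sed` range that isolates the PEM block, the `CERT = value` form that the shell treats as a command named `CERT` (exit status 127, the error in the question), and the difference between `echo $CERT` and `echo "$CERT"` that tripleee's comment on the second answer refers to. The certificate body is made-up text, not a real certificate, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: constructed s_client-style transcript, the page's sed range,
# the spaced-assignment error, and the quoting difference for multi-line data.

# Constructed stand-in for `openssl s_client -connect host:443 -showcerts`
# output. The lines between BEGIN and END are fake, not a real certificate.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = example
verify return:1
---
Certificate chain
 0 s:CN = example
-----BEGIN CERTIFICATE-----
MIIBfakeCertificateLine1
MIIBfakeCertificateLine2
-----END CERTIFICATE-----
---
DONE'

# Same sed address range the question and both answers use: print only the
# lines from the BEGIN marker through the END marker.
extract_pem() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Unquoted expansion: the shell splits the value on whitespace (including
# newlines) and echo joins the pieces with spaces, so the four-line PEM block
# becomes a single line. A file written this way is not a valid certificate.
unquoted_line_count() {
    CERT=$(extract_pem)
    echo $CERT | wc -l | tr -d ' '
}

# Quoted expansion: newlines are preserved and the output equals the sed output.
quoted_line_count() {
    CERT=$(extract_pem)
    echo "$CERT" | wc -l | tr -d ' '
}

# `CERT = "x"` is not an assignment: the shell looks for a program named CERT,
# passes it "=" and "x" as arguments, and fails with status 127 ("not found"),
# which is the exit code reported in the question. Run in a subshell so the
# failure does not abort the script under `set -e`.
spaced_assignment_status() {
    status=0
    ( CERT = "x" ) 2>/dev/null || status=$?
    echo "$status"
}

# Stand-alone demonstration.
printf 'PEM lines extracted:        %s\n' "$(extract_pem | wc -l | tr -d ' ')"
printf 'lines after echo $CERT:     %s\n' "$(unquoted_line_count)"
printf 'lines after echo "$CERT":   %s\n' "$(quoted_line_count)"
printf 'exit status of CERT = "x":  %s\n' "$(spaced_assignment_status)"
```

Run it with `sh`. `extract_pem` yields the four PEM lines; `unquoted_line_count` returns 1 because word splitting flattens the block, while `quoted_line_count` returns 4; `spaced_assignment_status` returns 127. Redirecting the `sed` output straight into the file, as the accepted answer does, sidesteps both the variable and the quoting question.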