Recently, my legacy Docker image stopped building because certain files refuse to download while building the image even though they download fine on my host system (and worked fine in the build before). This Dockerfile reproduces the problem:

FROM ubuntu:14.04

RUN apt-get update
RUN apt-get install -y ca-certificates
RUN update-ca-certificates
RUN apt-get update
RUN apt-get -y upgrade

#RUN apt-get install -y curl
#RUN curl -O https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/SphinxSearch/+archive/refs/heads/REL1_24.tar.gz

RUN apt-get install -y wget
RUN wget https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/SphinxSearch/+archive/refs/heads/REL1_24.tar.gz

Then, attempt to build the above Dockerfile with docker build .

When the wget approach (bottom) is used, I get the error:

ERROR: cannot verify gerrit.wikimedia.org's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
  Issued certificate has expired.

When I use the curl approach (top, commented out currently), I get the error:

curl: (60) SSL certificate problem: certificate has expired

I could bypass these issues by instructing wget and/or curl to ignore certificates, but I would prefer not to expose that security hole if at all possible to avoid. The top section is me flailing around trying to make sure the system's CA certificates are all up to date, but apparently what I'm doing isn't effective.

Ben

2 Answers

There are a couple of ways I would do this without upgrading:

  1. Before you try this make sure your ca-certificates.conf is in /etc/ca-certificates.conf. In my Ubuntu 16.04 the ca-certificates.conf is in /etc/.

Add the next line BEFORE your "RUN update-ca-certificates" line.

For this to work, you MUST keep "RUN update-ca-certificates" line.

RUN sed '/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf > /tmp/cacerts.conf && mv /tmp/cacerts.conf /etc/ca-certificates.conf
RUN update-ca-certificates

This will remove the DST_Root_CA_X3.crt that expired on Sep 30 14:01:15 2021 GMT, assuming the expired DST Root CA certificate is the cause of your issue.

  2. I would troubleshoot this manually as per this detailed guide: https://stackoverflow.com/a/69411107/1549092

If in your case step (1) doesn't work and that's not the issue, I would follow the guide in step (2) to identify the root cause of your issue. There could be another Root CA cert that has expired at different time.

NOTE: I can't be 100% sure what the root cause is in your case, unless you share that ca-cert bundle so I can test it. Or you can do it following step (2) above.

GTodorov
  • Thanks for the answer, but (1) doesn't seem to resolve the issue when added just before line 5 in the Dockerfile in the question. Nor does manually running `sudo dpkg-reconfigure ca-certificates` per (2) in a Docker container using the ubuntu:14.04 image. The ca-cert bundle should be readily accessible by any Docker user; for instance with `docker container run ubuntu:14.04 cat /etc/ssl/certs/ca-certificates.crt`. – Ben Oct 04 '21 at 19:06
    Removing the line does not really work. I had to run `sed -i 's/\(.*DST_Root_CA_X3.crt\)/!\1/' /etc/ca-certificates.conf` to disable the certificate and only then `update-ca-certificates` removed it. – Mitar Oct 21 '21 at 22:50
    @Mitar: That was it! This solves the letsencrypt/certbot certificate problem due to the DST_Root_CA_X3.crt expiry. Cool! (Totally Docker unrelated, but the same problem and the same solution.) – Johannes Overmann Nov 05 '21 at 11:51
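The `!` deselection that Mitar's comment describes, written out as an added example of my own (it is not code from the question or from either answer): a POSIX shell helper that deselects a named entry in a Debian/Ubuntu-style ca-certificates.conf and reports whether an entry is enabled, deselected or absent, so a build step can check the truststore before it downloads anything. It assumes the file convention that update-ca-certificates honours on those systems (lines starting with `#` are comments, lines starting with `!` are deselected). The conf contents, entry names and temporary directory below are constructed for the demo; on a real system you would point it at /etc/ca-certificates.conf and then run `update-ca-certificates`, as the answer says.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Deselects one CA entry
# in a Debian/Ubuntu-style ca-certificates.conf the way update-ca-certificates
# expects ("#" lines are comments, "!" lines are deselected), and reports an
# entry's state so a build step can verify the truststore before downloading.
set -eu

# Escape regex metacharacters in a certificate file name (the dot in ".crt").
_re_escape() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# ca_entry_state CONF NAME -> prints enabled, disabled or absent.
ca_entry_state() {
    conf=$1
    esc=$(_re_escape "$2")
    if grep -q "^!.*${esc}\$" "$conf"; then
        echo disabled
    elif grep -q "^[^!#]*${esc}\$" "$conf"; then
        echo enabled
    else
        echo absent
    fi
}

# disable_ca_entry CONF NAME: prefix "!" to the active line naming NAME.
# Idempotent: already-deselected or commented lines are left untouched.
# Writes to a temp file and renames, like the answer's "sed ... && mv" form.
disable_ca_entry() {
    conf=$1
    esc=$(_re_escape "$2")
    sed "/^[^!#]*${esc}\$/s/^/!/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demo on a constructed conf (three sample entries, not the real system file).
demo_dir=${TMPDIR:-/tmp}/ca-conf-demo.$$
mkdir -p "$demo_dir"
demo_conf=$demo_dir/ca-certificates.conf
printf '# constructed sample\nmozilla/ACCVRAIZ1.crt\nmozilla/DST_Root_CA_X3.crt\nmozilla/ISRG_Root_X1.crt\n' > "$demo_conf"
echo "before: DST_Root_CA_X3.crt is $(ca_entry_state "$demo_conf" DST_Root_CA_X3.crt)"
disable_ca_entry "$demo_conf" DST_Root_CA_X3.crt
echo "after:  DST_Root_CA_X3.crt is $(ca_entry_state "$demo_conf" DST_Root_CA_X3.crt)"
echo "        ISRG_Root_X1.crt is $(ca_entry_state "$demo_conf" ISRG_Root_X1.crt)"
# On a real system: disable_ca_entry /etc/ca-certificates.conf DST_Root_CA_X3.crt
# followed by update-ca-certificates, which then drops it from the bundle.
rm -rf "$demo_dir"
```

Deselecting (rather than deleting the line, as the answer first suggests) matters because update-ca-certificates only removes a certificate from the bundle when it sees the entry marked with `!`; checking that ISRG_Root_X1.crt is still enabled afterwards confirms the Let's Encrypt chain can still be validated once the expired DST root is gone. In a Dockerfile the same two steps go in one RUN line before the wget or curl step.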
Meta: it's not clear this is a programming or development issue; you've already gotten close voters who think it isn't.

library/ubuntu:14.04 already contains ca-certificates 20170717~14.04.2 which is the last update issued for Trusty, so no, trying to update it doesn't help. That version DOES contain the ISRG root cert.

However, when accessing a host that uses the LetsEncrypt 'compatibility' chain from software based on OpenSSL, as both curl and wget in Ubuntu 14.04 are, you not only need the ISRG root in the truststore but you also need either a recent version of OpenSSL code (at least 1.1.x and I believe specifically 1.1.1 (I was wrong about the latter)) OR you need the now-obsolete DST root removed.

You could download a near-current OpenSSL (3.0.0 was just released and you don't want to mess with that) and build it yourself, then download curl and/or wget and build it/them to use that new OpenSSL. That's a good deal of work.

https://serverfault.com/questions/1079199/client-on-debian-9-erroneously-reports-expired-certificate-for-letsencrypt-issue has ways to remove DST root for Debian, which also applies to Ubuntu, and the sed method works for me in a docker build.

Alternatively, if you only need one file that doesn't change (and I'm guessing REL with a number shouldn't), why not just download on the host (where you apparently have modern code running) and copy into the container (or mount, if you care about the space)?

dave_thompson_085
  • This answer allows the reader to eventually discover the succinct answer. I would post that succinct answer, but StackOverflow overseers have decided that programmatically producing a system with a Dockerfile is not programming, nor is Docker a software tool commonly used by programmers, nor is a Dockerfile source code. https://stackoverflow.com/help/on-topic – Ben Oct 04 '21 at 19:19