7

While building a Docker container, I came across this error:

Step 6/17 : RUN bower install --allow-root
 ---> Running in 20f9229dcd1e
bower angular-touch#~1.5.0 CERT_HAS_EXPIRED Request to https://registry.bower.io/packages/angular-touch failed: certificate has expired

Building this image was working fine for about 2 years, then suddenly refused to cooperate. How can I refresh a missing certificate?

Troom
  • 431
  • 6
  • 10

7 Answers

12

In my case I just added two lines to the .bowerrc file:

"strict-ssl": false,
"https-proxy": "",

This is a workaround, and it's bad practice. But using bower and outdated plugins is also bad practice.

Troom
  • 431
  • 6
  • 10
  • Didn't fix the issue for me. Why is this happening today I wonder. Another weird thing is that the issue only happens inside of Docker. Any ideas? – theschmitzer Apr 24 '23 at 23:36
  • 3
    Doesn't require the https-proxy, just the strict-ssl (Node8 in a docker image) – J D May 08 '23 at 03:23
  • From my experience, this works only when you start with a clean bower cache. – tromgy May 10 '23 at 11:45
8

You are probably all using a "very old" build stack based on older node docker images, which use an older Debian distribution for their base image (i.e. node:6 => Debian Stretch).

It seems that the letsencrypt certificate of registry.bower.io was updated on 24th April, 2023 and since then uses a more modern intermediate certificate. This was not available/known in older Debian distributions on which the original node images were based.

Of course it's about time to upgrade your stack, but in the meantime you could use these workarounds.

Add this to your Dockerfile, just before you are doing the bower install as a workaround:

If using node:6 / Debian Stretch

# manually remove expired letsencrypt X3 certificate and install the new ISRG X1 root CA 
RUN mkdir -p /usr/share/ca-certificates/letsencrypt/ \
  && cd /usr/share/ca-certificates/letsencrypt/ \
  && curl -kLO https://letsencrypt.org/certs/isrgrootx1.pem \
  && perl -i.bak -pe 's/^(mozilla\/DST_Root_CA_X3.crt)/!$1/g' /etc/ca-certificates.conf \
  && update-ca-certificates

Then use this flag to tell bower to use the system wide CA system:

RUN NODE_OPTIONS=--use-openssl-ca bower install ...

If using node:4 / Debian Jessie

Not possible to get this ancient npm to use openssl-ca's, so just disable SSL check in this case:

RUN <<EOR
cat <<EOF > .bowerrc
{
  "registry": "https://registry.bower.io",
  "strict-ssl": false,
  "https-proxy": "" 
}
EOF
EOR
Ernesto Baschny
  • 436
  • 3
  • 5
  • `RUN cd /` does nothing. https://stackoverflow.com/questions/58847410/difference-between-run-cd-and-workdir-in-dockerfile More correct steps: `RUN mkdir -p /usr/share/ca-certificates/letsencrypt/` `WORKDIR /usr/share/ca-certificates/letsencrypt` `RUN curl -kLO https://letsencrypt.org/certs/isrgrootx1.pem \ && perl -i.bak -pe 's/^(mozilla\/DST_Root_CA_X3.crt)/!$1/g' /etc/ca-certificates.conf \ && update-ca-certificates` – Andrey Fedosenko Apr 27 '23 at 11:15
  • I do not understand your comment @AndreyFedosenko. There is no `RUN cd /` in my response – Ernesto Baschny May 02 '23 at 10:04
  • just checked, it looks like your solution works without modifications. I probably made a mistake somewhere. I apologize @ernesto-baschny – Andrey Fedosenko May 03 '23 at 16:50
3

Point to newer registry in .bowerrc

Answered here

{
 "directory": "bower_components",
 "registry": "https://bower.herokuapp.com"
}
Jason
  • 206
  • 2
  • 8
2

I have been getting this error since yesterday. I solved it as follows: if you have your dependencies in bower.json like this:

 "dependencies": {
    "bootstrap-sass": "3.2.0",
    "jquery": "2.2.0",
...
}

then change it to:

"dependencies": {
    "bootstrap-sass": "https://github.com/twbs/bootstrap-sass.git#3.2.0",
    "jquery": "https://github.com/jquery/jquery.git#2.2.0",
...
}

with your specified version and git url. You will find the git url of all bower packages here: https://registry.bower.io/packages

Apophis
  • 273
  • 1
  • 9
  • From my experience this works only when you don't have "deeper" bower dependencies, that is it will only work for the packages directly listed, but not their dependencies. – tromgy May 10 '23 at 11:47
1

bower install still works for newer versions of node. From what I noticed, the certificate stopped working for versions 6, 7 and 8.

As a workaround, I execute only the bower install command on a newer node (for example 12), and the rest of the commands for building the project on the version I need.

It worked in our project.

0

Updating the node version from 8 to 18 fixed the error for me.

vmayorow
  • 630
  • 5
  • 15
0

Not sure if it is right, but the steps below worked for us:

1 - Remove the old cert:

sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf

2 - Update certs:

update-ca-certificates

3 - Disable SSL temporarily: add "strict-ssl": false to .bowerrc file.

4 - Add bower cache-clean before bower install command in your steps.

5 - Include the flag --use-openssl-ca to bower install command.

6 - Run your build, it should work this time.

7 - Go back and re-enable SSL: remove the "strict-ssl": false from the .bowerrc file.

8 - The next builds should work with SSL and without the certificate problem.

Arrow Root
  • 13
  • 6
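
The two system-level steps from the answers above (fetching the ISRG root with `curl -k` and deselecting DST Root CA X3), as an added example that is not part of any answer: the download is checked against a SHA-256 pin before it enters the trust store, since `-k` skips TLS verification, and the deselect edit is safe to repeat. The function names and the pin placeholder are assumptions.

```sh
#!/bin/sh
# Added example with hypothetical helper names; not code from the answers.

# Deselect one CA in a ca-certificates.conf-style file. Only a line that is
# exactly the certificate path is changed, so repeated runs never stack "!".
deselect_ca() {
    conf=$1; cert=$2
    tmp=$(mktemp) || return 1
    awk -v c="$cert" '$0 == c { print "!" c; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Copy a downloaded CA file into dest_dir as <name>.crt, but only when its
# SHA-256 equals a pin recorded out of band. On mismatch nothing is installed.
install_pinned_ca() {
    src=$1; pin=$2; dest_dir=$3
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ -z "$pin" ] || [ "$actual" != "$pin" ]; then
        echo "refusing $src: sha256 '$actual' does not match the pin" >&2
        return 1
    fi
    name=$(basename "$src"); name=${name%.*}
    # update-ca-certificates picks up *.crt files from the local CA directory.
    mkdir -p "$dest_dir" && cp "$src" "$dest_dir/$name.crt"
}

# Intended use in the image build (the pin is a placeholder to fill in from a
# machine that can verify letsencrypt.org over TLS):
#   curl -kLO https://letsencrypt.org/certs/isrgrootx1.pem
#   install_pinned_ca isrgrootx1.pem "<pinned-sha256>" /usr/local/share/ca-certificates
#   deselect_ca /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt
#   update-ca-certificates
```

With the pin check in place, a tampered or substituted download fails the build instead of silently becoming a trusted root.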