Force update the image certificates bundle during build #2057

Open
ribeirobreno opened this issue Apr 1, 2024 · 1 comment

@ribeirobreno

Environment

  • Platform: Linux
  • Docker Version: 25.0.3
  • Node.js Version: 20.12.0
  • Image Tag: 20-alpine

This issue can happen in any docker image.

Expected Behavior

Any request to a valid https url with a valid certificate should return with no SSL/TLS issues.

Current Behavior

Requesting any website with a recently updated https certificate and issued from a recently updated root CA will fail.

Possible Solution

Include the appropriate command to update the certificates in the Dockerfiles.
E.g.: apk add --upgrade --no-cache ca-certificates-bundle for the Alpine images.

Running this command in the latest node:20-alpine image as root will yield:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/1) Upgrading ca-certificates-bundle (20230506-r0 -> 20240226-r0)
OK: 10 MiB in 17 packages

This is my current workaround for this issue; it would be awesome to have this baked into the official images.

Steps to Reproduce

  • Given this command: docker run --rm -it node:20-alpine node -e 'const https=require("node:https");https.get("{URL}",(r)=>console.log(r.statusCode)).on("error",(e)=>console.error(e)) ;'
  • Replace {URL} with a website where the certificate was issued recently and the root for it is in the newly updated bundle but not in the previous bundle.
  • Run the command

Additional Information

  • Updating the base image might also give the desired result but is not as good as actually updating the certificates.
  • Sadly, I can't share the actual URL where I've caught this issue and couldn't find another one to better illustrate the test case. What I can say is that it is using a GoDaddy-issued certificate that was issued yesterday (2024-03-31).
@LaurentGoderre
Member

Doing this still isn't something that would work in every scenario because the certs would be up to date for the build time of the image. This would be better achieved via a custom entrypoint script.
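
As an added example (not code from this thread or from the docker-node project), here is a Dockerfile that combines the reporter's build-time upgrade with the maintainer's entrypoint approach; the wrapper script name, the CA_REFRESH variable and the assumption that the stock image entrypoint lives at /usr/local/bin/docker-entrypoint.sh are mine. Because Node.js by default verifies TLS against its own built-in root list rather than the system bundle, it also sets --use-openssl-ca and SSL_CERT_FILE so that the apk-maintained bundle is the one actually consulted.

```dockerfile
# syntax=docker/dockerfile:1
FROM node:20-alpine

# Build-time refresh (the reporter's workaround): pull the current
# ca-certificates-bundle so the image starts from an up-to-date root store.
RUN apk add --upgrade --no-cache ca-certificates-bundle

# Run-time refresh (the maintainer's suggestion): a wrapper entrypoint that
# upgrades the bundle again when the container starts, so roots published
# after the image was built are picked up without a rebuild.
# (Script name and CA_REFRESH switch are this example's own choices.)
COPY <<'EOF' /usr/local/bin/refresh-ca-entrypoint.sh
#!/bin/sh
set -eu
# apk needs root; when the container runs as the unprivileged "node" user,
# skip the refresh instead of failing the container. CA_REFRESH=0 disables it.
if [ "$(id -u)" -eq 0 ] && [ "${CA_REFRESH:-1}" = "1" ]; then
  # Needs network access to the Alpine mirror at start-up; if that is
  # unavailable, fall back to the bundle baked into the image.
  if ! apk add --upgrade --no-cache ca-certificates-bundle >/dev/null 2>&1; then
    echo "warning: ca-certificates-bundle refresh failed, using image copy" >&2
  fi
fi
# Hand off to the stock node image entrypoint (assumed path) so its
# behaviour is unchanged.
exec /usr/local/bin/docker-entrypoint.sh "$@"
EOF
RUN chmod 0755 /usr/local/bin/refresh-ca-entrypoint.sh

# Node.js validates server certificates against its built-in root list unless
# told to use OpenSSL's store; point that store at the bundle apk maintains.
ENV NODE_OPTIONS=--use-openssl-ca \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

ENTRYPOINT ["refresh-ca-entrypoint.sh"]
CMD ["node"]
```

Running the image with --user node keeps it working but skips the start-up refresh, so the build-time RUN line remains the floor for how fresh the roots are.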
