update-ca-certificates fails #30
Comments
That isn't necessarily a failure. It is just saying "the ca-certificates.crt file has multiple certificates so we are not considering it to be symlinked". What is the actual problem here? Do you have an example I can try to reproduce? |
sure, CiscoCloud/nginx-consul (currently on the Docker registry as asteris/nginx-consul.) If you mount a directory with CA certs in the place mentioned in the README and run |
Do you have an example CA PEM or a command I can use to generate one? I'll see if I can reproduce. To clarify: the CA is not getting added to the |
correct. I don't have one, but you can get one by running the security-setup script in CiscoCloud/microservices-infrastructure. |
Indeed, looks like an upstream bug. The line at https://github.com/alpinelinux/aports/blob/master/main/ca-certificates/update-ca-certificates#L50 should be |
Great, thank you! |
Patch submitted: http://patchwork.alpinelinux.org/patch/104/. |
Merged in alpinelinux/aports@3faf2e0. New package pushed to edge. Give it a try and let me know if we can close this. |
This fix should also be in Alpine 3.2 as well. We just pushed a new 3.2 tag. Reopen if still an issue. |
This looks to be an issue in
|
What specifically is the issue? |
On second inspection, I don't think |
The warning is just a warning. It doesn't affect anything. |
The message says that something is skipped. It gives the impression that the user gets an incomplete set of root certificates. Could you please rephrase, remove or fix this message, so people are not getting confused about the message? |
This should be brought up on http://bugs.alpinelinux.org/projects/alpine/issues. It comes from the utility in the |
+1 |
@adolphlwq, your "+1" comment doesn't really give us any new information. If you're experiencing the same issue, have none of the above comments helped? As @andyshinn noted two full moons ago, this issue doesn't really belong here. |
@andyshinn mentioned that this is just a warning and shouldn't affect anything. However, |
What about this guys:
```dockerfile
FROM alpine:3.7
RUN apk update \
    && apk upgrade \
    && apk add --no-cache \
        ca-certificates \
    && update-ca-certificates 2>/dev/null || true
```
|
I think it's great for a workaround, but the command shouldn't exit 1 on a warning. Or we should be able to ignore warnings. I have implemented this workaround in my Dockerfile, but I don't think I can really assume that everything is fine certificate-wise anymore. |
|
Just don't use Alpine & Docker. Nobody cares if you shave 100 MB off an image. 2 hours of your work is a terabyte disk. |
Message is misleading, but it's only a warning. It doesn't mean it failed to run In case you have access to
```dockerfile
ARG CA_BUNDLE_SOURCE=https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
ARG CA_BUNDLE_DESTINATION=/usr/local/share/ca-certificates/rds-combined-ca-bundle.pem
ADD $CA_BUNDLE_SOURCE $CA_BUNDLE_DESTINATION
RUN update-ca-certificates
RUN python -c "x=open('$CA_BUNDLE_DESTINATION').read(); y=open('/etc/ssl/certs/ca-certificates.crt').read(); exit(0) if x in y else exit(-1)"
```
Above python trick comes from https://unix.stackexchange.com/a/114882/63222 and was adapted to fail if file doesn't contain other file. There are probably much better ways out there. At this point, it's probably easier to append the bundle directly to
```dockerfile
ARG CA_BUNDLE_SOURCE=https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
ARG CA_BUNDLE_DESTINATION=/usr/local/share/ca-certificates/rds-combined-ca-bundle.pem
ADD $CA_BUNDLE_SOURCE $CA_BUNDLE_DESTINATION
RUN cat $CA_BUNDLE_DESTINATION >> /etc/ssl/certs/ca-certificates.crt
```
|
I have looked into this a bit closer. The reason for this warning is the When Source: https://git.alpinelinux.org/ca-certificates/ I suggest to close this issue. |
It may be a warning, but why does the message include |
Because the file mentioned contains more than one certificate and thus can't be hashed. This is output from |
The issue still persists. I get the warning both for a cert and the store file: Reproduce:
|
@franz-josef-kaiser that is another issue, your cert
The warning about the bundle is really just a warning though. It's because
|
@rustyx Thanks for clarifying that (and submitting the PR to Alpine@GitLab)
|
Still a problem, wow. |
A problem. |
From Home Assistant core-2021.8.8 bash-5.1# update-ca-certificates |
The following warning is not an error. It's just how the command works: It checks all certs, including the main file, which contains more than one file. The error message just could be improved:
|
It's much better if it outputs the result as normal linux, then we know the cert has been added, so it's just a warning. At first glance at this warning and no other outputs, I thought it did not add the cert.
|
haha. oh my. still an issue all these years later. |
@vitruvvius What have you contributed to fixing the issue? |
First-time poster! Please excuse any informal etiquette. I spent 2 hours troubleshooting a similar issue in Ubuntu, but was able to come up with a solution (my thought is maybe my findings could be helpful for others). Firstly, I started from scratch:
Important:
After running the update, the certificate was available. |
Hi! This is not Alpine, but I figured out my certificate files were using UTF-8 BOM and saved without BOM and certificates were included without warnings.
```dockerfile
FROM node:14
COPY CPTTRootCertificateAuthority.crt /usr/local/share/ca-certificates/
COPY CPTTIntermediateCertificate.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
```
Maybe this comment is not useful, but works for me. |
For what it's worth, the exit code for this warning now appears to be 0, fortunately:
```
bash-5.1# update-ca-certificates --fresh
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
bash-5.1# echo $?
0
```
|
I see this "warning" So in my case it does seem the addition to the trust store was indeed skipped as well. |
It seems the container recognizes my CA (docker:dind - which is alpine basically), and running Fixed:
The runner tries to be smart and if |
@rwjack I have the same issue in GitLab CI - only I'm not mounting it with Runner config, but tried installing during a job directly inside a docker-dind image:
Did you find a workaround, apart from creating your own dind image with injected CA's certs? |
@Acerinth I'm not sure honestly, though I managed to evade that warning somehow. I still mount the CA in the gitlab-runner
|
Does anyone have a script that splits a single .pem file with multiple certificates in it into individual files? I am encountering this "warning" again and would like all the certificates in my file to actually be imported and trusted. |
Also, I am sorry. I think this is the wrong repo to report this issue. I think skipping certs in a file should be an error, not a warning. (whether they are actually skipped or not is up for debate in this thread, but in some cases the warning about skipping actually does mean they are skipped and not added to the trust store) |
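One way to do the split asked about above, as an added example that is not code from this thread or from the Alpine project: a POSIX shell function (the names `split_pem_bundle` and `PREFIX` are hypothetical) that writes each complete certificate block of a bundle to its own `.crt` file. It also drops carriage returns and any bytes, such as the UTF-8 BOM mentioned earlier in the thread, that sit in front of a BEGIN marker.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Alpine project.
# split_pem_bundle and its PREFIX argument are hypothetical names.
#
# usage: split_pem_bundle BUNDLE OUTDIR [PREFIX]
# Writes OUTDIR/PREFIX-001.crt, PREFIX-002.crt, ... (one certificate each),
# prints how many were written, and returns non-zero if there were none.
split_pem_bundle() {
    bundle=$1 outdir=$2 prefix=${3:-bundle}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    mkdir -p "$outdir" || return 2
    # tr removes CRs from CRLF files; awk buffers each block and writes it
    # only when its END marker is seen, so a truncated block is never emitted.
    count=$(tr -d '\r' < "$bundle" | awk -v dir="$outdir" -v pre="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            # Re-emit the marker itself: drops a BOM or other leading bytes.
            buf = "-----BEGIN CERTIFICATE-----\n"
            inside = 1
            next
        }
        inside {
            buf = buf $0 "\n"
            if ($0 ~ /-----END CERTIFICATE-----/) {
                out = sprintf("%s/%s-%03d.crt", dir, pre, ++n)
                printf "%s", buf > out
                close(out)
                inside = 0
            }
        }
        END { print n + 0 }
    ')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Run only when arguments are given, e.g.:
#   sh split.sh corp-bundle.pem /usr/local/share/ca-certificates corp
if [ "$#" -ge 2 ]; then
    split_pem_bundle "$@"
fi
```

Writing the pieces into `/usr/local/share/ca-certificates` (the directory used in the Dockerfiles above) before running `update-ca-certificates` gives the tool one certificate per file, which is what the "exactly one certificate or CRL" wording of the warning asks for.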
When run under Docker, update-ca-certificates (from the package ca-certificates) fails with the line . All the information I can find seems to suggest it's a locale issue but the system profile seems to have the correct information. Any ideas? The failure: