Impossible to add new CA file #52
Comments
I can confirm this using Docker image |
The error is valid and is telling you the problem, the CA is not one certificate. You need to explicitly trust everything in the chain. If you trust the entire chain, can you try breaking the certs up into two files (one cert in each file)? |
@andyshinn I'm not sure I understand how to fix it. What are you suggesting? |
The file that is being added contains two certificates. It needs to be one certificate per file. If you have the same error, try looking at the file being added to see if it is two certificates. If it is, break them up into two separate files and try adding both those files instead of one. |
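The check suggested above (see whether a file holds more than one certificate, then break it into one certificate per file), as an added shell example that is not part of the original thread or the project's own code. The function names, the `acme` prefix and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# count_certs FILE: print how many PEM certificate blocks FILE contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# multi_cert_files DIR: print every *.crt under DIR holding more than one certificate.
multi_cert_files() {
    find "$1" -type f -name '*.crt' | while IFS= read -r f; do
        if [ "$(count_certs "$f")" -gt 1 ]; then printf '%s\n' "$f"; fi
    done
}

# split_bundle BUNDLE OUTDIR PREFIX: write OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ...
# with exactly one PEM block each; text outside the blocks is dropped.
# Prints the number of files written.
split_bundle() {
    bundle=$1 outdir=$2 prefix=$3
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/%s-%d.crt", dir, prefix, n); inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample: two PEM-framed blocks with placeholder bodies
# (not real certificates), standing in for a root + intermediate chain file.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYONE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYTWO
-----END CERTIFICATE-----
EOF
}

# Typical use in an image build (paths as used elsewhere in this thread):
#   split_bundle chain.pem /usr/local/share/ca-certificates acme
#   update-ca-certificates
```

Running `multi_cert_files /usr/local/share/ca-certificates` before `update-ca-certificates` lists the files that need splitting.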
Just confirming that the issue is in place and repeatable simply by running the following Dockerfile... edit actually upon looking at it, looks like this might be a different issue haha. Specifically it looks like I am still seeing the behavior in #30
|
What is the problem with that |
Same here with |
Closing until someone can give me a better way to reproduce. The warning shown is normal. CA certificate files can only have one certificate in them. |
I was experiencing this issue on a repo we have. My fix was to add: `mkdir -p /etc/ssl/certs/ && update-ca-certificates --fresh` and that solved it. |
It's just a warning, the certificates are correctly added, explanation: 'update-ca-certificates' generates a file called 'ca-certificates.crt' with all certs inside. In this particular distro somehow it tries to add ca-certificates.crt into itself but since it has more than one cert it can't... thus showing the warning. |
I temporarily solved the issue with |
Having a warning like that for such a sensitive operation is a bad thing. This is an error message bug and should be re-opened as such. |
@andyshinn you should reopen this issue, since this error is not present in other distributions. Minimal (not) working example:
```dockerfile
FROM alpine:3.8
RUN apk add --update --no-cache \
    ca-certificates \
    openssl
WORKDIR /app
# generate CA key
RUN openssl genrsa \
    -out ca.key \
    2048
# generate CA root cert
COPY ./ca.conf ./ca.conf
RUN openssl req \
    -x509 \
    -new \
    -days 3650 \
    -nodes \
    -sha256 \
    -batch \
    -config ca.conf \
    -key ca.key \
    -out ca.crt \
    && mkdir -p /usr/local/share/ca-certificates/acme \
    && cp ca.crt /usr/local/share/ca-certificates/acme/acme.crt \
    && update-ca-certificates
# inspect generated CA root cert
RUN openssl x509 -noout -text -in ca.crt
```
The error you get during build of the image is:
When you change to |
@srigi @andyshinn I'm having the same exact problem. "Cannot copy to bundle" when mounting a folder in ca-certificates which contains a single certificate file which contains only a single certificate. |
Is this problem solved? |
I have the same problem :( |
Problem is still present even in latest |
For me it works when I put the certificate directly in |
I finally found a solution, it's pretty nasty and I spent three hours trying to understand what was going on. TLDR; For some reason (that may or may not be legit, I don't know enough about alpine) the certificates are stored in two god damn locations:
On the other hand curl uses the well-known /etc/ssl/certs/ca-certificates.crt file... Hope it can help some of you. PS: I've done my testing using this alpine based docker image. |
Please reopen this issue. The issue is definitely there. How can you close this without even verifying? |
FYI, this is working for me on alpine:3.12:
Apparently, you can't have your own certs in a different directory or sub-directory according to this article. Good luck! |
Hey, I just ended up here trying to fix Also,
```dockerfile
RUN update-ca-certificates \
    && rm /etc/ssl/cert.pem \
    && ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
```
|
Hi all,
with the last version of docker image, it's impossible to add a new CA file.
Have fun,
Thanks.
PS: Related to closed issue: #30