Impossible to add new CA file #52

Closed
Ducatel opened this issue Jul 23, 2015 · 22 comments

@Ducatel

Ducatel commented Jul 23, 2015

Hi all,
with the latest version of the docker image, it's impossible to add a new CA file.

apk update && apk add curl ca-certificates \
&& curl https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem -o /usr/local/share/ca-certificates/GandiStandardSSLCA2.crt \
&& update-ca-certificates
WARNING: ca-cert-GandiStandardSSLCA2.pem does not contain exactly one certificate or CRL: skipping

Have fun,
Thanks.

PS: Related to closed issue #30

@sirlatrom

I can confirm this using Docker image alpine:3.2. Also the case with alpine:edge.

@andyshinn
Contributor

The error is valid and is telling you the problem: the CA is not one certificate. You need to explicitly trust everything in the chain. If you trust the entire chain, can you try breaking the certs up into two files (one cert in each file)?

@micahlmartin

@andyshinn I'm not sure I understand how to fix it. What are you suggesting?

@andyshinn
Contributor

The file that is being added contains two certificates. It needs to be one certificate per file. If you have the same error, try looking at the file being added to see if it is two certificates. If it is, break them up into two separate files and try adding both those files instead of one.

@rschmukler

Just confirming that the issue is in place and repeatable simply by running the following Dockerfile...

Edit: actually, upon looking at it, it looks like this might be a different issue haha. Specifically, it looks like I am still seeing the behavior in #30

FROM alpine:3.2
RUN apk add --update ca-certificates && \
    rm -rf /var/cache/apk/* /tmp/*

RUN update-ca-certificates

@andyshinn
Contributor

What is the problem with that Dockerfile? It works as expected for me. The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself).

@cusspvz

cusspvz commented Nov 12, 2015

Same here with alpine:edge

@andyshinn
Contributor

Closing until someone can give me a better way to reproduce. The warning shown is normal. CA certificate files can only have one certificate in them.

@cusspvz

cusspvz commented Dec 2, 2015

I was experiencing this issue on a repo we have. My fix was to add:

mkdir -p /etc/ssl/certs/ && update-ca-certificates --fresh

And it solved it.

@enbits

enbits commented Oct 10, 2016

It's just a warning; the certificates are correctly added. Explanation:

'update-ca-certificates' generates a file called 'ca-certificates.crt' with all certs inside. In this particular distro it somehow tries to add ca-certificates.crt into itself, but since it has more than one cert it can't... thus showing the warning.

@dcrystalj

dcrystalj commented Apr 10, 2017

I temporarily solved the issue with git config --global http.sslverify "false" for all git clone errors.

@CharlieReitzel

Having a warning like that for such a sensitive operation is a bad thing. This is an error message bug and should be re-opened as such.

@srigi

srigi commented Aug 21, 2018

@andyshinn you should reopen this issue, since this error is not present in other distributions. Minimal (not) working example:

Dockerfile

FROM alpine:3.8

RUN apk add --update --no-cache \
		ca-certificates \
		openssl

WORKDIR /app

# generate CA key
RUN openssl genrsa \
		-out ca.key \
		2048

# generate CA root cert
COPY ./ca.conf ./ca.conf
RUN openssl req \
		-x509 \
		-new \
		-days 3650 \
		-nodes \
		-sha256 \
		-batch \
		-config ca.conf \
		-key ca.key \
		-out ca.crt \
	&& mkdir -p /usr/local/share/ca-certificates/acme \
	&& cp ca.crt /usr/local/share/ca-certificates/acme/acme.crt \
	&& update-ca-certificates

# inspect generated CA root cert
RUN openssl x509 -noout -text -in ca.crt

ca.conf

[req]
distinguished_name  = subject
string_mask         = utf8only

[subject]
countryName                 = Country Name (2 letter code)
countryName_default         = CZ
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Czechia
localityName                = Locality Name (eg, city)
localityName_default        = Prague
organizationName            = Organization Name (eg, company)
organizationName_default    = Acme
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = acme.com
emailAddress                = Email Address
emailAddress_default        = john.doe@acme.com

The error you get during build of the image is:

Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/acme
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-acme.pem does not contain exactly one certificate or CRL: skipping

When you change to FROM debian and install ca-certificates & openssl via apt, the error disappears and everything is OK. Please note the different content of /etc/ssl/certs between the two. In the case of alpine our certificate is not symlinked correctly.

@jonahbron

@srigi @andyshinn I'm having the same exact problem. "Cannot copy to bundle" when mounting a folder in ca-certificates which contains a single certificate file which contains only a single certificate.

@liuliqiang

Has this problem been solved?

@msaeedm

msaeedm commented Aug 30, 2019

I have the same problem :(

@srigi

srigi commented Sep 26, 2019

Problem is still present even in latest alpine:3.10.
Problem is not present in debian:stable.

@boyeln

boyeln commented Oct 9, 2019

For me it works when I put the certificate directly in /usr/local/share/ca-certificates (no sub directory), as suggested here.

@anthonyraymond

anthonyraymond commented Dec 3, 2019

I finally found a solution; it's pretty nasty and I spent three hours trying to understand what was going on.

TLDR;
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem

For some reason (that may or may not be legit, I don't know enough about alpine) the certificates are stored in two god damn locations:
  • /etc/ssl/certs/ca-certificates.crt, the file updated by the update-ca-certificates command (the warning is not relevant)
  • /etc/ssl/cert.pem, the file updated by god knows what!

wget and some other tools seem to use the /etc/ssl/cert.pem file as their trusted store....

On the other hand curl uses the well known /etc/ssl/certs/ca-certificates.crt file...

Hope it can help some of you

PS: I've done my testing using this alpine based docker image.

@msaurabhee

Please reopen this issue. The issue is definitely there. How can you close this without even verifying?

@VojtechVitek

FYI, this is working for me on alpine:3.12:

FROM alpine:3.12

RUN apk add --no-cache --update ca-certificates
COPY my-own-custom-ca-certificates/*.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

Apparently, you can't have your own certs in a different directory or sub-directory according to this article.

Good luck!

@nicocti

nicocti commented Mar 10, 2021

Hey, I just ended up here trying to fix Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/acme which was not the original purpose of the issue discussed here. For those in my position, alpine does not allow custom certificates to be added in subdirectories like /usr/local/share/ca-certificates/xxx but requires them to be added directly in /usr/local/share/ca-certificates.

Also, busybox uses a custom certificates bundle (or at least used to) so you'll need to replace it with alpine's if you want to use wget for instance, like so:

RUN update-ca-certificates \
    && rm /etc/ssl/cert.pem \
    && ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
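A pre-flight check for the two pitfalls that run through this thread (one certificate per file, as andyshinn asked for above, and no subdirectories under /usr/local/share/ca-certificates, as in the comment above). This is added example code, not part of the alpine image or of any commenter's setup; the PEM files it builds are constructed placeholders, not real certificates, and the directory to check is passed as a parameter.

```shell
# Added example, not part of the alpine image: pre-flight checks to run before
# update-ca-certificates, covering the two pitfalls raised in this thread:
#  1. a file in /usr/local/share/ca-certificates must hold exactly one PEM
#     certificate, otherwise it is skipped ("does not contain exactly one ...");
#  2. files inside a subdirectory are not copied ("Cannot copy to bundle").
# Number of PEM certificate blocks in a file (0 for a non-PEM or empty file).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a multi-certificate file into PREFIX-1.crt, PREFIX-2.crt, ... with one
# certificate each, which is the fix suggested earlier in the thread.
split_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".crt" }
        n > 0 { print > out }' "$1"
}

# Return 0 when every entry directly in DIR is a one-certificate file;
# otherwise print one line per problem and return 1.
check_ca_dir() {
    dir=$1; status=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue                     # empty directory
        if [ -d "$entry" ]; then
            echo "SUBDIR   $entry: not copied to the bundle, move its files to $dir"
            status=1; continue
        fi
        n=$(count_pem_certs "$entry")
        if [ "$n" -ne 1 ]; then
            echo "BADCOUNT $entry: $n certificates, expected 1 (see split_bundle)"
            status=1
        fi
    done
    return "$status"
}
# Constructed sample data: placeholder PEM bodies, not real certificates.
fake_cert() {
    printf '%s\nPLACEHOLDER-%s\n%s\n' \
        '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

demo() {
    tmp=$(mktemp -d)
    fake_cert good > "$tmp/good.crt"
    { fake_cert a; fake_cert b; } > "$tmp/chain.crt"      # two certs: skipped
    mkdir "$tmp/acme"; fake_cert c > "$tmp/acme/acme.crt"  # subdirectory: not copied
    check_ca_dir "$tmp" || echo "fix the items above, then run update-ca-certificates"
    rm -rf "$tmp"
}
demo
```

In an image build, run check_ca_dir against /usr/local/share/ca-certificates before update-ca-certificates so a skipped file fails the build instead of surfacing as the warning discussed here.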
