'Docker Build using CA Trust Bundle from Host
Given a simple Dockerfile that installs from something from the net, I'm trying to work out an elegant way to allow the build process to trust HTTPS endpoints when the build is both behind a corporate proxy and when it is not. Ideally without making changes to the Dockerfile.
Dockerfile:
FROM alpine
RUN apk update -v; apk add -v curl
Error:
$ docker build .
Sending build context to Docker daemon 83.97kB
Step 1/2 : FROM alpine
---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
curl (no such package):
required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1
The issue here is that my developer machine is on the corporate network behind a traffic-intercepting proxy that man-in-the-middles the connection meaning from apk's point of view inside the Docker build, it is seeing a cert which has been signed by our proxy that it doesn't trust.
Trust from the host machine is not an issue - when I wget the file requested in the build it works:
$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59-- https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’
When I run it on the build server it passes fine cause no forward proxy.
Is there a way to pass in the Ubuntu trust bundle which has the proxy CA's (e.g. /etc/ssl/certs/ca-certificates) to the build process without modifying the Dockerfile?
Thanks!
Solution 1:[1]
Create a file named repositories in your local docker build context directory with the following content:
http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community
In your docker build file, before RUN apk update, add the following line:
COPY repositories /etc/apk/repositories
Solution 2:[2]
FROM abdennour/alpine:3.14-ssl
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
EXPLAINED!
Request the CA certificate from the team who purchased the SSL Certificates. Tell them provide me the certificate file "*.der"
Got it ? convert it to .cert file
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
But this requires to have openssl ca-certificates packages in the image.
And because you can't install anything, then you can rely on alpine image which includes at least these two packages, like my base image:
FROM abdennour/alpine:3.14-ssl
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ryan M |
| Solution 2 | Abdennour TOUMI |