unable to add certificates to alpine linux container

I have a small Python app inside an Alpine Linux container. Here is the Dockerfile:

FROM alpine

# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
    && pip2 install --upgrade pip \
    && pip2 install flask

# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py

# app dir
RUN mkdir ${APP_DIR} \
    && chown -R nginx:nginx ${APP_DIR} \
    && chmod 777 /run/ -R \
    && chmod 777 /root/ -R
# shell form: "[${APP_DIR}]" is not valid JSON, so Docker would otherwise
# create a volume literally named "[/app]"
VOLUME ${APP_DIR}
WORKDIR ${APP_DIR}

# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
# key.pem is a private key, not a CA certificate; update-ca-certificates only
# reads certificates from this directory and skips this file
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates

COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]

This worked fine 2 weeks ago, but when I tried to rebuild it recently I got this error:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping

So I checked those files, and found that for some reason the file ca-certificates.crt now has a chain of certificates. I found this on Stack Overflow:

/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.

But what changed? Why is this now a problem? So I tried reverting to an older version of Alpine Linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running

RUN update-ca-certificates

many certificates appear. Help?

Gil Zellner asked Sep 16 '18 14:09



2 Answers

I think the below worked for me (I was adding a root certificate on the blackfire/blackfire image, which extends from alpine):

# "&& mkdir -p" is needed here: without it, mkdir and the path become extra
# arguments to rm and the extra/ directory is never created
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* \
  && mkdir -p /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra/
RUN update-ca-certificates

I then logged into that VM and saw it has added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe I heard it takes each cert file from inside /usr/local/share/ca-certificates and merges it into the /etc/ssl/certs/ca-certificates.crt file).

Now you will probably get that 'does not contain exactly one certificate or CRL: skipping' error, but I heard that is fine.

https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."

https://github.com/gliderlabs/docker-alpine/issues/52 mentions: "The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."

armyofda12mnkeys answered Oct 08 '22 06:10

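Added example, not code from the question or either answer: a POSIX shell check of the directory update-ca-certificates reads, run before that step in the image. It flags files that would produce the warning above (more than one certificate per file, which is what ca-certificates.crt looks like) and a private key copied into the CA directory, as the question's Dockerfile does with key.pem. The function names and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answers): audit the directory
# that update-ca-certificates reads before running it in the image.
# Each file under /usr/local/share/ca-certificates must hold exactly one
# certificate. A multi-cert bundle (what ca-certificates.crt is) triggers the
# "does not contain exactly one certificate or CRL: skipping" warning, and a
# private key there is a secret in the wrong place, as with key.pem in the
# question's Dockerfile. Plain POSIX sh + grep, no openssl needed.
# The function names and the sample directory below are constructed for the demo.

count_markers() {  # count_markers FILE PATTERN -> number of matching lines
    n=$(grep -c -- "$2" "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Prints "<status> <file>" per file (ok, bundle, empty, private-key).
# Returns 1 if any file is not ok.
audit_ca_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        certs=$(count_markers "$f" '^-----BEGIN CERTIFICATE-----$')
        keys=$(count_markers "$f" '^-----BEGIN .*PRIVATE KEY-----$')
        if [ "$keys" -gt 0 ]; then status=private-key
        elif [ "$certs" -eq 1 ]; then status=ok
        elif [ "$certs" -eq 0 ]; then status=empty
        else status=bundle
        fi
        [ "$status" = ok ] || bad=1
        printf '%s %s\n' "$status" "$(basename "$f")"
    done
    return "$bad"
}

# Constructed sample directory mirroring the COPY lines in the question
# (fake PEM bodies; only the BEGIN/END markers matter to this check).
make_sample_dir() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...demo...\n-----END CERTIFICATE-----\n' > "$d/mycert.pem"
    cat "$d/mycert.pem" "$d/mycert.pem" > "$d/ca-certificates.crt"   # two certs = bundle
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...demo...\n-----END RSA PRIVATE KEY-----\n' > "$d/mykey.pem"
    printf '%s\n' "$d"
}

# Demo run: expect bundle/ok/private-key lines and a non-zero status.
sample=$(make_sample_dir)
audit_ca_dir "$sample" || echo "fix the files above before RUN update-ca-certificates"
rm -rf "$sample"
```

Point it at your build context's CA directory (audit_ca_dir ./certs) in CI so a stray key or bundle fails the build instead of surfacing as a warning from update-ca-certificates.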


In my case, I had to execute update-ca-certificates before adding any package. But it fails if /etc/ssl/certs/ doesn't exist.

So I added RUN mkdir -p /etc/ssl/certs/ && update-ca-certificates to my Dockerfile before the RUN apk add ....

Daniel Marcos Fragoso de Souza answered Oct 08 '22 06:10
