HTTPS in Alpine linux
Alpine Linux is a great Linux system (well, I am liking it more and more). It is minimal, very simple to use and learn, and in my experience, just works in ways that are important to me.
However, the trade-off for minimal is needing to add what you want to use.
An example of this is proper support for HTTPS/SSL with wget (or curl, etc), see here:
```
ᐅ docker run -it alpine /bin/sh
/ # wget -q https://github.com
wget: can't execute 'ssl_helper': No such file or directory
wget: error getting response: Connection reset by peer
```
Yes, you could use wget --no-check-certificate (or --insecure with curl), but we're more diligent than that.
Fortunately, this is easy to resolve. While many Linux systems ship with packages like ca-certificates and openssl, Alpine doesn't, so you need to add either one of those two.
```
ᐅ docker run -it alpine /bin/sh
/ # apk add --update ca-certificates wget
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/2) Installing ca-certificates (20161130-r0)
(2/2) Installing wget (1.18-r0)
Executing busybox-1.24.2-r12.trigger
Executing ca-certificates-20161130-r0.trigger
OK: 6 MiB in 13 packages
```
HTTPS should now work just fine:
Note that installing ca-certificates (without including wget) won't work:
```
ᐅ docker run -it alpine /bin/sh
/ # apk add --update ca-certificates
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/1) Installing ca-certificates (20161130-r0)
Executing busybox-1.24.2-r12.trigger
Executing ca-certificates-20161130-r0.trigger
OK: 6 MiB in 13 packages
/ #
/ # wget -q https://github.com
wget: can't execute 'ssl_helper': No such file or directory
wget: error getting response: Connection reset by peer
```
I’m still relatively new to Alpine, and otherwise not sure why (re)installing wget is needed here.
Interestingly, installing openssl will avoid the need to (re)install wget:
```
ᐅ docker run -it alpine /bin/sh
/ # apk add --update openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/1) Installing openssl (1.0.2k-r0)
Executing busybox-1.24.2-r12.trigger
OK: 5 MiB in 12 packages
/ # wget -q https://github.com
/ #
```
How to add trusted root ca to docker alpine?
Docker is a popular platform for deploying and managing containers. When running applications within a Docker container, it’s important to ensure the container is running in a secure environment. One way to achieve this is by configuring the Docker container to trust a custom root Certificate Authority (CA).
Method 1: Add CA certificate to the Docker image
To add a trusted root CA to a Docker Alpine image, you can follow these steps:
```dockerfile
FROM alpine:latest
RUN apk add --no-cache ca-certificates
COPY certs/ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
```
This will add the CA certificate to the Docker Alpine image and update the system trust store, so that any application running in the container can use the certificate for secure communication.
Note that the above Dockerfile assumes that the CA certificate file is named ca.crt and located in the certs/ directory. You may need to adjust the paths and file names according to your specific setup.
Method 2: Use environment variables to add CA certificate at runtime
To add a trusted root CA to Docker Alpine, you can use an environment variable to point clients at the CA certificate at runtime. Here are the steps to do this:
- Create a directory to store the CA certificate. For example, let's create a directory called certs in the root directory and place ca.crt in it. The Dockerfile copies that file into the image so that the path named by SSL_CERT_FILE actually exists:
```dockerfile
FROM alpine
# Install the ca-certificates package
RUN apk add --no-cache ca-certificates
# Copy the CA certificate into the image at the path SSL_CERT_FILE will name
COPY certs/ca.crt /certs/ca.crt
# Set the environment variable to add the CA certificate
ENV SSL_CERT_FILE=/certs/ca.crt
```
SSL_CERT_FILE is read by OpenSSL-based clients such as curl and the openssl command and overrides their default bundle file, so the file it names should contain every CA those clients must trust, not only the custom one. Clients that do not consult OpenSSL's default locations ignore it; Method 1 and Method 3 add the certificate to the system trust store instead, which covers every client. The system bundle itself can be inspected with:
```
cat /etc/ssl/certs/ca-certificates.crt
```
That's it! You have successfully added a trusted root CA to Docker Alpine using environment variables.
Method 3: Mount a volume with the CA certificate at runtime
To add a trusted root CA to Docker alpine, you can mount a volume with the CA certificate at runtime. Here are the steps to do it:
- Create a directory on your host machine to store the CA certificate. For example, you can create a directory named ca-certificates in your home directory.
- Copy the CA certificate to the ca-certificates directory. For example, you can copy the my-ca.crt file to the directory.
```
cp my-ca.crt ~/ca-certificates/
```
- Start the Docker container with the --volume option to mount the ca-certificates directory as a volume in the container, then install the ca-certificates package and rebuild the trust store inside the container.
```
docker run --rm -it --volume ~/ca-certificates:/usr/local/share/ca-certificates alpine:latest
```
```
apk add --no-cache ca-certificates
update-ca-certificates
```
- Verify that the CA certificate is added to the trusted root CAs by running the openssl command.
```
apk add --no-cache openssl
openssl s_client -connect example.com:443 -CApath /etc/ssl/certs
```
That’s it! You have successfully added a trusted root CA to Docker alpine by mounting a volume with the CA certificate at runtime.
How to add trusted root CA to Docker alpine
Suppose I am at a network where there is a MITM SSL-swapping firewall (google.com is not issued by Google, but reissued by a custom CA root authority); some more details here: https://security.stackexchange.com/questions/107542/is-it-common-practice-for-companies-to-mitm-https-traffic. I have a simple Dockerfile:
```dockerfile
FROM alpine:latest
RUN apk --no-cache add curl
```
```
=> ERROR [2/2] RUN apk --no-cache add curl                                 1.0s
------
 > [2/2] RUN apk --no-cache add curl:
#5 0.265 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.647 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.649 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.649 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.938 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.940 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.941 ERROR: unable to select packages:
#5 0.942   curl (no such package):
#5 0.942     required by: world[curl]
------
executor failed running [/bin/sh -c apk --no-cache add curl]: exit code: 1
```
Every tutorial on the Internet says that I can add my own «trusted» root certificate and run update-ca-certificates. But it can be added by «apk add» only. This situation seems to me like a «chicken-and-egg» problem.
```dockerfile
FROM alpine:latest
USER root
RUN apk --no-cache add ca-certificates \
    && update-ca-certificates
```
```
=> ERROR [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates   1.0s
------
 > [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates:
#5 0.269 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.662 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.663 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.663 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.929 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.931 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.932 ERROR: unable to select packages:
#5 0.933   ca-certificates (no such package):
#5 0.933     required by: world[ca-certificates]
------
executor failed running [/bin/sh -c apk --no-cache add ca-certificates && update-ca-certificates]: exit code: 1
```
Is there some other solution for how to install the update-ca-certificates tool? Or am I missing something? Thx
See @kthompso's answer for a working solution.
Working solution (with the update-ca-certificates command) based on @kthompso's answer and info from "unable to add certificates to alpine linux container":
```dockerfile
FROM alpine:latest
USER root
# To be able to download `ca-certificates` with `apk add` command
COPY my-root-ca.crt /root/my-root-ca.crt
RUN cat /root/my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt
# Add again root CA with `update-ca-certificates` tool
RUN apk --no-cache add ca-certificates \
    && rm -rf /var/cache/apk/*
COPY my-root-ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
RUN apk --no-cache add curl
```
Edit: One solution I have in mind is to use the curl docker image with the -k option, download the .apk with those certificates and tools, install it as a local file, add my root CA certificate and run update-ca-certificates. It sounds super crazy, so I think there has to be a better solution 🙂
How to add CA root certification (self-signed) #260
I have self-signed CA root certification, and I try to add this to my custom alpine docker.
```dockerfile
FROM alpine:3.4

# Install Self-signed Root CA
ADD cert/* /tmp/cert/
RUN apk add --no-cache ca-certificates && \
    mkdir /usr/share/ca-certificates/extra && \
    cp -R /tmp/cert/* /usr/share/ca-certificates/extra/ && \
    update-ca-certificates
```
After building the container, I try to find out whether my certificate was installed properly with the following command, but I couldn't find my certificate.
```
cat /etc/sslca-certificates.crt | grep CwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBDQUAA4IBAQAfcevn
```
(part of my cert)
Should I edit the /etc/ca-certificates.conf file before update-ca-certificates?
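An added check, not part of the issue above or of the Stack Overflow answer further up, covering the two bundle operations this page relies on: the `cat my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt` step, and verifying that a certificate really is in the bundle. It works on SHA-256 fingerprints of the decoded DER rather than on a base64 substring, so a fragment that straddles a line break (PEM files are often rewrapped at a different width) cannot produce a false negative the way the grep above can, and the append is idempotent. All certificate data below is a constructed placeholder, not real X.509.

```python
import base64
import hashlib
import re

# One PEM certificate block, BEGIN/END lines included.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM text.
    The base64 body is decoded first, so the same certificate wrapped at
    64 or 76 columns yields the same fingerprint."""
    fps = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def cert_in_bundle(cert_pem, bundle_pem):
    """True if the single certificate in cert_pem is present in bundle_pem."""
    wanted = der_fingerprints(cert_pem)
    if len(wanted) != 1:
        raise ValueError("cert_pem must contain exactly one certificate")
    return wanted[0] in der_fingerprints(bundle_pem)


def append_ca_if_missing(bundle_pem, cert_pem):
    """Idempotent version of `cat my-root-ca.crt >> ca-certificates.crt`."""
    if cert_in_bundle(cert_pem, bundle_pem):
        return bundle_pem
    sep = "" if not bundle_pem or bundle_pem.endswith("\n") else "\n"
    return bundle_pem + sep + cert_pem.strip() + "\n"


def fake_pem(der_bytes, width=64):
    """Constructed placeholder: wraps arbitrary bytes in PEM framing.
    Real certificates are DER-encoded X.509; this only mimics the layout."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: the "corporate root" is wrapped at 64 columns in the
# file copied into the image, but at 76 columns inside the system bundle.
CORP_ROOT_DER = bytes(range(189))                  # placeholder, not a real DER
CORP_ROOT_PEM = fake_pem(CORP_ROOT_DER, 64)
BUNDLE_PEM = fake_pem(bytes(range(255, 75, -1))) + fake_pem(CORP_ROOT_DER, 76)
# A fragment copied from line 2 of CORP_ROOT_PEM: grepping the bundle for it
# fails (it straddles a line break there) although the certificate is present.
FRAGMENT = base64.b64encode(CORP_ROOT_DER).decode()[70:80]
```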