Impossible to add new CA file
Ducatel opened this issue · 22 comments
Hi all,
with the last version of docker image, it's impossible to add a new CA file.
# apk has no "install" subcommand; "add" is what installs packages
apk update && apk add curl ca-certificates \
&& curl https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem -o /usr/local/share/ca-certificates/GandiStandardSSLCA2.crt \
&& update-ca-certificates
/# WARNING: ca-cert-GandiStandardSSLCA2.pem does not contain exactly one certificate or CRL: skipping
Have fun,
Thanks.
PS: Related to closed issue : #30
I can confirm this using Docker image alpine:3.2. Also the case with alpine:edge.
The error is valid and is telling you the problem, the CA is not one certificate. You need to explicitly trust everything in the chain. If you trust the entire chain, can you try breaking the certs up in to two files (one cert in each file)?
@andyshinn I'm not sure I understand how to fix it. What are you suggesting?
The file that is being added contains two certificates. It needs to be one certificate per file. If you have the same error, try looking at the file being added to see if it is two certificates. If it is, break them up into two separate files and try adding both those files instead of one.
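The split andyshinn describes, as an added example that is not code from the thread or from Alpine's ca-certificates package: a POSIX shell script that cuts a multi-certificate PEM file into one certificate per file and then re-checks a directory for any file update-ca-certificates would skip with the "does not contain exactly one certificate or CRL" warning. The file name GandiStandardSSLCA2.crt is taken from the opening post; the certificate bodies in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the issue thread: split a PEM bundle into
# one certificate per file, which is what update-ca-certificates expects,
# and check a directory for files it would skip with the
# "does not contain exactly one certificate or CRL" warning.
set -eu

# count_pem_objects FILE: number of certificate or CRL PEM blocks in FILE.
count_pem_objects() {
    grep -c -E '^-----BEGIN (X509 )?(CERTIFICATE|CRL)-----' "$1" || true
}

# split_pem_bundle BUNDLE OUTDIR NAME: write OUTDIR/NAME-1.crt, NAME-2.crt, ...
# with one PEM block each (text outside the blocks is dropped) and print
# the number of files written.
split_pem_bundle() {
    bundle=$1; outdir=$2; name=$3
    mkdir -p "$outdir"
    awk -v outdir="$outdir" -v name="$name" '
        /^-----BEGIN / { n++; out = sprintf("%s/%s-%d.crt", outdir, name, n); inblock = 1 }
        inblock        { print > out }
        /^-----END /   { close(out); inblock = 0 }
        END            { print n + 0 }
    ' "$bundle"
}

# check_one_per_file DIR: warn about every .crt in DIR that does not hold
# exactly one block; returns 1 if update-ca-certificates would skip any.
check_one_per_file() {
    rc=0
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        c=$(count_pem_objects "$f")
        if [ "$c" -ne 1 ]; then
            echo "WARNING: $f holds $c certificates/CRLs; update-ca-certificates would skip it" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed two-certificate chain. The bodies are placeholders,
# not real certificates; the split only looks at the BEGIN/END markers.
demo=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderRootCA==' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderIntermediate==' '-----END CERTIFICATE-----' \
    > "$demo/GandiStandardSSLCA2.crt"
check_one_per_file "$demo" || echo "as downloaded, the file would be skipped"
split_pem_bundle "$demo/GandiStandardSSLCA2.crt" "$demo/split" GandiStandardSSLCA2
check_one_per_file "$demo/split" && echo "each split file now holds exactly one certificate"
```

Copy the split files into /usr/local/share/ca-certificates/ (top level, .crt suffix) and run update-ca-certificates again; only add an intermediate this way if you really intend to trust it as an anchor, since the thread's point is that every file in that directory becomes a trusted CA.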
Just confirming that the issue is in place and repeatable simply by running the following Dockerfile...
Edit: actually, upon looking at it, it looks like this might be a different issue, haha. Specifically, it looks like I am still seeing the behavior in #30
FROM alpine:3.2
RUN apk add --update ca-certificates && \
rm -rf /var/cache/apk/* /tmp/*
RUN update-ca-certificates
What is the problem with that Dockerfile? It works as expected for me. The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself).
Same here with alpine:edge
Closing until someone can give me a better way to reproduce. The warning shown is normal. CA certificate files can only have one certificate in them.
I was experiencing this issue on a repo we have. My fix was to add:
mkdir -p /etc/ssl/certs/ && update-ca-certificates --fresh
And that solved it.
It's just a warning, the certificates are correctly added. Explanation:
update-ca-certificates generates a file called ca-certificates.crt with all certs inside. In this particular distro it somehow tries to add ca-certificates.crt into itself, but since it has more than one cert it can't, thus showing the warning.
I temporarily solved the issue with git config --global http.sslverify "false" for all git clone errors.
Having a warning like that for such a sensitive operation is a bad thing. This is an error message bug and should be re-opened as such.
@andyshinn you should reopen this issue, since this error is not present in other distributions. Minimal (not) working example:
Dockerfile
FROM alpine:3.8
RUN apk add --update --no-cache \
ca-certificates \
openssl
WORKDIR /app
# generate CA key
RUN openssl genrsa \
-out ca.key \
2048
# generate CA root cert
COPY ./ca.conf ./ca.conf
RUN openssl req \
-x509 \
-new \
-days 3650 \
-nodes \
-sha256 \
-batch \
-config ca.conf \
-key ca.key \
-out ca.crt \
&& mkdir -p /usr/local/share/ca-certificates/acme \
&& cp ca.crt /usr/local/share/ca-certificates/acme/acme.crt \
&& update-ca-certificates
# inspect generated CA root cert
RUN openssl x509 -noout -text -in ca.crt
ca.conf
[req]
distinguished_name = subject
string_mask = utf8only
[subject]
countryName = Country Name (2 letter code)
countryName_default = CZ
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Czechia
localityName = Locality Name (eg, city)
localityName_default = Prague
organizationName = Organization Name (eg, company)
organizationName_default = Acme
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = acme.com
emailAddress = Email Address
emailAddress_default = john.doe@acme.com
The error you get during build of the image is:
Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/acme
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-acme.pem does not contain exactly one certificate or CRL: skipping
When you change to FROM debian and install ca-certificates & openssl via apt, the error disappears and everything is OK. Please note the different content of /etc/ssl/certs between the two. In the case of Alpine our certificate is not symlinked correctly.
@srigi @andyshinn I'm having the same exact problem. "Cannot copy to bundle" when mounting a folder in ca-certificates which contains a single certificate file which contains only a single certificate.
Has this problem been solved?
I have the same problem :(
Problem is still present even in latest alpine:3.10.
Problem is not present in debian:stable.
For me it works when I put the certificate directly in /usr/local/share/ca-certificates (no sub directory), as suggested here.
I finally found a solution. It's pretty nasty and I spent three hours trying to understand what was going on.
TLDR;
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
For some reason (that may or may not be legit, I don't know enough about Alpine) the certificates are stored in two god damn locations:
- /etc/ssl/certs/ca-certificates.crt, the file updated by the update-ca-certificates command (the warning is not relevant)
- /etc/ssl/cert.pem, the file updated by god knows what!
wget and some other tools seem to use the /etc/ssl/cert.pem file as their trusted store....
On the other hand curl uses the well known /etc/ssl/certs/ca-certificates.crt file...
Hope it can help some of you
PS: I've done my testing using this alpine based docker image.
Please reopen this issue. The issue is definitely there. How can you close this without even verifying?
FYI, this is working for me on alpine:3.12:
FROM alpine:3.12
RUN apk add --no-cache --update ca-certificates
COPY my-own-custom-ca-certificates/*.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
Apparently, you can't have your own certs in a different directory or sub-directory according to this article.
Good luck!
Hey, I just ended up here trying to fix Warning! Cannot copy to bundle: /usr/local/share/ca-certificates/acme, which was not the original purpose of the issue discussed here. For those in my position, Alpine does not allow adding custom certificates in subdirectories such as /usr/local/share/ca-certificates/xxx but requires them to be added directly in /usr/local/share/ca-certificates.
Also, busybox uses a custom certificates bundle (or at least used to), so you'll need to replace it with Alpine's if you want to use wget, for instance, like so:
RUN update-ca-certificates \
&& rm /etc/ssl/cert.pem \
&& ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
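Rather than switching verification off (the git http.sslverify workaround earlier in the thread), a practitioner wants to know whether the CA actually ended up in the bundle each tool reads. The following is an added example, not code from the thread or from Alpine: it checks a certificate's presence in /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem (the two locations the comments above found curl and wget disagreeing on) by comparing the base64 body, and lists .crt files sitting in subdirectories of the source directory, which the thread reports Alpine ignores. The default paths, the function names and the demo's placeholder certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue thread: instead of turning off
# verification (git http.sslverify=false), check that a CA really landed in
# the bundle(s) your tools read. The default bundle paths are the two the
# thread found tools disagreeing on (/etc/ssl/certs/ca-certificates.crt for
# curl, /etc/ssl/cert.pem for busybox wget); they are assumptions, pass your
# own paths as arguments.
set -eu

# pem_body FILE: base64 body of the first PEM block in FILE, joined into one
# line, so the same certificate compares equal whatever the line wrapping
# or the text around it (subject= lines, Bag Attributes, ...).
pem_body() {
    awk '/^-----BEGIN /{inb=1; next} /^-----END /{exit} inb' "$1" | tr -d ' \r\n'
}

# bundle_bodies BUNDLE: one joined body per PEM block in BUNDLE.
bundle_bodies() {
    awk '
        /^-----BEGIN / { inb = 1; body = ""; next }
        /^-----END /   { if (inb) print body; inb = 0; next }
        inb            { gsub(/[ \r]/, ""); body = body $0 }
    ' "$1"
}

# cert_in_bundle CERT BUNDLE: exit 0 if CERT's body appears in BUNDLE.
cert_in_bundle() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 2
    bundle_bodies "$2" | grep -qxF -- "$want"
}

# check_trust CERT [BUNDLE ...]: report whether CERT is in each bundle;
# returns 1 if it is missing from any of them.
check_trust() {
    cert=$1; shift
    [ $# -gt 0 ] || set -- /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
    rc=0
    for b in "$@"; do
        if [ ! -f "$b" ]; then
            echo "$b: no such file"; rc=1
        elif cert_in_bundle "$cert" "$b"; then
            echo "$b: contains $(basename "$cert")"
        else
            echo "$b: does NOT contain $(basename "$cert")"; rc=1
        fi
    done
    return "$rc"
}

# misplaced_certs DIR: .crt files in subdirectories of DIR. Per the thread,
# Alpine's update-ca-certificates only reads files placed directly in
# /usr/local/share/ca-certificates, so these are ignored ("Cannot copy to bundle").
misplaced_certs() {
    find "$1" -mindepth 2 -type f -name '*.crt'
}

# Demo on constructed files with placeholder bodies (not real certificates):
# the generated bundle has the CA (wrapped differently), the stale cert.pem
# does not, and one copy sits in a subdirectory.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderAcme' 'RootCA==' '-----END CERTIFICATE-----' > "$d/acme.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsomeOtherCA==' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderAcmeRootCA==' '-----END CERTIFICATE-----' > "$d/ca-certificates.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBsomeOtherCA==' '-----END CERTIFICATE-----' > "$d/cert.pem"
check_trust "$d/acme.crt" "$d/ca-certificates.crt" "$d/cert.pem" \
    || echo "bundles disagree; point /etc/ssl/cert.pem at /etc/ssl/certs/ca-certificates.crt"
mkdir -p "$d/ca-certificates/acme" && cp "$d/acme.crt" "$d/ca-certificates/acme/"
misplaced_certs "$d/ca-certificates"
```

In an image, run check_trust /usr/local/share/ca-certificates/acme.crt as a build step right after update-ca-certificates so the build fails when the CA is not in both bundles; the symlink from the comment above is what brings busybox wget in line with curl, and misplaced_certs /usr/local/share/ca-certificates catches the subdirectory mistake before it turns into a silent "Cannot copy to bundle".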