gliderlabs/docker-alpine

"apk add" fails certificate validation

rchekaluk opened this issue · 1 comment

This Dockerfile:

FROM gliderlabs/alpine:3.7
RUN apk add --update curl

is now failing due to a certificate problem (though it worked recently on 2019-11-21):

Step 1/2 : FROM gliderlabs/alpine:3.7
 ---> 9d07e2f1fe48
Step 2/2 : RUN apk add --update curl
 ---> Running in 9642687e75b7
fetch http://alpine.gliderlabs.com/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
140665608313804:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:ssl_clnt.c:1026:

Moreover, this CLI illustrates the failure more clearly:

$ wget http://alpine.gliderlabs.com/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
--2019-11-25 15:51:46--  http://alpine.gliderlabs.com/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
Resolving alpine.gliderlabs.com (alpine.gliderlabs.com)... 151.101.64.249, 151.101.128.249, 151.101.192.249, ...
Connecting to alpine.gliderlabs.com (alpine.gliderlabs.com)|151.101.64.249|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://alpine.gliderlabs.com/alpine/v3.7/main/x86_64/APKINDEX.tar.gz [following]
--2019-11-25 15:51:46--  https://alpine.gliderlabs.com/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
Connecting to alpine.gliderlabs.com (alpine.gliderlabs.com)|151.101.64.249|:443... connected.
ERROR: no certificate subject alternative name matches
	requested host name ‘alpine.gliderlabs.com’.
To connect to alpine.gliderlabs.com insecurely, use `--no-check-certificate'.

The current certificate appears to have been recently upgraded, but does not contain a Subject Alternative Name covering alpine.gliderlabs.com:

$ host=alpine.gliderlabs.com
$ echo "QUIT" | openssl s_client -connect $host:443 -showcerts 2>&1 | sed -n "/BEGIN CERTIFICATE/,/END CERTIFICATE/p" > /tmp/$host.pem
$ openssl x509 -in /tmp/$host.pem -noout -text 

REDACTED FOR BREVITY
            X509v3 Subject Alternative Name: 
                DNS:default.ssl.fastly.net, DNS:fastly.com, DNS:*.a.ssl.fastly.net, DNS:*.hosts.fastly.net, DNS:*.global.ssl.fastly.net, DNS:*.fastly.com, DNS:a.ssl.fastly.net, DNS:purge.fastly.net, DNS:mirrors.fastly.net, DNS:control.fastly.net, DNS:tools.fastly.net
REDACTED FOR BREVITY
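The SAN check the post does by hand with openssl, as an added example that is not part of the issue or the gliderlabs project: the SAN list is the one quoted from the certificate above, the matching rules are the RFC 6125 DNS-ID rules a TLS client applies (exact match, or a wildcard that is the whole leftmost label and covers exactly one label), and `fetch_dns_sans` is an assumed helper for repeating the check against a live server.

```python
import socket
import ssl

# SAN entries copied from the certificate quoted in the issue (constructed list).
FASTLY_SANS = [
    "default.ssl.fastly.net", "fastly.com", "*.a.ssl.fastly.net",
    "*.hosts.fastly.net", "*.global.ssl.fastly.net", "*.fastly.com",
    "a.ssl.fastly.net", "purge.fastly.net", "mirrors.fastly.net",
    "control.fastly.net", "tools.fastly.net",
]


def san_matches(host, san):
    """RFC 6125 DNS-ID comparison: case-insensitive exact match, or a
    wildcard that is the whole leftmost label and covers exactly one label."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    host_labels, san_labels = host.split("."), san.split(".")
    # '*.com' style entries are rejected, and '*' never spans a dot.
    if len(san_labels) < 3 or len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def covering_sans(host, sans):
    """SAN entries that would validate `host`; an empty list is the
    'no certificate subject alternative name matches' case from the issue."""
    return [s for s in sans if san_matches(host, s)]


def fetch_dns_sans(host, port=443):
    """Read the DNS SANs of the certificate a server presents for `host`
    (assumed helper). The chain is still verified (CERT_REQUIRED); only the
    hostname check is deferred so the cert can be inspected, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # decided by covering_sans() instead
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    host = "alpine.gliderlabs.com"
    print(host, "covered by:", covering_sans(host, FASTLY_SANS))  # [] on the issue's cert
    # Live re-check (network): print(covering_sans(host, fetch_dns_sans(host)))
```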

I'd add to this and say that, when attempting to use the http scheme, I receive a recursive 301.

Is there a specific reason the image doesn't use official apk mirrors?

Edit: Would it be better to pin the gliderlabs mirrors, rather than replace the official ones?