Adding Let's Encrypt certificates to debian:9 docker image
I want to build an image based on debian:9 and add the Let's Encrypt certificates from the following links:
https://letsencrypt.org/certs/isrgrootx1.pem.txt
https://letsencrypt.org/certs/trustid-x3-root.pem.txt
Afaik, these should be converted to .crt format, so I ran:
▶ openssl x509 -in isrgrootx1.pem -inform PEM -out isrgrootx1.crt
▶ openssl x509 -in trustid-x3-root.pem -inform PEM -out trustid-x3-root.crt
Then I build the image using the following Dockerfile:
FROM debian:9
RUN mkdir -p /usr/share/ca-certificates/extra
RUN apt-get update && apt-get install ca-certificates -y --no-install-recommends
COPY isrgrootx1.crt /usr/share/ca-certificates/extra/isrgrootx1.crt
COPY trustid-x3-root.crt /usr/share/ca-certificates/extra/trustid-x3-root.crt
RUN update-ca-certificates
However, at the end of the build I see that no additional certificates were added:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
What is more, when listing them in the running container using this command:
awk -v cmd='openssl x509 -noout -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
I don't see any Let's Encrypt certificates installed.
Am I missing any step?
I believe the path you want is /usr/local/share/ca-certificates. The following shows 2 certificates added:
FROM debian:9
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
openssl \
&& mkdir -p /usr/local/share/ca-certificates
ADD https://letsencrypt.org/certs/isrgrootx1.pem.txt /usr/local/share/ca-certificates/isrgrootx1.pem
ADD https://letsencrypt.org/certs/trustid-x3-root.pem.txt /usr/local/share/ca-certificates/trustid-x3-root.pem
RUN cd /usr/local/share/ca-certificates \
&& openssl x509 -in isrgrootx1.pem -inform PEM -out isrgrootx1.crt \
&& openssl x509 -in trustid-x3-root.pem -inform PEM -out trustid-x3-root.crt \
&& update-ca-certificates
Note, the certificates you downloaded do not say Let's Encrypt in the subject:
root@4544afdd06e3:/# openssl x509 -noout -subject </usr/local/share/ca-certificates/isrgrootx1.pem
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
root@4544afdd06e3:/# openssl x509 -noout -subject </usr/local/share/ca-certificates/trustid-x3-root.pem
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
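Added example (not part of the question or the answer above): a shell check for why the first Dockerfile reported `0 added`. It encodes the two selection rules Debian's update-ca-certificates applies: every `*.crt` under /usr/local/share/ca-certificates is picked up automatically, while a file under /usr/share/ca-certificates counts only if its relative path is listed in /etc/ca-certificates.conf. The function name `cert_status`, its ROOT argument and the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# cert_status ROOT PATH: report whether update-ca-certificates would trust PATH.
# ROOT is the filesystem root to inspect ("/" or an unpacked image); hypothetical helper.
cert_status() {
    root=${1%/}; path=$2
    local_dir=/usr/local/share/ca-certificates
    share_dir=/usr/share/ca-certificates
    conf=$root/etc/ca-certificates.conf
    case $path in
        "$local_dir"/*)
            # Rule 1: every *.crt under the local dir is selected automatically.
            case $path in
                *.crt) echo enabled-local ;;
                *)     echo wrong-extension ;;
            esac ;;
        "$share_dir"/*)
            # Rule 2: files under the share dir count only when their relative
            # path is a line in ca-certificates.conf; a leading "!" deselects.
            rel=${path#"$share_dir"/}
            if [ -f "$conf" ] && grep -qxF -- "$rel" "$conf"; then
                echo enabled-conf
            elif [ -f "$conf" ] && grep -qxF -- "!$rel" "$conf"; then
                echo disabled-conf
            else
                echo not-listed
            fi ;;
        *) echo outside ;;
    esac
}

# Constructed sample tree: a conf file that does not mention extra/*.crt,
# checked against the paths used by the two Dockerfiles on this page.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf '%s\n' '# constructed sample' 'mozilla/Example_Root.crt' \
    > "$demo_root/etc/ca-certificates.conf"
for p in /usr/share/ca-certificates/extra/isrgrootx1.crt \
         /usr/local/share/ca-certificates/isrgrootx1.crt \
         /usr/local/share/ca-certificates/isrgrootx1.pem
do
    printf '%s: %s\n' "$p" "$(cert_status "$demo_root" "$p")"
done
rm -rf "$demo_root"
```

For the layout in the question, the alternative to moving the files is to append `extra/isrgrootx1.crt` and `extra/trustid-x3-root.crt` to /etc/ca-certificates.conf before running update-ca-certificates.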