How to add trusted root CA to Docker alpine
Assume I am on a network with a MITM SSL-swapping firewall (google.com is not issued by Google, but re-issued by a custom root CA authority). More details here: https://security.stackexchange.com/questions/107542/is-it-common-practice-for-companies-to-mitm-https-traffic .
I have a simple Dockerfile:
FROM alpine:latest
RUN apk --no-cache add curl
It fails miserably with an SSL error
=> ERROR [2/2] RUN apk --no-cache add curl 1.0s
------
> [2/2] RUN apk --no-cache add curl:
#5 0.265 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.647 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.649 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.649 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.938 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.940 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.941 ERROR: unable to select packages:
#5 0.942 curl (no such package):
#5 0.942 required by: world[curl]
------
executor failed running [/bin/sh -c apk --no-cache add curl]: exit code: 1
Every tutorial on the Internet says I can add my own "trusted" root certificate and run update-ca-certificates.
But it can only be added via "apk add". To me this looks like a chicken-and-egg problem.
FROM alpine:latest
USER root
RUN apk --no-cache add ca-certificates \
    && update-ca-certificates
The error is similar
=> ERROR [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates 1.0s
------
> [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates:
#5 0.269 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.662 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.663 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.663 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.929 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.931 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.932 ERROR: unable to select packages:
#5 0.933 ca-certificates (no such package):
#5 0.933 required by: world[ca-certificates]
------
executor failed running [/bin/sh -c apk --no-cache add ca-certificates && update-ca-certificates]: exit code: 1
Is there any other solution for how to install the update-ca-certificates tool? Or am I missing something?
Thanks
See @kthompso's answer for a working solution.
Working solution based on @kthompso's answer and the information from unable to add certificates to alpine linux container (using the update-ca-certificates command)
FROM alpine:latest
USER root
# To be able to download `ca-certificates` with `apk add` command
COPY my-root-ca.crt /root/my-root-ca.crt
RUN cat /root/my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt
# Add again root CA with `update-ca-certificates` tool
RUN apk --no-cache add ca-certificates \
    && rm -rf /var/cache/apk/*
COPY my-root-ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
RUN apk --no-cache add curl
EDIT: One solution I had in mind is to use the curl docker image with the -k option and download the .apk with those certs and tools, install it as a local file, add my root CA cert and run update-ca-certificates. That sounds super crazy, so I think there must be a better solution :)
Manually append your self-signed certificate to /etc/ssl/certs/ca-certificates.crt.
Assuming you have your self-signed cert in a file my-cert.pem in your build directory:
FROM alpine:latest
COPY my-cert.pem /usr/local/share/ca-certificates/my-cert.crt
RUN cat /usr/local/share/ca-certificates/my-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
    apk --no-cache add \
        curl
Note: when you use update-ca-certificates, you need to put your cert file into /usr/local/share/ca-certificates/ first.
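As an added example (not code from the question or the answer) of the append step both solutions rely on, here is a POSIX sh function that refuses anything other than a single PEM certificate and skips a certificate that is already in the bundle, so re-running the step on a rebuilt layer does not duplicate entries. The function names and the sample PEM text in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the question or answer: a validated, idempotent
# replacement for "cat my-cert.pem >> /etc/ssl/certs/ca-certificates.crt".
# Function names are constructed; paths are parameters.

# pem_bodies FILE: print one line per certificate in FILE, holding its base64
# body with whitespace and line breaks removed, so two copies of the same
# certificate compare equal regardless of wrapping or surrounding comments.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside                        { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# append_ca_cert CERT BUNDLE
# Exit status: 0 appended, 1 already in the bundle (nothing changed),
#              2 rejected because CERT is not exactly one PEM certificate.
append_ca_cert() {
    cert="$1"; bundle="$2"
    # Refuse anything that is not one CERTIFICATE block: appending a private
    # key or junk to the trust bundle would be worse than the original error.
    grep -q 'PRIVATE KEY' "$cert" && return 2
    [ "$(pem_bodies "$cert" | wc -l | tr -d ' ')" -eq 1 ] || return 2
    body=$(pem_bodies "$cert")
    [ -n "$body" ] || return 2
    # Skip if the same certificate is already present (e.g. layer rebuilt).
    if [ -f "$bundle" ] && pem_bodies "$bundle" | grep -qFx -- "$body"; then
        return 1
    fi
    # Make sure the bundle ends with a newline; otherwise the END marker of
    # its last entry and our BEGIN marker would fuse into one unparsable line.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    # Copy only the certificate block itself, not comments around it.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert" >> "$bundle"
    return 0
}

# Usage inside a Dockerfile RUN step (paths from the question):
#   append_ca_cert /root/my-root-ca.crt /etc/ssl/certs/ca-certificates.crt
```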