Resolving missing ca-certificates dependency that causes client ssl verify to fail #216
Conversation
Sorry for the bump, making sure this wasn't overlooked @tianon, I can understand if this is not a priority 😄 Thanks!
Somehow I missed this completely and appreciate the bump! 🙇 ❤️ I think we should move the installation up to a separate layer (before Also, I'm not thrilled about the removal of the
No problem! Ah yes indeed I missed that, thanks for the pointers!
Yeah, sorry, I meant exactly that 😅 Maybe even a comment to remind us why so we don't remove it in the future 👀
diff --git a/Dockerfile.template b/Dockerfile.template
index f4154c8..0f5afbb 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -1,6 +1,13 @@
{{ if env.variant == "alpine" then ( -}}
FROM alpine:{{ .alpine }}
+# runtime dependencies
+RUN set -eux; \
+ apk add --no-cache \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+ ca-certificates \
+ ;
+
# roughly, https://git.alpinelinux.org/aports/tree/main/haproxy/haproxy.pre-install?h=3.12-stable
RUN set -eux; \
addgroup --gid 99 --system haproxy; \
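Review bot: the `# @system-ca:` comment line sits between backslash-continued lines of the RUN, which only works because the Dockerfile parser drops comment lines before joining continuations; since this comment is the reminder requested above, consider spelling out in it that `ca-certificates` is a runtime dependency of haproxy's `@system-ca` store (not a build dependency), so a later cleanup does not move it into the build dependencies that get removed and silently empty `/etc/ssl/certs` again.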
@@ -18,6 +25,15 @@ RUN set -eux; \
{{ ) else ( -}}
FROM debian:{{ .debian }}
+# runtime dependencies
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+# @system-ca: https://github.com/docker-library/haproxy/pull/216
+ ca-certificates \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
# roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
RUN set -eux; \
groupadd --gid 99 --system haproxy; \ |
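Review bot: now that `ca-certificates` is installed in its own runtime layer, the build-dependency list further down this template must no longer include it, otherwise the cleanup that removes build dependencies (described in the PR text) would purge it again; the PR text also says the `openssl` binary, a hard dependency of `ca-certificates`, is removed manually with `rm`, so a comment next to `ca-certificates \` pointing at that removal would keep the two decisions from drifting apart. The `rm -rf /var/lib/apt/lists/*` correctly stays in the same RUN as `apt-get update`, so the package lists never land in the layer.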
Hmm, thinking about it more there's a pretty compelling argument for not installing it on Alpine, but I don't feel super strongly about it one way or another -- @yosifkit?
It seems fine to install it.
$ docker images haproxy
REPOSITORY TAG IMAGE ID CREATED SIZE
haproxy alpine aa6c154774d2 2 days ago 25.3MB
$ docker run -it --user root haproxy:alpine sh
# apk add --no-cache ca-certificates
...
(1/1) Installing ca-certificates (20230506-r0)
...
# apk info ca-certificates
...
ca-certificates-20230506-r0 installed size:
688 KiB
…erify to fail Without this package, '/etc/ssl/certs' is either empty or incomplete, and so is the @system-ca variable within haproxy. This results in some haproxy client ssl features not working out of the box. For instance, using httpclient with https endpoints will not work with default config since ssl verify is on by default. See PR docker-library#216. Co-authored-by: Tianon Gravi <[email protected]>
Thank you very much for your help guys!
Your patience and long-suffering is appreciated! ❤️
Changes: - docker-library/haproxy@79a32f7: Merge pull request docker-library/haproxy#216 from Darlelet/ca-certs - docker-library/haproxy@71cd019: Resolving missing ca-certificates dependency that causes client ssl verify to fail
Without this package, /etc/ssl/certs is either empty or incomplete, and so is the @system-ca variable within haproxy. This results in some haproxy client ssl features not working out of the box. For instance, using httpclient with https endpoints will not work with default config since ssl verify is on by default.

For the debian image:
- ca-certificates package was already installed as a build dependency, but all build dependencies are automatically removed during the image cleanup, so I moved it out of the build dependencies.
- openssl binary is a hard dependency for ca-certificates package (probably to regen/reconfigure the certs), we manually remove it during the image cleanup using rm.

How to test it:
show ssl ca-file @system-ca
haproxy cli should not return errors and should display a large list of CA certificates (more than 1)
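The acceptance check above, automated as an added example that is not part of the PR or the haproxy project: it sends `show ssl ca-file @system-ca` to the runtime API, parses the reply, and passes only when the store loaded without error and holds more than one CA certificate. The TCP stats socket on port 9999 and the sample reply text are assumptions.

```python
import re
import socket

# Constructed, abbreviated sample of a "show ssl ca-file @system-ca" reply from the
# haproxy runtime API (two CA entries); used for the offline check below.
SAMPLE_LISTING = """Filename: @system-ca
Status: Used

Certificate #1:
Subject: /CN=Constructed Root CA 1

Certificate #2:
Subject: /CN=Constructed Root CA 2
"""
CERT_HEADER = re.compile(r"^Certificate #(\d+):", re.MULTILINE)

def parse_ca_file_listing(text):
    """Return (filename, status, cert_count, subjects) from a listing.
    An error reply has no 'Filename:' line, so filename and status stay None."""
    filename = status = None
    subjects = []
    for line in text.splitlines():
        if line.startswith("Filename: "):
            filename = line[len("Filename: "):]
        elif line.startswith("Status: "):
            status = line[len("Status: "):]
        elif line.startswith("Subject: "):
            subjects.append(line[len("Subject: "):])
    return filename, status, len(CERT_HEADER.findall(text)), subjects

def system_ca_is_populated(text, minimum=2):
    """The PR's acceptance criterion: no error and more than one CA certificate."""
    filename, status, count, _ = parse_ca_file_listing(text)
    return filename == "@system-ca" and status is not None and count >= minimum

def query_runtime_api(command, host="127.0.0.1", port=9999, timeout=5.0):
    """Send one command to a TCP stats socket and return the whole reply.
    Assumption (not from the PR): the container's config has
    'stats socket ipv4@0.0.0.0:9999 level admin' and runs with -p 127.0.0.1:9999:9999."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((command + "\n").encode())
        chunks = []
        while data := sock.recv(65536):  # haproxy closes the socket after one command
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

if __name__ == "__main__":
    reply = query_runtime_api("show ssl ca-file @system-ca")
    print("OK" if system_ca_is_populated(reply) else "FAIL: @system-ca missing or empty")
```

Running it against an image built before this PR should print FAIL, and OK once ca-certificates is installed.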