
aws/codebuild/standard:4.0|5.0: ca-certificates are not up-to-date on AWS codebuild runners

Open ebarault opened this issue 4 years ago • 2 comments

Describe the bug
Following DST Root CA X3 Expiration (September 2021), requests executed to sites/resources protected by a Let's Encrypt certificate end with a certificate error when running in AWS codebuild curated images aws/codebuild/standard:4.0|5.0

fatal: unable to access 'xxxxxxxx': server certificate verification failed. CAfile: none CRLfile: none

Updating the ca-certificates package in a build step fixes the issue:

apt-get update
apt-get -qq install -y ca-certificates

To Reproduce
Steps to reproduce the behavior:

  • try to access a site protected by a Let's Encrypt certificate from a codebuild runner, running one of the standard:4.0 or standard:5.0 curated images

Expected behavior

The ca-certificates should be up-to-date in the curated aws codebuild images running on the codebuild runners. The requests should complete without errors.

Logs
fatal: unable to access 'xxxxxxxx': server certificate verification failed. CAfile: none CRLfile: none

Platform (please complete the following information):

  • OS: Linux x86

Additional context
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

ebarault avatar Oct 06 '21 09:10 ebarault
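An added example, not part of the issue or of the aws-codebuild-docker-images project: a preflight build step that inspects the image's CA trust store through Python's standard `ssl` module and fails early when the Let's Encrypt root ISRG Root X1 is missing (the condition behind the error above), also listing roots that have already expired such as DST Root CA X3. It assumes Python 3 is available in the image; the `audit_trust_store` helper and its report keys are names chosen here.

```python
"""Preflight check for a build image's CA trust store (added example)."""
import ssl
import time

# Root that Let's Encrypt chains to after the DST Root CA X3 expiry.
ISRG_ROOT_X1 = "ISRG Root X1"
# The root that expired on 30 Sep 2021; harmless if present but no longer useful.
DST_ROOT_CA_X3 = "DST Root CA X3"


def _common_name(cert):
    # get_ca_certs() returns the subject as nested tuples of (key, value) pairs.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_trust_store(certs, now=None):
    """Summarise certs given in ssl.SSLContext.get_ca_certs() dict format."""
    now = time.time() if now is None else now
    names = [_common_name(c) for c in certs]
    expired = [
        _common_name(c)
        for c in certs
        if ssl.cert_time_to_seconds(c["notAfter"]) < now
    ]
    return {
        "isrg_root_x1_present": ISRG_ROOT_X1 in names,
        "dst_root_ca_x3_present": DST_ROOT_CA_X3 in names,
        "expired": expired,
        # A Let's Encrypt site verifies only if ISRG Root X1 is trusted.
        "ok": ISRG_ROOT_X1 in names,
    }


def audit_system_trust_store():
    # create_default_context() loads the OS default CA store (/etc/ssl/certs on Debian/Ubuntu).
    ctx = ssl.create_default_context()
    return audit_trust_store(ctx.get_ca_certs())


if __name__ == "__main__":
    report = audit_system_trust_store()
    print(report)
    # Non-zero exit makes the CodeBuild phase fail before any git/curl step does.
    raise SystemExit(0 if report["ok"] else 1)
```

Drop it into the `install` phase of the buildspec before any network fetch; if it fails, the `apt-get install -y ca-certificates` workaround from the report is the fix.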

I'm able to reproduce this with the build command curl https://gopkg.in/yaml.v3 in the latest aws/codebuild/amazonlinux2-x86_64-standard:3.0 image, but it seems like the latest aws/codebuild/standard:5.0 can run the command successfully (perhaps the endpoint you are using behaves differently). We are in the process of releasing a new set of images that were built with the latest apt-get certificates and I verified that they can all run the above build command. I'll update this issue when they are fully released.

leoherran-aws avatar Oct 18 '21 15:10 leoherran-aws

Looks to be related to the current local (and likely your own Master branch's) build failures with aws/codebuild/standard:4.0 and aws/codebuild/standard:5.0

#456

#52 26.00 update-alternatives: using /usr/lib/jvm/java-1.8.0-amazon-corretto/bin/xjc to provide /usr/bin/xjc (xjc) in auto mode
#52 26.07 + apt-get install -y -qq --no-install-recommends ca-certificates-java
#52 29.92 Selecting previously unselected package ca-certificates-java.
(Reading database ... 50446 files and directories currently installed.)
#52 29.95 Preparing to unpack .../ca-certificates-java_20180516ubuntu1~18.04.1_all.deb ...
#52 29.96 Unpacking ca-certificates-java (20180516ubuntu1~18.04.1) ...
#52 30.01 Setting up ca-certificates-java (20180516ubuntu1~18.04.1) ...
#52 30.04 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
#52 30.08 /var/lib/dpkg/info/ca-certificates-java.postinst: line 89: java: command not found
#52 30.08 dpkg: error processing package ca-certificates-java (--configure):
#52 30.08  installed ca-certificates-java package post-installation script subprocess returned error exit status 127
#52 30.08 Processing triggers for ca-certificates (20210119~18.04.2) ...
#52 30.09 Updating certificates in /etc/ssl/certs...
#52 30.73 0 added, 0 removed; done.
#52 30.73 Running hooks in /etc/ca-certificates/update.d...
#52 30.74 
#52 30.80 /etc/ca-certificates/update.d/jks-keystore: 82: /etc/ca-certificates/update.d/jks-keystore: java: not found
#52 30.80 E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
#52 30.80 Updating Mono key store
#52 30.87 Mono Certificate Store Sync - version 6.12.0.122
#52 30.87 Populate Mono certificate store from a concatenated list of certificates.
#52 30.87 Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
#52 30.87 
#52 30.92 Importing into legacy system store:
#52 30.97 I already trust 128, your new list has 128
#52 30.99 Import process completed.
#52 30.99 
#52 30.99 Importing into BTLS system store:
#52 31.03 I already trust 128, your new list has 128
#52 31.04 Import process completed.
#52 31.05 Done
#52 31.05 done.
#52 31.07 Errors were encountered while processing:
#52 31.07  ca-certificates-java
#52 31.09 E: Sub-process /usr/bin/dpkg returned an error code (1)
------
executor failed running [/bin/sh -c set -ex     && apt-get update     && apt-get install -y -qq software-properties-common apt-utils     && wget -qO- https://apt.corretto.aws/corretto.key | apt-key add -     && add-apt-repository 'deb https://apt.corretto.aws stable main'     && apt-get update     && apt-get install -y -qq java-1.8.0-amazon-corretto-jdk     && apt-get install -y -qq --no-install-recommends ca-certificates-java     && update-ca-certificates -f     && dpkg --add-architecture i386     && apt-get update     && apt-get install -y -qq --force-yes libc6-i386        lib32stdc++6 lib32gcc1 lib32ncurses5        lib32z1 libqt5widgets5]: exit code: 100
make: *** [build_4_0_standard_image] Error 1

% make build_4_0_standard_image

jbeninson avatar Jan 18 '22 23:01 jbeninson

Please let us know if you are still encountering this issue. We can't seem to recreate the issue you are running into, at least, not with the supported images that we have in the repository. Marking resolved.

subinataws avatar Apr 25 '23 23:04 subinataws