Oryx
Oryx copied to clipboard
microsoft
Verisign curl errors
Fixes the following errors, which occurred every time a github action or lts image is built, adding 1.25 minutes to each image build (adds up when building all images):
#16 [final 2/4] RUN /opt/tmp/images/retry.sh "curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates" && echo "value of DEBIAN_FLAVOR is buster"
#16 sha256:e36fc93fac9f76672954859f38625137fcc21b1850f7d6b75c712c96a6d8d819
#16 0.354 retry 0
#16 0.885 curl: (6) Could not resolve host: &&
#16 5.153 curl: (6) Could not resolve host: update-ca-certificates
#16 5.154 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 20.16 retry 1
#16 20.69 curl: (6) Could not resolve host: &&
#16 24.96 curl: (6) Could not resolve host: update-ca-certificates
#16 24.96 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 39.97 retry 2
#16 40.51 curl: (6) Could not resolve host: &&
#16 44.58 curl: (6) Could not resolve host: update-ca-certificates
#16 44.58 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 59.59 retry 3
#16 60.11 curl: (6) Could not resolve host: &&
#16 64.39 curl: (6) Could not resolve host: update-ca-certificates
#16 64.39 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 79.40 retry 4
#16 79.94 curl: (6) Could not resolve host: &&
#16 84.01 curl: (6) Could not resolve host: update-ca-certificates
#16 84.01 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 99.02 retry 5
#16 99.58 curl: (6) Could not resolve host: &&
#16 103.8 curl: (6) Could not resolve host: update-ca-certificates
#16 103.9 error executing: curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083 && update-ca-certificates
#16 118.9 value of DEBIAN_FLAVOR is buster
#16 DONE 118.9s
I also investigated whether we really need this (since its been broken for a while), and I think we would be safe to remove if we want.
It was an issue prior to the following versions of .NET that prevented restores: .NET SDK 5.0.202 -- April 6, 2021. .NET 6 Preview 3 -- April 8, 2021.
According to https://github.com/NuGet/Announcements/issues/49 this has been resolved with an updated version of ca-certificates
Link to full context of issue: https://github.com/NuGet/Home/issues/10491
Let me know what you all think should be the correct move here. It seems to me like pulling and trusting an external cert from the internet seems risky.
Fixed log looks like
#16 [final 2/4] RUN /opt/tmp/images/retry.sh "curl -o /usr/local/share/ca-certificates/verisign.crt -SsL https://crt.sh/?d=1039083" && update-ca-certificates && echo "value of DEBIAN_FLAVOR is buster"
#16 sha256:d0b82b32b8ff5ba252405ee88dd7f98f902c083d97b401bda6723810a267e93d
#16 0.369 retry 0
#16 0.924 Updating certificates in /etc/ssl/certs...
#16 1.709 rehash: warning: skipping duplicate certificate in verisign.pem
#16 1.711 1 added, 0 removed; done.
#16 1.711 Running hooks in /etc/ca-certificates/update.d...
#16 1.716 done.
#16 1.719 value of DEBIAN_FLAVOR is buster
#16 DONE 1.7s