
Force update the image certificates bundle during build

Open · ribeirobreno opened this issue 1 year ago · 1 comment

Environment

  • Platform: Linux
  • Docker Version: 25.0.3
  • Node.js Version: 20.12.0
  • Image Tag: 20-alpine

This issue can happen in any docker image.

Expected Behavior

Any request to a valid https url with a valid certificate should return with no SSL/TLS issues.

Current Behavior

Requesting any website with a recently updated https certificate and issued from a recently updated root CA will fail.

Possible Solution

Include the appropriate command to update the certificates in the Dockerfiles. E.g.: apk add --upgrade --no-cache ca-certificates-bundle for the Alpine images.

Running this command in the latest node:20-alpine image as root will yield:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/1) Upgrading ca-certificates-bundle (20230506-r0 -> 20240226-r0)
OK: 10 MiB in 17 packages

This is my current workaround for this issue; it would be awesome to have this baked into the official images.

Steps to Reproduce

  • Given this command: docker run --rm -it node:20-alpine node -e 'const https=require("node:https");https.get("{URL}",(r)=>console.log(r.statusCode)).on("error",(e)=>console.error(e)) ;'
  • Replace {URL} with a website where the certificate was issued recently and the root for it is in the newly updated bundle but not in the previous bundle.
  • Run the command

Additional Information

  • Updating the base image might also give the desired result but is not as good as actually updating the certificates.
  • Sadly, I can't share the actual URL where I've caught this issue and couldn't find another one to better illustrate the test case. What I can say is that it is using a GoDaddy-issued certificate that was issued yesterday (2024-03-31).

ribeirobreno · Apr 01 '24 20:04

Doing this still isn't something that would work in every scenario because the certs would be up to date for the build time of the image. This would be better achieved via a custom entrypoint script.

LaurentGoderre · Apr 02 '24 13:04
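The thread proposes two places to run `apk add --upgrade --no-cache ca-certificates-bundle`: in the Dockerfile (the reporter's workaround, which only freshens the bundle as of build time) or in a custom entrypoint (the maintainer's suggestion, which freshens it every time the container starts). The script below is an added example of the entrypoint variant; it is not code from this issue or from the docker-node project. It assumes an Alpine-based image with `apk` available, the bundle at `/etc/ssl/certs/ca-certificates.crt` (the path Alpine's `ca-certificates-bundle` package writes), and a 30-day staleness threshold; the file name `entrypoint.sh`, the `CA_BUNDLE` and `MAX_AGE_DAYS` variables and the `ca_bundle_stale` / `refresh_ca_bundle` helpers are all choices made for this example. It refreshes the bundle only when the on-disk file looks old, and it tolerates a failed refresh (no network, no root) so the container still starts with the image's own certificates.

```shell
#!/bin/sh
# Added example entrypoint for an Alpine-based node image (not docker-node's code).
# Assumptions: apk is present, the CA bundle lives at CA_BUNDLE, and the bundle's
# mtime reflects when it was last installed (apk keeps the package's file mtime).

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"

# ca_bundle_stale FILE DAYS
# Returns 0 (true) when FILE is missing or was last modified more than DAYS days ago.
ca_bundle_stale() {
  file="$1"
  days="$2"
  [ -f "$file" ] || return 0
  # find prints the path only if its mtime is more than $days days in the past.
  [ -n "$(find "$file" -mtime +"$days" 2>/dev/null)" ]
}

# refresh_ca_bundle
# Upgrades the Alpine CA bundle package. Failure is reported on stderr but not
# fatal: an image with a slightly old bundle is better than a container that
# never starts because dl-cdn.alpinelinux.org was unreachable.
refresh_ca_bundle() {
  if ! command -v apk >/dev/null 2>&1; then
    echo "entrypoint: apk not found, skipping CA bundle refresh" >&2
    return 1
  fi
  if apk add --upgrade --no-cache ca-certificates-bundle >/dev/null 2>&1; then
    return 0
  fi
  echo "entrypoint: CA bundle refresh failed; continuing with the image's certs" >&2
  return 1
}

# main CMD...
# Optionally refresh the bundle, then hand off to the container command so it
# becomes PID 1 and receives signals directly.
main() {
  if ca_bundle_stale "$CA_BUNDLE" "$MAX_AGE_DAYS"; then
    refresh_ca_bundle || true
  fi
  exec "$@"
}

# Run main only when invoked as entrypoint.sh (the name used in the Dockerfile);
# when the file is sourced under another name only the functions are defined.
case "${0##*/}" in
  entrypoint.sh) main "$@" ;;
esac
```

Wire it in with `COPY entrypoint.sh /usr/local/bin/entrypoint.sh`, `RUN chmod +x /usr/local/bin/entrypoint.sh` and `ENTRYPOINT ["entrypoint.sh"]`, leaving `CMD ["node", "server.js"]` (or whatever the image ran before) unchanged. Two caveats a reviewer would raise: `apk add` needs root, so if the image switches to the `node` user with `USER node`, the refresh has to happen before that switch (for example by keeping root for the entrypoint and dropping privileges with `su-exec` or `setpriv` before the `exec`); and pulling packages at start time means the container's behaviour now depends on the Alpine mirror being reachable, which is why the script treats a failed upgrade as a warning rather than an error.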