alpinelinux / alpine-make-vm-image

Make customized Alpine Linux disk image for virtual machines
MIT License

apk add fails with certificate verify failed error on Fedora #12

Closed axelu closed 3 years ago

axelu commented 4 years ago

Using the script on a Fedora F31 host. Invocation as follows:

$ sudo ./alpine-make-vm-image -p dropbear -c -f qcow2 ./alpine-latest-stable-virt.qcow2 ./setup.sh

> apk not found, downloading static apk-tools
...
> Attaching image ./alpine-lates-stable-virt.qcow2 as a NBD device
> Formatting image to ext4
> Mounting image at /tmp/alpine-make-vm-image.ea2BE2
> Installing base system
fetch https://nl.alpinelinux.org/alpine/v3.11/x86_64/APKINDEX.tar.gz
139868176543548:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:ssl_clnt.c:1037:
ERROR: https://nl.alpinelinux.org/alpine/v3.11: Permission denied
WARNING: Ignoring APKINDEX.17ae85cd.tar.gz: No such file or directory
fetch https://nl.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
139868176543548:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:ssl_clnt.c:1037:
ERROR: https://nl.alpinelinux.org/alpine/v3.10/main: Permission denied
WARNING: Ignoring APKINDEX.4bf59d7e.tar.gz: No such file or directory
fetch https://nl.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
139868176543548:error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed:ssl_clnt.c:1037:
ERROR: https://nl.alpinelinux.org/alpine/v3.10/community: Permission denied
WARNING: Ignoring APKINDEX.06796e8e.tar.gz: No such file or directory
ERROR: unsatisfiable constraints:
  alpine-base (missing):
    required by: world[alpine-base]
/dev/nbd15 disconnected
$

The error is on this line, which is the 1st invocation of apk:

_apk add --root . --update-cache --initdb alpine-base

For now I specified the repository URL / mirror URI as an option with http only, so my invocation looks like this to get around it:

$ sudo ./alpine-make-vm-image --mirror-uri http://nl.alpinelinux.org/alpine -p dropbear -c -f qcow2 ./alpine-latest-stable-virt.qcow2 ./setup.sh

The other workaround I have found is to copy a CA bundle into a file at /etc/ssl/cert.pem on the Fedora host. Fedora originally has the CA bundles arranged as follows: /etc/ssl/ has one symlink, certs (nothing else), and certs is a symbolic link to the /etc/pki/tls/certs dir, which then has two cert bundles:

ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Also, /etc/pki/tls/ has a cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

I tried it on another non-Alpine host (Gentoo, which arranges the CA bundles differently yet again) and do not have the issue, so it must be related to Fedora's way of arranging the CA bundles. Maybe the issue is in the static APK tools' logic to locate the cert bundle.
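
A diagnostic for the CA bundle layout described in this issue, as an added example that is not part of the original post or the project's code. It assumes, as the second workaround suggests, that the static apk reads /etc/ssl/cert.pem; the function names and the optional root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: report which CA bundle paths from the issue hold a usable
# PEM bundle. An optional root directory (hypothetical parameter) lets the
# check run against a test tree instead of the live host.

# Candidate paths, all taken from the issue text.
CA_PATHS="/etc/ssl/cert.pem
/etc/pki/tls/cert.pem
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# Print ok, empty, dangling or missing for one path.
ca_path_status() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo dangling            # symlink whose target does not exist
    elif [ ! -e "$1" ]; then
        echo missing
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo ok                  # contains at least one PEM certificate
    else
        echo empty               # exists but holds no PEM certificate
    fi
}

# Print one "status path" line per candidate under the given root.
ca_report() {
    root="${1:-}"
    echo "$CA_PATHS" | while read -r p; do
        printf '%s %s\n' "$(ca_path_status "$root$p")" "$p"
    done
}

# Succeed only if the path the workaround populates holds a usable bundle
# (assumption: this is the file the static apk consults).
apk_static_bundle_ok() {
    [ "$(ca_path_status "${1:-}/etc/ssl/cert.pem")" = ok ]
}

# First usable bundle: the candidate to copy to /etc/ssl/cert.pem.
ca_first_usable() {
    ca_report "${1:-}" | awk '$1 == "ok" && !seen { print $2; seen = 1 }'
}

ca_report "${1:-}"
```

On a host with the Fedora layout from the issue, the first line reads `missing /etc/ssl/cert.pem` while the /etc/pki paths report `ok`, which keeps certificate verification in place instead of switching the mirror to plain http.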