TLS certificate error in containers

[keighrim]

Description

@marcverhagen brought this up when we met yesterday, so I did some investigation.

The problem is that when you build some CLAMS app image, you get some kind of TLS/SSL certificate errors that prevent the image from being built.

After some digging into this rabbit hole, I found that when you run clamsproject/clams-python-based images on Apple silicon, the CA certificates comes with the debian image (basis for clams-python) does not verify your connection to pypi.org or other websites.

(I don't know if the the certificate issue Marc has encountered in the past is the same kind of issue, though.)

Reproduction steps

Run this script;

if type -fP docker 2>/dev/null; then
    export dk=docker
else
    export dk=podman
fi 
printf "\n\n=== %s (%s %s @ %s): %s\n" "$(hostname)" "$(uname -s)" "$(uname -m)" "$(uname -r)" "$($dk --version)" 
for i in python:3.8-slim-buster ghcr.io/clamsproject/clams-python:0.5.3 docker.io/clamsproject/clams-python:0.5.2 ; do
    $dk rmi $i ; $dk run --rm $i pip install dateutils
done

It will try to install a simple pypi package using three different images, and only one of them (python:3.8-slim-buster) is built for x64 AND arm64. Hence, if you run the script on x64/x86 machines, it'll be okay. But on arm-based machines (such as Apple silicon), the second and third images are either unavailable to pull or failing to run pip install because of SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] ...) errors.

Expected behavior

No response

Screenshots

![DESCRIPTION](LINK.png)

Browsers

No response

OS

No response

Additional context

No response

[keighrim]

To fix this, I suggest we additionally build and push multi-platform images.