crops / poky-container

A container image that is able to run bitbake/poky. It has helpers to create users and groups within the container. This is so that the output generated in the container will be readable by the user on the host.
GNU General Public License v2.0

Lets Encrypt root ssl cert expired #68

Closed jcormier closed 3 years ago

jcormier commented 3 years ago

The Let's Encrypt root certificate expired 4 days ago. Since then some of our builds have been failing to check out. https://letsencrypt.org/docs/certificate-compatibility/

The Ubuntu 16.04 image appears to work but the 18.04 and 20.04 likely need to be rebuilt. For non-Docker builds, an apt update && apt upgrade was enough to fix the build.

 $ docker run -it --rm crops/poky:ubuntu-16.04  git clone https://git.linaro.org/toolchain/gcc.git/
Cloning into 'gcc'...
remote: Enumerating objects: 74482, done.
...
 $ docker run -it --rm crops/poky:ubuntu-18.04  git clone https://git.linaro.org/toolchain/gcc.git/
Cloning into 'gcc'...
fatal: unable to access 'https://git.linaro.org/toolchain/gcc.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

 $ docker run -it --rm crops/poky:ubuntu-20.04  git clone https://git.linaro.org/toolchain/gcc.git/
Cloning into 'gcc'...
fatal: unable to access 'https://git.linaro.org/toolchain/gcc.git/': server certificate verification failed. CAfile: none CRLfile: none

jcormier commented 3 years ago

--Is the docker image using poky provided ca-certificates?--

pokyuser@2a66f5998236:~$ env | grep opt
SSL_CERT_FILE=/opt/poky/3.1.3/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
GIT_SSL_CAINFO=/opt/poky/3.1.3/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
PATH=/opt/poky/3.1.3/sysroots/x86_64-pokysdk-linux/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
OPENSSL_CONF=/opt/poky/3.1.3/sysroots/x86_64-pokysdk-linux/etc/ssl/openssl.cnf

Edit: This is for the 16.04 container only which does work.

jcormier commented 3 years ago

I was able to manually update the ca-certificates on the 20.04 image and afterward the git clone worked.

 $ docker run -it --rm --entrypoint= -u0:0 crops/poky:ubuntu-20.04 bash
root@2fc60764a6dd:/home/yoctouser# echo "flags are: [[$-]]"^C
root@2fc60764a6dd:/home/yoctouser# ca-certificates^C
root@2fc60764a6dd:/home/yoctouser#  git clone https://git.linaro.org/toolchain/gcc.git/
Cloning into 'gcc'...
fatal: unable to access 'https://git.linaro.org/toolchain/gcc.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
root@2fc60764a6dd:/home/yoctouser# apt update
Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [581 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal InRelease 
Get:4 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1,135 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]     
Get:6 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [795 kB]
Get:7 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.1 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]                   
Get:9 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [33.3 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [632 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,083 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,581 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [6,310 B]
Get:14 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [2,668 B]
Fetched 6,207 kB in 1s (4,248 kB/s)                           
Reading package lists... Done
Building dependency tree       
Reading state information... Done
91 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@2fc60764a6dd:/home/yoctouser# apt install ca-certificates
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libexpat1-dev libpython3-dev libpython3.8 libpython3.8-dev python-pip-whl python3-dev python3-wheel python3.8-dev
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 90 not upgraded.
Need to get 145 kB of archives.
After this operation, 1,024 B disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 ca-certificates all 20210119~20.04.2 [145 kB]
Fetched 145 kB in 0s (315 kB/s)          
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 29861 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~20.04.2_all.deb ...
Unpacking ca-certificates (20210119~20.04.2) over (20210119~20.04.1) ...
Setting up ca-certificates (20210119~20.04.2) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Processing triggers for ca-certificates (20210119~20.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@2fc60764a6dd:/home/yoctouser# git clone https://git.linaro.org/toolchain/gcc.git/
Cloning into 'gcc'...
remote: Enumerating objects: 74482, done.
...
root@2fc60764a6dd:/home/yoctouser# 
root@2fc60764a6dd:/home/yoctouser# exit

moto-timo commented 3 years ago

@jcormier All of the containers have been rebuilt. Can you check if the problem persists?

jcormier commented 3 years ago

18.04 and 20.04 both work for me now

$ docker run --pull always -it --rm crops/poky:ubuntu-18.04  git clone https://git.linaro.org/toolchain/gcc.git/
ubuntu-18.04: Pulling from crops/poky
284055322776: Pull complete 
204941d49ef6: Pull complete 
53ceec708585: Pull complete 
cd9635c01b89: Pull complete 
ba54220a97ab: Pull complete 
ea52e77b9dd9: Pull complete 
5bcbb0af992f: Pull complete 
b5c58c2b5663: Pull complete 
9fc6eede4179: Pull complete 
Digest: sha256:1a6e7132ee5678c87ce0ccab1651a2161b64ba790bfc490f6fe7ec77f155e6d6
Status: Downloaded newer image for crops/poky:ubuntu-18.04
Cloning into 'gcc'...
remote: Enumerating objects: 78317, done.
...

$ docker run --pull always -it --rm crops/poky:ubuntu-20.04  git clone https://git.linaro.org/toolchain/gcc.git/
ubuntu-20.04: Pulling from crops/poky
7b1a6ab2e44d: Pull complete 
0588af319eac: Pull complete 
868fc1fc44fd: Pull complete 
4f195ee83510: Pull complete 
d767af2de12c: Pull complete 
a0d49615aecb: Pull complete 
4d7f09e8cd5c: Pull complete 
9a95c38c521e: Pull complete 
ecb836adfaba: Pull complete 
Digest: sha256:de9908e77f947a6c3d241738b3c11bbb8c9fe05a275ab5114ec9e8d159c4300f
Status: Downloaded newer image for crops/poky:ubuntu-20.04
Cloning into 'gcc'...
remote: Enumerating objects: 78317, done.
...

moto-timo commented 3 years ago

@jcormier thank you for checking and closing the issue :)
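
Added example, not part of the original thread or of the crops/poky-container project: a way to audit the CA bundle inside an image for roots that are expired or about to expire, so a stale bundle is noticed before clones start failing. It goes slightly beyond the thread by accepting a look-ahead window. It assumes the `openssl` CLI is on the PATH; the script name and the two self-signed sample certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): list the certificates in a PEM CA
# bundle that are expired, or that expire within WINDOW seconds (default 0).
# Usage: sh audit-bundle.sh [BUNDLE [WINDOW]]    (script name is hypothetical)

NL='
'

# Prints one line (end date and subject) per flagged certificate in BUNDLE.
expiring_certs() (
    bundle=$1 window=${2:-0} pem=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "-----BEGIN CERTIFICATE-----") pem=$line ;;
            "-----END CERTIFICATE-----")
                [ -n "$pem" ] || continue        # stray END without BEGIN
                pem=$pem$NL$line
                # -checkend exits non-zero when notAfter falls inside the window
                if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null 2>&1; then
                    printf '%s\n' "$pem" | openssl x509 -noout -enddate -subject | paste -sd' ' -
                fi
                pem= ;;
            *) if [ -n "$pem" ]; then pem=$pem$NL$line; fi ;;
        esac
    done < "$bundle"
    true
)

# Constructed sample input: two throwaway self-signed roots, valid 1 day and 10 years.
make_sample_bundle() (
    dir=$1
    : > "$dir/bundle.crt"
    for spec in short-lived:1 long-lived:3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
            -subj "/CN=constructed ${spec%%:*} root" -days "${spec##*:}" \
            >> "$dir/bundle.crt" 2>/dev/null
    done
    rm -f "$dir/key.pem"
)

if [ "$#" -gt 0 ]; then
    expiring_certs "$@"
else
    demo=$(mktemp -d) && make_sample_bundle "$demo"
    expiring_certs "$demo/bundle.crt" 2592000    # 30-day window flags the 1-day root
    rm -rf "$demo"
fi
```

Inside one of the images, pass the bundle path reported in the git error (`/etc/ssl/certs/ca-certificates.crt`) or the path held in `GIT_SSL_CAINFO`.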