dermotbradley / create-alpine-disk-image

Create cloud-init enabled Alpine disk images for physical machines (PCs & RPIs), VMs, and Cloud servers
GNU General Public License v2.0

Download of APKINDEX fails SSL certification validation #16

Closed tomastzn closed 2 years ago

tomastzn commented 2 years ago

Running the generated script does not produce any error, ends rather quickly (within a few seconds), and the log shows that SSL validation failed with permission denied. Below are the parameters used to generate the script:

  --script-filename create.sh
  --virtual vmware
  --timezone America/Toronto
  --ssh-public-key ../id_rsa.pub
  --release 3.15
  --ntp-use-host
  --add-packages open-vm-tools

And below is the log:

[2022-03-05 18:59:36] Creating sparse disk image of 265MiB
[2022-03-05 18:59:36] Partitioning disk image for BIOS
[2022-03-05 18:59:36] Setting up loop device for disk image
[2022-03-05 18:59:36] Formatting and mounting filesystems
[2022-03-05 18:59:36]   Formatting Ext4 root filesystem on partition
[2022-03-05 18:59:36]   Mounting root filesystem onto ./chroot
[2022-03-05 18:59:36] Downloading statically built APK tool for x86_64 arch
[2022-03-05 18:59:39] Copying system's /etc/resolv.conf into chroot filesystem
[2022-03-05 18:59:39] Creating /etc/apk/repositories file inside chroot
[2022-03-05 18:59:39] Bootloader packages to be installed are: syslinux
[2022-03-05 18:59:39] Install base Alpine (plus bootloader packages) inside chroot
fetch https://alpine.global.ssl.fastly.net/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
6907320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://alpine.global.ssl.fastly.net/alpine/v3.15/main: Permission denied
WARNING: Ignoring https://alpine.global.ssl.fastly.net/alpine/v3.15/main: No such file or directory
ERROR: unable to select packages:
  alpine-base (no such package):
    required by: world[alpine-base]
  syslinux (no such package):
    required by: world[syslinux]

dermotbradley commented 2 years ago

This was an issue with apk.static having hardcoded paths for where to find a ca.pem file (for HTTPS use) which only worked on Alpine machines. I had already encountered this issue and developed a workaround - it has now been committed.

Regarding the options you are using with the script:

   --add-packages open-vm-tools

You don't need to specify this as when you specify "--virtual vmware" this will add the open-vm-tools packages and enable the init.d script for it, as can be seen here:

https://github.com/dermotbradley/create-alpine-disk-image/blob/main/lib/vm-functions#L284

and

https://github.com/dermotbradley/create-alpine-disk-image/blob/main/lib/services-functions#L1060

   --ntp-use-host

This option is not yet functional - changes are required in Alpine's (and upstream's) eudev rules and also code changes in cloud-init itself which I am working on. I will shortly be submitting these changes to both upstream and to the Alpine packages.
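
The failure above is the static apk looking for a CA bundle at an Alpine-only path while running on a different host, and the tempting shortcut is to turn certificate verification off. The shell functions below are an added example, not the project's own workaround: they locate a readable CA bundle on the build host and run the static apk with verification still on, refusing to proceed if no bundle is found. They assume the static apk's OpenSSL honours the standard SSL_CERT_FILE variable; if it does not, the located bundle would instead have to be placed at the path the binary has compiled in.

```shell
#!/bin/sh
# Added example (not code from create-alpine-disk-image). Find a CA bundle on
# a non-Alpine build host so a statically built apk can verify HTTPS repository
# fetches instead of having verification disabled.
# Assumption: the static apk's OpenSSL honours SSL_CERT_FILE.

# Print the first readable, non-empty PEM bundle among the candidate paths
# given as arguments; return 1 if none is usable.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ -r "$candidate" ] && [ -s "$candidate" ] \
           && grep -q 'BEGIN CERTIFICATE' "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usual bundle locations: Debian/Ubuntu and Alpine, Fedora/RHEL, openSUSE,
# and the extracted ca-trust bundle on RHEL-family hosts.
default_ca_candidates() {
    printf '%s\n' \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/ca-bundle.pem \
        /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
}

# Run the static apk binary ($1) with the remaining arguments, pointing
# OpenSSL at the host bundle. Fails closed rather than fetching unverified.
run_apk_static() {
    apk_bin=$1
    shift
    bundle=$(find_ca_bundle $(default_ca_candidates)) || {
        echo "no usable CA bundle found on host; refusing unverified fetch" >&2
        return 1
    }
    SSL_CERT_FILE=$bundle "$apk_bin" "$@"
}
```

A typical call from a build script would be `run_apk_static ./apk.static --root ./chroot --initdb add alpine-base`, with the apk path and arguments being whatever the generated script already uses.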

tomastzn commented 2 years ago

Thank you, I will give it another test in coming days.