docker-library / buildpack-deps

MIT License

ca-certificates error in debian upstream #115

Closed nevans closed 3 years ago

nevans commented 4 years ago

There's a serious bug in debian that I'm really surprised hasn't been urgently fixed.

Debian recently (incorrectly) removed trust for GeoTrust Global CA:

GeoTrust Global CA is used by Apple, among others. E.g., try to run the following:

docker run --rm -it buildpack-deps:latest openssl s_client -verify_return_error -showcerts -connect imap.mail.me.com:993

My result:

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
139924179555456:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6095 bytes and written 315 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---

I can work around it for Apple and other GeoTrust-signed certs by placing the following into my Dockerfile:

RUN curl --max-time 300 --retry 5 --retry-delay 1 --retry-max-time 900 --silent -o /usr/local/share/ca-certificates/geotrust.crt https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
RUN update-ca-certificates

But I don't know if other certs are incorrectly removed (it seems likely from the bug report and changelog).
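Two checks a practitioner would want around the workaround above, as an added example (not code from the issue or from the buildpack-deps project): the first parses the openssl s_client failure quoted in the report and tells a missing trust-store root (verify codes 2, 19, 20, 21) from errors that installing a CA cannot fix, such as an expired certificate or a hostname mismatch; the second computes the SHA-256 fingerprint of a fetched root PEM so it can be compared against a value pinned out of band before the file is copied into /usr/local/share/ca-certificates, since the curl step downloads the root without verifying it. S_CLIENT_OUTPUT is a constructed excerpt of the output shown in the issue.

```python
import base64
import hashlib
import re

# Constructed excerpt of the openssl s_client output quoted in the issue above.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
Verify return code: 19 (self signed certificate in certificate chain)
"""

# OpenSSL X509_V_ERR codes meaning the server's chain may be fine but the
# local trust store lacks the root (2, 19, 20, 21); anything else (expired,
# hostname mismatch, ...) is not fixed by installing a CA certificate.
MISSING_ROOT_CODES = {2, 19, 20, 21}

def classify_verify_failure(output):
    """Parse s_client output; return a dict describing the first verify error, or None."""
    last_depth = None
    for line in output.splitlines():
        d = re.match(r"depth=(\d+) (.*)", line)
        if d:  # remember the cert s_client was examining when the error fires
            last_depth = (int(d.group(1)), d.group(2).strip())
            continue
        e = re.match(r"verify error:num=(\d+):(.*)", line)
        if e:
            code = int(e.group(1))
            return {"code": code, "reason": e.group(2).strip(),
                    "depth": last_depth[0] if last_depth else None,
                    "subject": last_depth[1] if last_depth else None,
                    "missing_root": code in MISSING_ROOT_CODES}
    return None

def pem_sha256_fingerprint(pem_text):
    """SHA-256 fingerprint (AA:BB:...) of the DER inside the first PEM certificate block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def matches_pin(pem_text, pinned_fingerprint):
    """True only if the fetched PEM has the fingerprint you pinned out of band."""
    norm = lambda s: s.replace(":", "").strip().lower()
    return norm(pem_sha256_fingerprint(pem_text)) == norm(pinned_fingerprint)
```

Run update-ca-certificates only after matches_pin returns True for the downloaded file; a code other than those in MISSING_ROOT_CODES points at the server's certificate rather than the image's trust store.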

tianon commented 4 years ago

Unfortunately, as you've correctly noted, our ca-certificates package comes from Debian, so this bug really is properly reported at https://bugs.debian.org/962596. If/when the Debian package is fixed, our image will get the updated package.

tianon commented 3 years ago

(Closing, since this is properly tracked in https://bugs.debian.org/962596 and isn't something we can/will fix in our image.)