docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Missing root CA in Buster images #436

Closed sebelsc closed 3 years ago

sebelsc commented 3 years ago

There might be a missing root CA in the images openjdk:11.0.8-jdk-buster and openjdk:11.0.8-buster (those are the two I tested; the issue might be in other images as well). We discovered this issue in an application that sends push notifications to Apple's push infrastructure using the URL api.push.apple.com. This failed when using those two images because of an SSL error which boiled down to this:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[na:na]
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.internal.tcnative.SSL.readFromSSL(Native Method) ~[netty-tcnative-boringssl-static-2.0.34.Final.jar:2.0.34.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:596) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1203) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1325) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1368) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1380) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
    ... 21 common frames omitted
    Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1288) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1249) ~[netty-handler-4.1.52.Final.jar:4.1.52.Final]
        ... 25 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
    ... 35 common frames omitted

After further testing with openssl in these two images I could verify this problem by calling: openssl s_client -connect api.push.apple.com:443, which led to this output:

CONNECTED(00000003)
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIljCCB36gAwIBAgIQdSHfCVs4iuOJe4Ja2rbxdjANBgkqhkiG9w0BAQsFADBi
MRwwGgYDVQQDExNBcHBsZSBJU1QgQ0EgMiAtIEcxMSAwHgYDVQQLExdDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTETMBEGA1UEChMKQXBwbGUgSW5jLjELMAkGA1UEBhMC
VVMwHhcNMTkwMzE0MTc1MDEwWhcNMjEwNDEyMTc1MDEwWjB7MRswGQYDVQQDDBJh
cGkucHVzaC5hcHBsZS5jb20xJTAjBgNVBAsMHG1hbmFnZW1lbnQ6aWRtcy5ncm91
cC41MzM1OTkxEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3Ju
aWExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tWbNpQnuwvVCjPhif9E3mYASUhteM5FWWFDIjkZ8dHPuhXnk8NX46My2VTQeEHS8
OGgfG8ruloU7syiRZSkCkq6WaosPXMJ+eBRbHVqGAIClBE/LdCd6uMoMYbMOX3W2
ch9Q5mDrO0IOCOEnGhzFQNwF0xfRcRwG1+tw7CQpIfR9XoKkyxBZ8LQfCX7NNcmH
DHS26F9jFaCrS/CnK/rzTl31PBJOhq42VsqfYo9vGp0JQxJgN9R6/EAvEDwCmc5L
U5ZBxMVo2LvH9mXn3J7+VuZz1yEsLSQfLhWiH9mDuEAWn5MGJU9CjnY8zdvEAxk7
OVfwhcn6L/SrMAZlHja2VwIDAQABo4IFLTCCBSkwDAYDVR0TAQH/BAIwADAfBgNV
HSMEGDAWgBTYepREfJBwkBae3RecAUQDhtYqKTB+BggrBgEFBQcBAQRyMHAwNAYI
KwYBBQUHMAKGKGh0dHA6Ly9jZXJ0cy5hcHBsZS5jb20vYXBwbGVpc3RjYTJnMS5k
ZXIwOAYIKwYBBQUHMAGGLGh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBw
bGVpc3RjYTJnMTIwMHwGA1UdEQR1MHOCEmFwaS5wdXNoLmFwcGxlLmNvbYIYYXBp
LWNhcnJ5LnB1c2guYXBwbGUuY29tghVtci1hcGkucHVzaC5hcHBsZS5jb22CFXB2
LWFwaS5wdXNoLmFwcGxlLmNvbYIVc3QtYXBpLnB1c2guYXBwbGUuY29tMIH/BgNV
HSAEgfcwgfQwgfEGCiqGSIb3Y2QFCwQwgeIwgaQGCCsGAQUFBwICMIGXDIGUUmVs
aWFuY2Ugb24gdGhpcyBjZXJ0aWZpY2F0ZSBieSBhbnkgcGFydHkgYXNzdW1lcyBh
Y2NlcHRhbmNlIG9mIGFueSBhcHBsaWNhYmxlIHRlcm1zIGFuZCBjb25kaXRpb25z
IG9mIHVzZSBhbmQvb3IgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRz
LjA5BggrBgEFBQcCARYtaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVh
dXRob3JpdHkvcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATA3BgNV
HR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmFwcGxlLmNvbS9hcHBsZWlzdGNhMmcx
LmNybDAdBgNVHQ4EFgQUrKXVnJ+gzUh8UQ2Yfz/rnudZxT4wDgYDVR0PAQH/BAQD
AgWgMIICbwYKKwYBBAHWeQIEAgSCAl8EggJbAlkAdQCkuQmQtBhYFIe7E6LMZ3AK
PDWYBPkb37jjd80OyA3cEAAAAWl9XIxaAAAEAwBGMEQCID+yu2PPyWszJnLFzyue
exKgs0Id8nTEUE6GSyNx/VBjAiBB13SWmcPE95+UFdQ7VHP6gi9K2afgIUVtAXXF
RM72dgB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABaX1cjFsA
AAQDAEgwRgIhAPewM38VBwGeNFF711tlWb7fB7n7DmVyiTdLfsVQIWtWAiEA80WF
wc7XZECdkDCDcGT/mCYalBNqwvTi4vKQiI/iTdwAdgBVgdTCFpA2AUrqC5tXPFPw
wOQ4eHAlCBcvo6odBxPTDAAAAWl9XI8OAAAEAwBHMEUCIQCax8e/z0tOEV8rP/nX
AC6suCycpuNqXQYLE8ps7S1n4gIgZl/3/my5AzCV1FfGcx1qCAAomJkAmfob4o2J
qwNkscoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWl9XI9+
AAAEAwBHMEUCIAaCMiskTWo2MxgG1BDte1DHNwS4zAz6BuLzTf4oioshAiEA1IE2
NicxAfkVjHXe9mnDjBrm8m+ZBcUeM8RlgL+BmqwAdwBElGUusO7Or8RAB9io/ijA
2uaCvtjLMbU/0zOWtbaBqAAAAWl9XIxEAAAEAwBIMEYCIQCtgJpEU7feE/rovZN4
k93/zvhwVuUTkjOtFoKB0vkWvgIhALw0Pj/zdWLrax7wBInSqLVHWwERi7+kOsV/
GJrOuHKXMA0GCSqGSIb3DQEBCwUAA4IBAQB1iPfHUYVmVSlCXF1V06Z5Zr/Cualz
JGaLKm31trj7xS4+uQOU0pXRcecyKrpB+NgAQY2E+hlf83boXGlFytvgBuM9j3H/
tAb2S5HNum/AqP1VcYpUp6g46wpH1Fhau+XqVjjxD0xwC+CyAgUENGqMav1ly9A1
ZOGzDVGnNDb5EDx/Qbe6mxqp6Ls5NncAJ2cSlDKv4yhmqRA/sUf+xop9uLwAoOVz
8ykBTuJ904ys1gYTYem57o3kfFy3kpMMReUlTbt53zxY1/7v90UBoQzkqnegqD+N
Ygw1YsWvv4tTXCMGApjBxB+QMksN1OD7wpOl6NQZVtOG7T31COPQ4X+M
-----END CERTIFICATE-----
subject=CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US

issuer=CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

---
Acceptable client certificate CA names
C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
CN = Apple Application Integration 2 Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US
CN = Apple Corporate Authentication CA 1, OU = Certification Authority, O = Apple Inc., C = US
C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority
CN = Apple Corporate Root CA, OU = Certification Authority, O = Apple Inc., C = US
C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Application Integration Certification Authority
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4599 bytes and written 420 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---

This command works fine on my local machine.

Updating the ca-certificates did not help with this problem.
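The s_client output above already contains the diagnosis: the server sends the leaf and the "Apple IST CA 2 - G1" intermediate, and the intermediate's issuer ("GeoTrust Global CA") is not in the chain, so it has to come from the container's CA bundle; verify error 20 means the bundle did not have it. The script below is an added example (not code from the issue or from the docker-library images) that automates that check: it parses the "Certificate chain" section of `openssl s_client` output, names the root the chain requires, and tests whether a trust-store listing in the shape returned by `ssl.SSLContext.get_ca_certs()` contains it. The sample output and the two trust-store listings are constructed for the example; the CN-only match in `root_in_store` is a heuristic assumed for the diagnostic, not how real path validation works.

```python
"""Diagnose a missing root CA from `openssl s_client -connect host:443` output.

Added example, not code from the issue or the docker-library images. It finds
the issuer of the last certificate the server sent (the root the client's
trust store must supply) and checks a get_ca_certs()-shaped listing for it.
"""
import re
import ssl

# Constructed sample: the chain and verify lines from the s_client output in
# the issue, with the PEM body and handshake details omitted.
SAMPLE_OUTPUT = """\
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed trust-store listings in get_ca_certs() shape: one carrying the
# GeoTrust root and one, like the affected image's bundle, without it.
STORE_WITH_ROOT = [{"subject": ((("countryName", "US"),),
                                (("organizationName", "GeoTrust Inc."),),
                                (("commonName", "GeoTrust Global CA"),))}]
STORE_WITHOUT_ROOT = [{"subject": ((("countryName", "US"),),
                                   (("organizationName", "Example Org"),),
                                   (("commonName", "Example Root CA"),))}]

_CHAIN_LINE = re.compile(r"\s*(?:\d+\s+)?([si]):(.*)$")


def parse_chain(output):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":
            break
        m = _CHAIN_LINE.match(line)
        if not m:
            continue
        kind, dn = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = dn
        else:
            chain.append((subject, dn))
    return chain


def dn_attr(dn, attr):
    """Pull one attribute (e.g. "CN") out of an OpenSSL-style "A = v, B = w" DN."""
    for part in dn.split(", "):
        key, _, value = part.partition(" = ")
        if key.strip() == attr:
            return value.strip()
    return None


def required_root(chain):
    """First issuer DN that no presented certificate carries as its subject.

    Servers send the leaf plus intermediates and rely on the client for the
    root, so this is the certificate the local CA bundle must contain.
    """
    subjects = {subject for subject, _ in chain}
    for subject, issuer in chain:
        if issuer != subject and issuer not in subjects:
            return issuer
    return None  # chain already ends in a self-signed certificate


def verify_return_code(output):
    """(code, message) from the "Verify return code:" line, or None."""
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    return (int(m.group(1)), m.group(2)) if m else None


def root_in_store(issuer_dn, ca_certs):
    """True if a store entry's subject CN equals the issuer's CN (heuristic only)."""
    wanted = dn_attr(issuer_dn, "CN")
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            if any(a == "commonName" and v == wanted for a, v in rdn):
                return True
    return False


def diagnose(output, ca_certs):
    """Summarise the chain and whether the given store can complete it."""
    chain = parse_chain(output)
    root = required_root(chain)
    code = verify_return_code(output)
    return {"chain_length": len(chain), "required_root": root,
            "verify_code": code[0] if code else None,
            "root_in_store": root_in_store(root, ca_certs) if root else True}


if __name__ == "__main__":
    # Check against the running system's default bundle (what the image ships).
    # With a hashed CA directory instead of one bundle file, get_ca_certs()
    # may list only the certificates OpenSSL has loaded so far.
    print(diagnose(SAMPLE_OUTPUT, ssl.create_default_context().get_ca_certs()))
```

Run inside the affected image with the real `openssl s_client` output piped in: a `required_root` that is not in the store explains the `PKIX path building failed` seen by the JVM, since the JVM's `cacerts` in these images is derived from the same system bundle. Paste the output from a host where the connection works to confirm that only the store differs, not the chain the server sends.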

wglambert commented 3 years ago

See https://github.com/docker-library/buildpack-deps/issues/115 There's an open bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596

this root CA is also used in Apple's APNS (Push) endpoints. With the update, systems are not able to connect anymore to this service to deliver notifications to iOS and macOS devices.

Someone posted a workaround here https://github.com/docker-library/tomcat/issues/208#issuecomment-679369878

sebelsc commented 3 years ago

Oh, looks like I googled the wrong phrases, I did not find anything. Thank you for the help and information.

wglambert commented 3 years ago

Going to close to consolidate to https://github.com/docker-library/buildpack-deps/issues/115 and https://github.com/docker-library/tomcat/issues/208