Open tk0miya opened 1 month ago
The error is resolved and the dev container starts fine if I modify bootstrap.Dockerfile to run apk add before modifying the TLS certs.
diff -u bootstrap.Dockerfile.orig bootstrap.Dockerfile /var/folders/nz/kb5b16w96bb3f66zc4k784z40000gn/T/vsch/bootstrap-image/0.375.1
--- bootstrap.Dockerfile.orig 2024-07-29 03:18:00
+++ bootstrap.Dockerfile 2024-07-29 03:18:10
@@ -1,10 +1,5 @@
FROM mcr.microsoft.com/devcontainers/base:0-alpine-3.16
-COPY host-ca-certificates.crt /tmp/host-ca-certificates.crt
-RUN cat /tmp/host-ca-certificates.crt >> /etc/ssl/certs/ca-certificates.crt
-RUN csplit -f /usr/local/share/ca-certificates/host-ca-certificate- -b '%02d.pem' -z -s /tmp/host-ca-certificates.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
-ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
-
# Avoiding OpenSSH >8.8 for compatibility for now: https://github.com/microsoft/vscode-remote-release/issues/7482
RUN echo "@old https://dl-cdn.alpinelinux.org/alpine/v3.15/main" >> /etc/apk/repositories
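Review bot: moving the COPY/cat/csplit/ENV block out of the position before the apk repository setup means the host CA certificates are no longer trusted during the `apk add` that follows, so on the corporate networks this block exists for (a TLS-intercepting proxy whose private root is among the exported host certificates) `apk add` would now fail instead of succeeding; before accepting the reorder it is worth establishing why the appended bundle breaks TLS to dl-cdn.alpinelinux.org here, for example by checking that the image's original /etc/ssl/certs/ca-certificates.crt ends with a newline before `cat ... >>` appends to it, and by running `openssl verify -CAfile` with the modified bundle against the mirror's certificate chain to see which entry upsets the parser.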
@@ -21,6 +16,11 @@
openssh-client-default@old \
;
+COPY host-ca-certificates.crt /tmp/host-ca-certificates.crt
+RUN cat /tmp/host-ca-certificates.crt >> /etc/ssl/certs/ca-certificates.crt
+RUN csplit -f /usr/local/share/ca-certificates/host-ca-certificate- -b '%02d.pem' -z -s /tmp/host-ca-certificates.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
+ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+
RUN npm config set cafile /etc/ssl/certs/ca-certificates.crt && cd && npm i node-pty || echo "Continuing without node-pty."
COPY .vscode-remote-containers /root/.vscode-remote-containers
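Review bot: the relocated lines still only append raw PEM text to ca-certificates.crt and csplit the same file into /usr/local/share/ca-certificates without ever running update-ca-certificates, so the host-ca-certificate-NN.pem files are dead output and the bundle receives unchecked appends (no newline guard between the old last line and the first appended cert, no duplicate detection; the duplicate ISRG Root X1 warning later in this thread shows host roots that Alpine already ships being added a second time). Consider dropping the `RUN cat /tmp/host-ca-certificates.crt >> /etc/ssl/certs/ca-certificates.crt` line and adding `RUN update-ca-certificates` after the csplit (requires the ca-certificates package), which rebuilds ca-certificates.crt from /usr/local/share/ca-certificates with deduplication; NODE_EXTRA_CA_CERTS and the later `npm config set cafile` can keep pointing at the rebuilt bundle.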
I'm not sure where this certs file came from and why it's needed, but it seems broken in my environment.
We read the OS certificates with /usr/bin/security find-certificate -a -p on macOS and add these to the container to support corporate environments with custom certificates. Not sure why these certificates break access to dl-cdn.alpinelinux.org for you.
Thank you for the hint.
As a trial, I removed one of the certificate entries from /etc/ssl/certs/ca-certificates.crt. Then "apk add" works fine. The certificate I removed is issued by Apple (CN=com.apple.kerberos.kdc).
$ openssl x509 -text -noout -in out.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1982988364 (0x7632004c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=com.apple.kerberos.kdc, O=System Identity
Validity
Not Before: Jun 12 13:35:19 2020 GMT
Not After : Jun 7 13:35:19 2040 GMT
Subject: CN=com.apple.kerberos.kdc, O=System Identity
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:com.apple.kerberos.kdc
X509v3 Extended Key Usage:
TLS Web Server Authentication, Signing KDC Response
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
$ openssl verify out.crt
CN=com.apple.kerberos.kdc, O=System Identity
error 18 at 0 depth lookup: self-signed certificate
error out.crt: verification failed
That shouldn't affect verification of the certificate for dl-cdn.alpinelinux.org. What are the certificates in ca-certificates.crt right before and right after this certificate? Does removing some other certificate instead of this one also make it work, or did you try one after the other to find this one? What is the size of ca-certificates.crt?
What are the certificates in ca-certificates.crt right before and right after this certificate?
This is the last entry in my ca-certificates.crt. The entry before it is CN=com.apple.systemdefault.
Does removing some other certificate instead of this also make it work or did you try one after the other to find this one?
Surprisingly, it also works fine if I remove a different one instead (e.g. the second from last, the third from last, ...).
What is the size of ca-certificates.crt?
root ➜ / $ ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 229217 Jul 25 16:48 /etc/ssl/certs/ca-certificates.crt
Does running update-ca-certificates show any relevant output? Does it also make it work (without removing any certificate)?
Does running update-ca-certificates show any relevant output?
I got a warning, but I'm not sure whether this is related.
root ➜ / $ update-ca-certificates
WARNING: Skipping duplicate certificate in file ca-cert-ISRG_Root_X1.pem
Does it also make it work (without removing any certificate)?
Unfortunately, no. The TLS error still happens.
BTW, there are 5 certificates copied from the host to /usr/local/share/ca-certificates on my PC. Two are root CAs, one was installed for a tech conference (unused now), and two are for Apple/macOS.
root ➜ /usr/local/share/ca-certificates $ ls
host-ca-certificate-00.pem host-ca-certificate-01.pem host-ca-certificate-02.pem host-ca-certificate-03.pem host-ca-certificate-04.pem
root ➜ /usr/local/share/ca-certificates $ openssl x509 -text -noout -in host-ca-certificate-00.pem | grep CN
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
root ➜ /usr/local/share/ca-certificates $ openssl x509 -text -noout -in host-ca-certificate-01.pem | grep CN
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject: C = US, O = Let's Encrypt, CN = R3
root ➜ /usr/local/share/ca-certificates $ openssl x509 -text -noout -in host-ca-certificate-02.pem | grep CN
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
root ➜ /usr/local/share/ca-certificates $ openssl x509 -text -noout -in host-ca-certificate-03.pem | grep CN
Issuer: CN = com.apple.systemdefault, O = System Identity
Subject: CN = com.apple.systemdefault, O = System Identity
root ➜ /usr/local/share/ca-certificates $ openssl x509 -text -noout -in host-ca-certificate-04.pem | grep CN
Issuer: CN = com.apple.kerberos.kdc, O = System Identity
Subject: CN = com.apple.kerberos.kdc, O = System Identity
In my case, removing the unused cert resolves the error, but I feel the true problem is not resolved yet. Does my error still need to be investigated for other people's sake?
Steps to Reproduce:
Does this issue occur when you try this locally?: Yes
Does this issue occur when you try this locally and all extensions are disabled?: Yes
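A check for the kind of bundle damage discussed in this thread, added here as an example (not code from the issue or from the Dev Containers extension): it splits a PEM bundle into blocks the way the Dockerfile's csplit does, fingerprints each block, and flags duplicate entries (the update-ca-certificates warning above), blocks whose DER does not parse, and a BEGIN marker glued onto the previous END line, which `cat host.crt >> ca-certificates.crt` produces when the existing bundle has no trailing newline. The sample bundle is constructed from minimal DER stand-ins, not real certificates.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_length_ok(der: bytes) -> bool:
    """True if der is a single DER SEQUENCE whose length header matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length byte
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_bundle(text: str) -> dict:
    """Count PEM blocks, fingerprint them, flag duplicates, malformed blocks and BEGIN markers not at line start."""
    glued = [m.start() for m in re.finditer(re.escape(BEGIN), text)
             if m.start() > 0 and text[m.start() - 1] != "\n"]
    blocks = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    seen, fps, dupes, bad = {}, [], [], []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                  # binascii.Error subclasses ValueError
            der = b""
        if not der_length_ok(der):
            bad.append(i)
            continue
        fp = hashlib.sha256(der).hexdigest()
        fps.append(fp)
        if fp in seen:
            dupes.append((seen[fp], i))     # (first index, later duplicate index)
        else:
            seen[fp] = i
    return {"count": len(blocks), "fingerprints": fps, "duplicates": dupes,
            "malformed": bad, "glued_begin": glued}


def pem(der: bytes) -> str:                 # DER -> PEM block, 64-char lines, trailing newline
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real X.509 certificates.
CERT_A = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
CERT_B = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
# Bundle missing its final newline, then `cat >>` appends A again (a duplicate) and a truncated block.
SAMPLE_BUNDLE = pem(CERT_A) + pem(CERT_B).rstrip("\n") + pem(CERT_A) + BEGIN + "\nMAMC\n" + END + "\n"
```

Run it against a real bundle with `inspect_bundle(open("/etc/ssl/certs/ca-certificates.crt").read())`; a non-empty glued_begin or malformed list is a bundle the TLS library may stop parsing early.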