microsoft / wslg

Enabling the Windows Subsystem for Linux to include support for Wayland and X server related scenarios
MIT License

FYI issue reported to CBL-mariner: tdnf cannot install ca-certificates due to certificate error #1221

Open KarelChanivecky opened 3 months ago

KarelChanivecky commented 3 months ago

Windows build number:

n/a

Your Distribution version:

n/a

Your WSL versions:

n/a

Steps to reproduce:

I wasn't sure how to link a bug I created elsewhere to here, but I thought your team should know about this report I just submitted to CBL-mariner. There is a detailed description there: https://github.com/microsoft/azurelinux/issues/8593

In a few words, I suspect that a CA issuer in the chain for packages.microsoft.com has changed, and this has not been reflected in the base distro yet. Thus, one cannot build WSLg. The change must have happened within the last 3 weeks because it was previously working.

WSL logs:

No response

WSL dumps:

No response

Expected behavior:

No response

Actual behavior:

n/a

PawelWMS commented 3 months ago

After a quick look, it seems that the Dockerfile is using the 2.0.20231130 version of Azure Linux, which does not contain the updated set of trusted CAs. That includes the CAs which issued PMC's new certificates, and that's causing the issue. New certs are available starting from the 2.0.20240112 version.

I think a fix would be to update the Dockerfile. @hideyukn88, what do you think?

Workaround

Manually update Dockerfile to use a newer Azure Linux image.
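The check implied by the comment above, as an added example that is not part of the original thread or of the WSLg repository: it scans a Dockerfile's `FROM` lines and flags base images whose dated tag predates 2.0.20240112. The image path and the sample Dockerfile are constructed assumptions; only the two version numbers come from the thread.

```python
import re

MIN_TAG = "2.0.20240112"  # first release with the updated CAs, per the comment above

# Constructed Dockerfile; the image path is an assumption, not taken from the WSLg repo.
SAMPLE = """\
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0.20231130 AS build-env
RUN tdnf install -y ca-certificates
FROM build-env AS dev
FROM --platform=linux/arm64 mcr.microsoft.com/cbl-mariner/base/core:2.0.20240112 AS runtime
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS floating
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
DATED_TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d{8})$")


def parse_tag(tag):
    """'2.0.20231130' -> (2, 0, 20231130); None for anything that is not a dated release."""
    m = DATED_TAG_RE.match(tag)
    return tuple(map(int, m.groups())) if m else None


def audit(dockerfile_text, min_tag=MIN_TAG):
    """Return (line_no, image_ref, verdict) for every FROM that pulls a base image."""
    floor = parse_tag(min_tag)
    stages, findings = set(), []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        is_stage = ref.lower() in stages or ref.lower() == "scratch"
        if alias:
            stages.add(alias.lower())
        if is_stage:
            continue  # earlier build stage or empty image: no CA bundle of its own
        # Only a ':' in the last path component is a tag (a registry port is not).
        tag = ref.rsplit(":", 1)[1] if ":" in ref.rsplit("/", 1)[-1] else ""
        version = parse_tag(tag)
        if version is None:
            verdict = "unpinned"  # floating tag, digest or no tag: CA set cannot be inferred
        else:
            verdict = "stale-ca" if version < floor else "ok"
        findings.append((no, ref, verdict))
    return findings


if __name__ == "__main__":
    for no, ref, verdict in audit(SAMPLE):
        print(f"line {no}: {ref} -> {verdict}")
```
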

hideyukn88 commented 3 months ago

@KarelChanivecky, thanks for reporting the issue. @PawelWMS, yes, that sounds good, I will make that change, thanks!

kasperk81 commented 1 week ago

@PawelWMS do you guys have an irc channel to talk about packages issues / status? someone updated the manifest half an hour ago and now we can't install anything.

root [ / ]# curl -s https://packages.microsoft.com/azurelinux/3.0/preview/base/aarch64/repodata/repomd.xml | grep timestamp
    <timestamp>1718979344</timestamp>
    <timestamp>1718979344</timestamp>
    <timestamp>1718979344</timestamp>
root [ / ]# tdnf install nano
Loaded plugin: tdnfrepogpgcheck
nano package not found or not installed
Error(1011) : No matching packages

if it was fedora or ubuntu, we would have asked someone on irc by now.. please have some gatekeeper to protect from chaotic situations like these and provide means for us to report these issues like other distros. thanks!