Force update the image certificates bundle during build

Environment

Platform: Linux
Docker Version: 25.0.3
Node.js Version: 20.12.0
Image Tag: 20-alpine

This issue can happen in any docker image.

Expected Behavior

Any request to a valid https url with a valid certificate should return with no SSL/TLS issues.

Current Behavior

Requesting any website with a recently updated https certificate and issued from a recently updated root CA will fail.

Possible Solution

Include the appropriate command to update the certificates in the Dockerfiles. E.g.: apk add --upgrade --no-cache ca-certificates-bundle for the Alpine images.

Running this command in the latest node:20-alpine image as root will yield:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/1) Upgrading ca-certificates-bundle (20230506-r0 -> 20240226-r0)
OK: 10 MiB in 17 packages

This is my current workaround for this issue, it would be awesome to have this baked in the official images.

Steps to Reproduce

Given this command: docker run --rm -it node:20-alpine node -e 'const https=require("node:https");https.get("{URL}",(r)=>console.log(r.statusCode)).on("error",(e)=>console.error(e)) ;'
Replace {URL} with a website where the certificate was issued recently and the root for it is in the newly updated bundle but not in the previous bundle.
Run the command

Additional Information

Updating the base image might also give the desired result but is not as good as actually updating the certificates.
Sadly, I can't share the actual URL where I've caught this issue and couldn't find another one to better illustrate the test case. What I can say is that it is using a Goddady issued certificate that was issued yesterday (2024-03-31).

nodejs / docker-node

Force update the image certificates bundle during build #2057