openhab / openhab-docker

Repository for building Docker containers for openHAB
https://www.openhab.org/
Eclipse Public License 2.0

TLS root CA certificates problem #350

Closed Kavakuo closed 3 years ago

Kavakuo commented 3 years ago

Summary

Hey, I noticed problems with certain OpenHab addons that are caused by TLS certificate validation. I tried to figure out what the problem is, but the behavior is quite strange.

The following command fails with the OpenHab Docker image (latest-debian, currently 3.0.1) running on my Raspberry Pi 4.

$ docker run --rm -it --entrypoint /bin/bash openhab/openhab -c "curl https://google.com"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This indicates that there are some problems with the TLS root certificates on the OS layer. This also explains why OpenHab addons fail to perform a TLS handshake. The first thing I tried was to fix this; it turns out that it can be solved by the following:

$  docker run --rm -it --entrypoint /bin/bash openhab/openhab -c "update-ca-certificates --fresh && curl https://google.com"
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
126 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

The strange thing is that the problem does not occur with the same image on my (Intel) Mac, and the problem also does not occur when I build the OpenHab image directly on my Raspberry.

Can anyone reproduce this behavior?

Expected Behavior

TLS handshakes should work without any problem.

Possible Solution

Adding update-ca-certificates --fresh to the Dockerfile should fix the problem. But I suggest finding the root problem first. Since it works on a different architecture with the same image, this might be a problem with cross-building?

Steps to Reproduce

  1. Execute the following on a Raspberry Pi (4):
    docker run --rm -it --entrypoint /bin/bash openhab/openhab -c "curl https://google.com"

Your Environment

Image

Docker Host

wborn commented 3 years ago

Can anyone reproduce this behavior?

Yes, I also see this issue only on my Raspberry Pi. What also seems to fix it is apt-get remove/install ca-certificates. Updating the base image doesn't seem to fix it.

this might be a problem of using cross building?

That could be a cause. Might have a look later at what happens when the image is built on the native platform instead of using BuildKit/QEMU to build it.

wborn commented 3 years ago

It seems to be only an issue when building the image with QEMU.

It seems openssl rehash fails when installing the packages in QEMU. As a result some hash based symlinks are missing in /etc/ssl/certs.

If you run openssl rehash in the container afterwards, the certificates work properly again. There's also a c_rehash command that can be used to update them. That does seem to work well in QEMU, so we might want to run it during the build as a workaround to make sure the hashes are there.

I also found this discussion about it: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1667178.html
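The failure mode described in this thread (certificates present in /etc/ssl/certs, but the <subject_hash>.N symlinks that OpenSSL uses for lookup missing after a QEMU build) can be checked for directly, which is more precise than waiting for a curl or addon handshake to fail. The script below is an added example, not code from openhab-docker or from anyone in this thread. It counts the *.pem entries in a CA directory against the hash-style symlinks, reports whether the store is complete, and, when asked to fix it, rebuilds the links with openssl rehash or falls back to c_rehash (both commands named above). The default directory /etc/ssl/certs, the function names and the expected "ok"/"missing" output are this example's own choices.

```shell
#!/bin/sh
# Added example: detect missing OpenSSL hash symlinks in a CA directory and
# rebuild them. Not part of the openhab-docker project.

# Default CA directory on Debian-based images (the directory from the thread).
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# Count certificate entries (*.pem, files or symlinks) directly in a directory.
count_certs() {
    find "$1" -maxdepth 1 -name '*.pem' 2>/dev/null | wc -l | tr -d ' '
}

# Count OpenSSL hash symlinks: names of the form <8 hex digits>.<N>,
# e.g. 0a775a30.0, which "openssl rehash" / c_rehash create.
count_hash_links() {
    find "$1" -maxdepth 1 -type l 2>/dev/null \
        | sed 's#.*/##' \
        | grep -Ec '^[0-9a-f]{8}\.[0-9]+$' || true
}

# Print "ok" when every certificate has a hash link, otherwise "missing".
# A healthy Debian store has one hash link per *.pem entry.
check_hash_links() {
    certs=$(count_certs "$1")
    links=$(count_hash_links "$1")
    if [ "$certs" -gt 0 ] && [ "$links" -ge "$certs" ]; then
        echo ok
    else
        echo missing
    fi
}

# Rebuild the hash links, preferring "openssl rehash" (OpenSSL >= 1.1.0)
# and falling back to the c_rehash script mentioned in the thread.
rehash_dir() {
    if openssl rehash "$1" >/dev/null 2>&1; then
        echo "rehashed $1 with openssl rehash"
    elif command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$1" >/dev/null && echo "rehashed $1 with c_rehash"
    else
        echo "no rehash tool available" >&2
        return 1
    fi
}

# Usage: sh check-ca-hashes.sh [--fix] [directory]
# Prints the store status; with --fix, rehashes when links are missing.
if [ "$#" -gt 0 ]; then
    fix=0
    if [ "$1" = "--fix" ]; then
        fix=1
        shift
    fi
    dir="${1:-$CERT_DIR}"
    status=$(check_hash_links "$dir")
    echo "$dir: $status ($(count_certs "$dir") certs, $(count_hash_links "$dir") hash links)"
    if [ "$status" = "missing" ] && [ "$fix" -eq 1 ]; then
        rehash_dir "$dir"
    fi
fi
```

Run it inside the container as `sh check-ca-hashes.sh /etc/ssl/certs` to see whether the hash links are there, and with `--fix` to rebuild them; in a Dockerfile the same workaround is a single `RUN c_rehash /etc/ssl/certs` step after the packages are installed, which is the build-time fix wborn proposes above.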