Closed Kavakuo closed 3 years ago
Yes, I also see this issue, only on my Raspberry Pi. What also seems to fix it is apt-get remove/install ca-certificates. Updating the base image doesn't seem to fix it.
this might be a problem of using cross building?
That could be a cause. Might have a look later at what happens when the image is built on the native platform instead of using BuildKit/QEMU to build it.
It seems to be only an issue when building the image with QEMU.
It seems `openssl rehash` fails when installing the packages in QEMU. As a result some hash-based symlinks are missing in `/etc/ssl/certs`.
If you run `openssl rehash` in the container afterwards, the certificates again properly work. There's also a `c_rehash` command that can be used to update them. That does seem to work well in QEMU, so we might want to run it during the build as a workaround to make sure the hashes are there.
I also found this discussion about it: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1667178.html
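A diagnostic for the missing-symlink state described in the comment above, added here as an example; it is not code from this thread or from the openhab-docker project. It computes the same subject hash that `openssl rehash` uses for the link names, reports certificates in a directory that have no `<hash>.N` link, creates the missing links, and exposes the `-CApath` lookup that fails while they are absent. It assumes an `openssl` binary on PATH, certificate files named `*.pem` or `*.crt`, and hash links that are relative symlinks to the certificate's basename; those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the openhab-docker project or this thread.
# Checks whether every CA certificate in a directory has the subject-hash
# symlink ("<hash>.N") that OpenSSL's -CApath lookup needs, and creates the
# missing links the way `openssl rehash` / `c_rehash` would.
# Assumptions: an `openssl` binary is on PATH, certificate files end in .pem
# or .crt, and hash links are relative symlinks to the file's basename.
# Example: . ./hashlinks.sh; count_missing_links /etc/ssl/certs

# Subject-name hash OpenSSL uses as the link name (8 hex digits).
# Fails (non-zero) for files that are not X.509 certificates, e.g. keys.
cert_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# True if some "<dir>/<hash>.N" symlink already points at <basename>.
has_link_for() {
    dir="$1"; h="$2"; name="$3"
    for link in "$dir/$h".[0-9]*; do
        [ -L "$link" ] || continue
        if [ "$(readlink "$link")" = "$name" ]; then
            return 0
        fi
    done
    return 1
}

# Print the number of certificates in <dir> that have no hash link;
# each offender is described on stderr.
count_missing_links() {
    dir="${1:-/etc/ssl/certs}"
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert") || continue        # skip keys and non-certs
        name=$(basename "$cert")
        if ! has_link_for "$dir" "$h" "$name"; then
            echo "missing: $dir/$h.N -> $name" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Create the missing links, picking the lowest free suffix N per hash so
# certificates whose subjects collide keep distinct names. Prints how many
# links were added.
add_hash_links() {
    dir="${1:-/etc/ssl/certs}"
    added=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert") || continue
        name=$(basename "$cert")
        if has_link_for "$dir" "$h" "$name"; then
            continue
        fi
        n=0
        while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$name" "$dir/$h.$n"
        added=$((added + 1))
    done
    echo "$added"
}

# Chain-build a certificate using <dir> as -CApath; this is the hashed
# lookup that fails when the links are missing, even though the PEM file
# itself is present in the directory.
verify_via_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run `count_missing_links /etc/ssl/certs` inside the affected container to confirm the state the comment describes, and `add_hash_links` (as root) as a stopgap; `openssl rehash` or `update-ca-certificates --fresh` does the same job and also removes stale links, which this script deliberately does not touch.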
Summary
Hey, I noticed problems with certain OpenHab addons that are caused by TLS certificate validation. I tried to figure out what the problem is, but the behavior is quite strange.
The following command fails with the OpenHab Docker image (latest-debian, currently 3.0.1) running on my Raspberry Pi 4.
This indicates that there are some problems with the TLS root certificates on the OS layer. This also explains why OpenHab addons fail to perform a TLS handshake. The first thing I tried was to fix this; it turns out that it can be solved by the following:
The strange thing is that the problem does not occur with the same image on my (Intel) Mac and the problem also does not occur when I build the OpenHab image directly on my Raspberry.
Can anyone reproduce this behavior?
Expected Behavior
TLS handshakes should work without any problem.
Possible Solution
Adding `update-ca-certificates --fresh` to the Dockerfile should fix the problem. But I suggest finding the root problem first. Since it works on a different architecture with the same image, this might be a problem of using cross building?
Steps to Reproduce
Your Environment
Image
Docker Host