unable to add certificates to alpine linux container
Problem description
I have a small python app inside an alpine linux container, here is the dockerfile:
FROM alpine
# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
&& pip2 install --upgrade pip \
&& pip2 install flask
# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py
# app dir
RUN mkdir ${APP_DIR} \
&& chown -R nginx:nginx ${APP_DIR} \
&& chmod 777 /run/ -R \
&& chmod 777 /root/ -R
VOLUME [${APP_DIR}]
WORKDIR ${APP_DIR}
# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]
This worked fine 2 weeks ago, but when I tried to rebuild it recently I got this error:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping
So I checked those files, and found that for some reason the file ca-certificates.crt now has a chain of certificates. I found this on Stack Overflow:
/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.
But what changed? Why is this now a problem? So I tried reverting to an older version of alpine linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running
RUN update-ca-certificates
many certificates appear. Help?
Recommended answer
I think below worked for me (I was adding a root certificate on blackfire/blackfire image which extends from alpine):
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* \
&& mkdir /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra
RUN update-ca-certificates
I then logged into that VM and saw it has added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe I heard it takes each cert file from inside /usr/local/share/ca-certificates and merges them into the /etc/ssl/certs/ca-certificates.crt file).
Now you will probably get that 'does not contain exactly one certificate or CRL: skipping' error, but I heard that is fine.
https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."
https://github.com/gliderlabs/docker-alpine/issues/52 mentions:
"The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."
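An added example, not part of the original question or answer: a POSIX shell check that reports which files headed for /usr/local/share/ca-certificates hold exactly one certificate, the condition named in the warning. Assuming key.pem in the question holds a private key, it contains no certificate at all, which matches the warning on ca-cert-mykey.pem.pem. The function names, the script name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check files before copying them into
# /usr/local/share/ca-certificates. It only counts PEM markers; it does not
# validate certificates or reimplement update-ca-certificates.

# Classify one file: ok | private-key | no-cert | bundle:N | unreadable
classify_pem() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo private-key; return 0
    fi
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    case $n in
        1) echo ok ;;
        0) echo no-cert ;;
        *) echo "bundle:$n" ;;
    esac
}

# Report every regular file in a directory; return 1 if any is not "ok".
check_ca_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        st=$(classify_pem "$f")
        printf '%s: %s\n' "${f##*/}" "$st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Write constructed sample files (fake PEM bodies, not real keys or certs).
make_samples() {
    cert='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----'
    printf '%s\n' "$cert" > "$1/mycert.pem"
    printf '%s\n%s\n' "$cert" "$cert" > "$1/ca-certificates.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/mykey.pem"
}

# Usage: sh check_ca_dir.sh DIR   (script name is hypothetical)
if [ $# -gt 0 ]; then check_ca_dir "$1"; fi
```

Run against the build context before `docker build`, a non-zero exit points at the files that would be skipped, including a private key placed in the trust-store directory.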