
Here is the console output (WSL2):

mark@L-R910LPKW:~/chip/toolbox-app/src $ sudo podman build . -t toolbox:0.0.1-debug
[sudo] password for mark:
STEP 1/4: FROM nginx:1.23.3-alpine-slim
STEP 2/4: RUN apk update &&     apk add --no-cache curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd &&     echo "nginx is up."  > /usr/share/nginx/html/index.html
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
484B47EDBF7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
WARNING: fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
484B47EDBF7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
2 errors; 19 distinct packages available
Error: error building at STEP "RUN apk update &&     apk add --no-cache curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd &&     echo "nginx is up."  > /usr/share/nginx/html/index.html": error while running runtime: exit status 2
mark@L-R910LPKW:~/chip/toolbox-app/src $

This happens on my work laptop where we have ZScaler installed. This means some sites are intercepted by it and it replaces the original certificates with its own ZScaler certificates.

Knowing this happens, I have installed these certificates and so there is no problem accessing these sites:

mark@L-R910LPKW:~/chip/toolbox-app/src $ find . -name APKINDEX.tar.gz
mark@L-R910LPKW:~/chip/toolbox-app/src $ curl -fLsO https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
mark@L-R910LPKW:~/chip/toolbox-app/src $ find . -name APKINDEX.tar.gz
./APKINDEX.tar.gz
mark@L-R910LPKW:~/chip/toolbox-app/src $

However, podman build seems not to find these certificates.

There is however something strange in the strace output:

mark@L-R910LPKW:~/chip/toolbox-app/src $ sudo strace --follow-forks podman build . -t toolbox:0.0.1-debug > 1.log 2>&1
mark@L-R910LPKW:~/chip/toolbox-app/src $ grep certs/ 1.log
[pid  3881] stat("/etc/ssl/certs/f36a1d00.0", 0x7ffe45493590) = -1 ENOENT (No such file or directory)
[pid  3881] stat("/etc/ssl/certs/57fdf5d1.0", 0x7ffe45493590) = -1 ENOENT (No such file or directory)
[pid  3881] stat("/etc/ssl/certs/9d934b85.0", 0x7ffe45493590) = -1 ENOENT (No such file or directory)
[pid  3881] stat("/etc/ssl/certs/9d934b85.0", 0x7ffe45493590) = -1 ENOENT (No such file or directory)
[pid  3881] stat("/etc/ssl/certs/f36a1d00.0",  <unfinished ...>
[pid  3881] stat("/etc/ssl/certs/57fdf5d1.0",  <unfinished ...>
[pid  3881] stat("/etc/ssl/certs/9d934b85.0",  <unfinished ...>
[pid  3881] stat("/etc/ssl/certs/9d934b85.0",  <unfinished ...>
mark@L-R910LPKW:~/chip/toolbox-app/src $

If I am reading it correctly, it cannot find the file /etc/ssl/certs/f36a1d00.0, however the file clearly exists:

mark@L-R910LPKW:~/chip/toolbox-app/src $ ls -l /etc/ssl/certs/f36a1d00.0
lrwxrwxrwx 1 root root 54 Oct 10 00:05 /etc/ssl/certs/f36a1d00.0 -> 'Zscaler_Intermediate_Root_CA_=zscalertwo.net=_=t=_.pem'
mark@L-R910LPKW:~/chip/toolbox-app/src $ ls -l '/etc/ssl/certs/Zscaler_Intermediate_Root_CA_=zscalertwo.net=_=t=_.pem'
lrwxrwxrwx 1 root root 87 Mar 31 12:59 '/etc/ssl/certs/Zscaler_Intermediate_Root_CA_=zscalertwo.net=_=t=_.pem' -> '/usr/local/share/ca-certificates/Zscaler Intermediate Root CA (zscalertwo.net) (t) .crt'
mark@L-R910LPKW:~/chip/toolbox-app/src $ ls -l '/usr/local/share/ca-certificates/Zscaler Intermediate Root CA (zscalertwo.net) (t) .crt'
-rw-r--r-- 1 root root 1537 Mar 31 12:59 '/usr/local/share/ca-certificates/Zscaler Intermediate Root CA (zscalertwo.net) (t) .crt'
mark@L-R910LPKW:~/chip/toolbox-app/src $

So what is the problem?

EDIT 1

My Dockerfile is:

FROM nginx:1.23.3-alpine-slim
RUN apk update && \
    apk add --no-cache curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd && \
    echo "nginx is up."  > /usr/share/nginx/html/index.html
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ping.url /

And building it works fine on a build agent, which does not have ZScaler installed.

I think I need to install the certificates in the image itself. Will check it now.

mark

1 Answer


I was too quick on the trigger. Indeed, mounting the certificates works. Here is the correct command:

sudo podman build . -t toolbox:0.0.1-debug -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates -v /etc/ssl/certs:/etc/ssl/certs

So I had to mount /usr/local/share/ca-certificates and /etc/ssl/certs.

mark
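The reason both directories have to be mounted is the two-hop symlink chain shown in the question: /etc/ssl/certs/f36a1d00.0 points at a .pem link in the same directory, which in turn points into /usr/local/share/ca-certificates. Mount only /etc/ssl/certs and the hashed links dangle, which is exactly the ENOENT that strace reported. The following shell script is an added example, not code from the question or answer; it checks a certs directory for symlinks whose final target does not resolve, and builds a constructed fake tree (placeholder file names, no real certificates) to show the host view versus a container that has only the first directory mounted. The function name check_ca_links is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): find CA symlinks in a certs
# directory whose final target does not exist. A hashed link such as
#   f36a1d00.0 -> Foo.pem -> /usr/local/share/ca-certificates/Foo.crt
# dangles inside a build container that mounts only /etc/ssl/certs, so
# OpenSSL's lookup by subject hash fails with ENOENT and verification breaks.

# check_ca_links DIR: print every dangling symlink in DIR; return 1 if any.
check_ca_links() {
    dir="$1"
    rc=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue          # only symlinks are of interest
        # test -e follows the whole chain, so a broken hop anywhere fails it
        if [ ! -e "$link" ]; then
            printf 'dangling: %s -> %s\n' "$link" "$(readlink "$link")"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: mirror the two-hop chain from the question under a temp
# dir, check it, then remove the source directory the way an unmounted
# /usr/local/share/ca-certificates would be absent in the container.
demo_certs() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/share/ca-certificates" "$tmp/etc/ssl/certs"
    # placeholder content; a real .crt would hold a PEM certificate
    printf 'constructed placeholder, not a real certificate\n' \
        > "$tmp/usr/local/share/ca-certificates/Example_Root.crt"
    ln -s "$tmp/usr/local/share/ca-certificates/Example_Root.crt" \
        "$tmp/etc/ssl/certs/Example_Root.pem"
    ln -s Example_Root.pem "$tmp/etc/ssl/certs/deadbeef.0"

    if check_ca_links "$tmp/etc/ssl/certs"; then
        echo "host view: all links resolve"
    fi

    rm -rf "$tmp/usr/local/share/ca-certificates"
    if ! check_ca_links "$tmp/etc/ssl/certs"; then
        echo "container view (source dir not mounted): dangling links found"
    fi
    rm -rf "$tmp"
}

demo_certs
```

Running check_ca_links against /etc/ssl/certs on the host should print nothing; running it inside a container that received only one of the two mounts shows which links are broken, which is a quicker diagnosis than strace.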