假设我所在的网络存在 MITM SSL 交换防火墙(google.com 不是由 Google 颁发,而是由自定义 CA 根权限重新颁发),这里有更多详细信息 https://security.stackexchange.com/questions/107542/公司到 MITM-https-traffic 的常见做法是否是 .
我有简单的 Dockerfile:
FROM alpine:latest
RUN apk --no-cache add curl
它因 SSL 错误而严重失败
=> ERROR [2/2] RUN apk --no-cache add curl 1.0s
------
> [2/2] RUN apk --no-cache add curl:
#5 0.265 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.647 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.649 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.649 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.938 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.940 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.941 ERROR: unable to select packages:
#5 0.942 curl (no such package):
#5 0.942 required by: world[curl]
------
executor failed running [/bin/sh -c apk --no-cache add curl]: exit code: 1
互联网上的每个教程都说我可以添加自己的“受信任”根证书并运行
update-ca-certificates但只能通过“apt add”添加。这种情况在我看来就是“先有鸡还是先有蛋”的问题。
FROM alpine:latest
USER root
RUN apk --no-cache add ca-certificates \
&& update-ca-certificates
错误类似
=> ERROR [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates 1.0s
------
> [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates:
#5 0.269 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.662 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.663 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.663 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.929 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.931 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.932 ERROR: unable to select packages:
#5 0.933 ca-certificates (no such package):
#5 0.933 required by: world[ca-certificates]
------
executor failed running [/bin/sh -c apk --no-cache add ca-certificates && update-ca-certificates]: exit code: 1
还有其他解决方案如何安装
update-ca-certificates谢谢
请参阅@kthompso 答案以获取工作解决方案。
工作解决方案(使用
update-ca-certificatesFROM alpine:latest
USER root
# To be able to download `ca-certificates` with `apk add` command
COPY my-root-ca.crt /root/my-root-ca.crt
RUN cat /root/my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt
# Add again root CA with `update-ca-certificates` tool
RUN apk --no-cache add ca-certificates \
&& rm -rf /var/cache/apk/*
COPY my-root-ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
RUN apk --no-cache add curl
编辑:我想到的一个解决方案是使用带有
-k
.apkupdate-ca-certificates手动将您的自签名证书附加到
/etc/ssl/certs/ca-certificates.crt假设您的构建目录中名为
my-cert.pemFROM alpine:latest
COPY my-cert.pem /usr/local/share/ca-certificates/my-cert.crt
RUN cat /usr/local/share/ca-certificates/my-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
apk --no-cache add \
curl
注意: 当您使用
update-ca-certificates/usr/local/share/ca-certificates//etc/ssl/certs/ca-certificates.crtupdate-ca-certificates这是 alpine docker 镜像的示例。
FROM haproxy:2.9.4-alpine
ADD cacert.crt /usr/local/share/ca-certificates/cacert.crt
USER root
RUN apk update \
&& apk upgrade --available \
&& update-ca-certificates