I'm facing issues with using lets encrypt and checking out code in the k8s-helper-linux image.

It fails with the following:

server certificate verification failed. CAfile: none CRLfile: none

Further, I am aware that recently, the DST Root CA X3 has expired (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) and this is confirmed in the root chain:

docker run 1dev/k8s-helper-linux:2.2.12 openssl x509 -text -in /etc/ssl/certs/DST_Root_CA_X3.pem | grep "Not After"
            Not After : Sep 30 14:01:15 2021 GMT

It looks like the expired root cert is still served (after checking with openssl s_client) due to backwards compatibility with older clients (LetsEncrypt)

Looking at ca-certificates in the k8s-helper-linux image, it looks like an older version exists:

docker run 1dev/k8s-helper-linux:2.2.12 dpkg -l | grep ca-cert
ii  ca-certificates           20190110                    all          Common CA certificates

This is likely an issue with the upstream OpenJDK JRE image.

It looks like the only way to get the latest ca-certs is to reinstall it:

docker run 1dev/k8s-helper-linux:2.2.12 apt-get install --reinstall ca-certificates;

After which the git clone inside the docker container works.