#1  Letsencrypt root not supported in 1dev/k8s-helper-linux:2.2.12
Shamil opened 1 month ago

I'm facing issues with using Let's Encrypt and checking out code in the k8s-helper-linux image.

It fails with the following:

server certificate verification failed. CAfile: none CRLfile: none

Further, I am aware that recently, the DST Root CA X3 has expired (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/) and this is confirmed in the root chain:

docker run 1dev/k8s-helper-linux:2.2.12 openssl x509 -text -in /etc/ssl/certs/DST_Root_CA_X3.pem | grep "Not After"
            Not After : Sep 30 14:01:15 2021 GMT

It looks like the expired root cert is still served (after checking with openssl s_client) due to backwards compatibility with older clients (LetsEncrypt)

Looking at ca-certificates in the k8s-helper-linux image, it looks like an older version exists:

docker run 1dev/k8s-helper-linux:2.2.12 dpkg -l | grep ca-cert
ii  ca-certificates           20190110                    all          Common CA certificates

This is likely an issue with the upstream OpenJDK JRE image.

It looks like the only way to get the latest ca-certs is to reinstall it:

docker run 1dev/k8s-helper-linux:2.2.12 apt-get install --reinstall ca-certificates;

After which the git clone inside the docker container works.
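An added helper, not from the thread or the OneDev project, that automates the trust-store check the report above does by hand: it walks a CA directory with the same `openssl x509` calls and lists the roots that are already expired (or expire within a grace window), skipping files that are not certificates. It assumes only that `openssl` and a POSIX shell are available inside the image.

```shell
#!/bin/sh
# audit_ca_dir DIR [SECONDS]
#   Lists certificates under DIR that are expired, or that expire within
#   SECONDS (default 0 = already expired). Prints one line per flagged
#   file; prints nothing when the trust store is clean. Always returns 0
#   so it can be used inside $(...) under set -e.
audit_ca_dir() {
    dir="$1"
    window="${2:-0}"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip files openssl cannot parse as an X.509 certificate (keys,
        # bundles of other formats) rather than misreporting them as expired.
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "skip (not a certificate): $pem" >&2
            continue
        fi
        # -checkend N exits non-zero when the cert expires within N seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            enddate=$(openssl x509 -in "$pem" -noout -enddate)   # e.g. notAfter=Sep 30 14:01:15 2021 GMT
            subject=$(openssl x509 -in "$pem" -noout -subject)
            printf '%s | %s | %s\n' "$pem" "$subject" "$enddate"
        fi
    done
    return 0
}

# Report the installed ca-certificates package on Debian-based images, as
# in the dpkg check above; silently does nothing where dpkg is absent.
ca_package_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f '${Version}\n' ca-certificates 2>/dev/null
}
```

To run it against the image from the report, mount the script and source it: `docker run --rm -v "$PWD/audit.sh:/audit.sh:ro" 1dev/k8s-helper-linux:2.2.12 sh -c '. /audit.sh; audit_ca_dir /etc/ssl/certs; ca_package_version'`.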

Robin Shen commented 1 month ago

Thanks for reporting. I tried reinstalling certificates, but still cannot clone. However, using the latest jdk8 image works. Will update the base image in the next minor version.

Referenced from other issue 1 month ago
Shamil commented 1 month ago

Thanks @robin - is there a way to force OneDev to use the new released helper version?

Robin Shen commented 1 month ago

That is not possible. Will release a new version to fix this soon.

Robin Shen changed state to 'Closed' 1 month ago