Does Alpine Linux handle certs differently than Busybox?

Greg picture Greg · Oct 26, 2015 · Viewed 15.7k times · Source

I started with a base image errordeveloper/oracle-jdk. This Dockerfile is shown here for reference:

FROM        progrium/busybox 
MAINTAINER  Ilya Dmitrichenko <[email protected]>

RUN opkg-install curl ca-certificates

ENV JAVA_HOME /usr/jdk1.8.0_31

RUN curl \
  --silent \
  --location \
  --retry 3 \
  --cacert /etc/ssl/certs/GeoTrust_Global_CA.crt \
  --header "Cookie: oraclelicense=accept-securebackup-cookie;" \
  "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/jdk-8u31-linux-x64.tar.gz" \
    | gunzip \
    | tar x -C /usr/ \
    && ln -s $JAVA_HOME /usr/java \
    && rm -rf $JAVA_HOME/src.zip $JAVA_HOME/javafx-src.zip $JAVA_HOME/man

ENV PATH ${PATH}:${JAVA_HOME}/bin

ENTRYPOINT [ "java" ]
CMD [ "-version" ]

I'd like to move this to Alpine Linux, so a made the following changes:

FROM        alpine
MAINTAINER  Ilya Dmitrichenko <[email protected]>

RUN apk --update upgrade && apk add curl ca-certificates && rm -rf /var/cache/apk/*

ENV JAVA_HOME /usr/jdk1.8.0_31

RUN curl \
  --silent \
  --location \
  --retry 3 \
  --cacert /etc/ssl/certs/GeoTrust_Global_CA.crt \
  --header "Cookie: oraclelicense=accept-securebackup-cookie;" \
  "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/jdk-8u31-linux-x64.tar.gz" \
    | gunzip \
    | tar x -C /usr/ \
    && ln -s $JAVA_HOME /usr/java \
    && rm -rf $JAVA_HOME/src.zip $JAVA_HOME/javafx-src.zip $JAVA_HOME/man

ENV PATH ${PATH}:${JAVA_HOME}/bin

ENTRYPOINT [ "java" ]
CMD [ "-version" ]

Mainly I changed the package management tool to pull down curl and ca-certificates.

After confirming the original builds clean on my machine (it does) I tried my version and got this error: (I turned off --silent on the curl to see it)

Step 4 : RUN curl   --location   --retry 3   --cacert /etc/ssl/certs/GeoTrust_Global_CA.crt   --header "Cookie: oraclelicense=accept-securebackup-cookie;"   "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/server-jre-8u31-linux-x64.tar.gz"     | gunzip     | tar x -C /usr/     && ln -s $JAVA_HOME /usr/java     && rm -rf $JAVA_HOME/man
 ---> Running in c91e4939f851
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/GeoTrust_Global_CA.crt
  CApath: none
gunzip: invalid magic
tar: short read
The command '/bin/sh -c curl   --location   --retry 3   --cacert /etc/ssl/certs/GeoTrust_Global_CA.crt   --header "Cookie: oraclelicense=accept-securebackup-cookie;"   "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/server-jre-8u31-linux-x64.tar.gz"     | gunzip     | tar x -C /usr/     && ln -s $JAVA_HOME /usr/java     && rm -rf $JAVA_HOME/man' returned a non-zero code: 1

Does Alpine do something different here? Why might my curl/certs be failing?

Answer

VonC picture VonC · Oct 26, 2015

Just to be sure the CA certificates are created/updated where they are supposed to, try and add (after this answer) update-ca-certificates:

apk add ca-certificates
update-ca-certificates

In your case:

RUN apk --update upgrade && \
    apk add curl ca-certificates && \
    update-ca-certificates && \
    rm -rf /var/cache/apk/*