GitLab

Alpine 3.8 has ‘20171114-r3’ version of ‘ca-certificates’ package, which is quite old and looks like it is broken:

mail server mail.amur-cit.ru:587 uses self-signed certificate, which I need to add to the list of trusted ones on Alpine for the connection to succeed.

1. get their certificate via this command:

openssl s_client -starttls smtp -showcerts -connect mail.amur-cit.ru:587

from the output of that command I copy 1st (well, 0th in terms of that command’s output) certificate from the certificate chain.

2. save it into a file on Alpine node as /usr/local/share/ca-certificates/mail.amur-cit.ru.crt

3. run update-ca-certificates

result:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

On a Debian-based node that was enough to add the certificate to the list of trusted ones, the output there was the following:

Updating certificates in /etc/ssl/certs…
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.

(from redmine: issue id 9935, created on 2019-01-29, closed on 2019-01-29)

• Changesets:
  • Revision e52ca18a by Natanael Copa on 2019-01-29T16:26:25Z:

main/ca-certificates: upgrade to 20190108

fixes #9935

• Revision ef889967 by Natanael Copa on 2019-05-27T12:31:10Z:

main/ca-certificates: upgrade to 20190108

fixes #9935

• Revision acbc0e0a by Natanael Copa on 2019-05-27T12:35:15Z:

main/ca-certificates: upgrade to 20190108

fixes #9935