Can't load apkovl from https due to CA certificates file missing upon init
When you specify an apkovl in a kernel boot argument, e.g. apkovl=https://example.com/default.tar.gz, the initramfs init script will try to "wget" the contents, but that ultimately fails with
Connecting to example.com (1.2.3.4:443)
ssl_client: example.com: TLS connect failed
wget: error getting response: Connection reset by peer
This error is due to the CA certificates file (/etc/ssl/cert.pem) missing at the time of the "wget", because it only gets installed later via ca-certificates-cacert.
Steps to verify:
- Boot into single user mode (add "single" to kernel boot args)
- Verify that /etc/ssl/cert.pem is missing
- Remove the "single" but add "init=/bin/sh" to drop into a shell after init
- Verify that /etc/ssl/cert.pem is there now (too late)
Workaround: I was able to work around the issue by providing a cpio archive with this file as an extra initrd argument to iPXE, but the setup is non-trivial (you will need to build your own iPXE binary from source and enable certificates there as well, since you shouldn't rely on an insecure HTTP download for the certificates).
Proposal:
- Detect if apkovl= starts with https:, check if /etc/ssl/cert.pem is missing, and if so, apk add ca-certificates-cacert early (i.e., before the wget).
- Make sure at least an empty /etc/ssl folder is created in the initramfs image, so the /etc/ssl/cert.pem file can be specified directly instead of using the cpio archive (iPXE allows individual files to be added via initrd, but doesn't create the directory for you).
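The proposed early check, sketched as POSIX sh in the style of an init script (added example, not code from Alpine's initramfs init); the function names, the optional cmdline-file and cert-path arguments, and the overridable APK variable are assumptions made so the logic can be exercised without a real boot:

```shell
#!/bin/sh
# Hypothetical helper for an initramfs init script (example, not Alpine's own code).
# Implements the proposal: before fetching an https:// apkovl, make sure the CA
# bundle exists, installing ca-certificates-cacert early if it does not.

# Print the apkovl= value from the kernel command line ($1 defaults to /proc/cmdline).
apkovl_from_cmdline() {
    cmdline_file="${1:-/proc/cmdline}"
    read -r cmdline < "$cmdline_file" || return 1
    for opt in $cmdline; do
        case "$opt" in
            apkovl=*) echo "${opt#apkovl=}"; return 0 ;;
        esac
    done
    return 1
}

# True (exit 0) only when the apkovl URL is https:// AND the CA bundle is absent
# or empty; plain http:// or local paths never need certificates.
apkovl_needs_cacerts() {
    url="$1"
    certfile="${2:-/etc/ssl/cert.pem}"
    case "$url" in
        https://*) [ ! -s "$certfile" ] ;;
        *) return 1 ;;
    esac
}

# Create the /etc/ssl directory (so a cert.pem supplied via iPXE initrd has a
# home) and install the CA bundle when the check above says it is required.
# APK is overridable (assumption) so the function can be tested without apk.
ensure_cacerts_for_apkovl() {
    url="$1"
    certfile="${2:-/etc/ssl/cert.pem}"
    apkovl_needs_cacerts "$url" "$certfile" || return 0
    mkdir -p "$(dirname "$certfile")"
    ${APK:-apk} add ca-certificates-cacert
}

# Intended use inside init, before the wget of the apkovl:
#   url=$(apkovl_from_cmdline) && ensure_cacerts_for_apkovl "$url"
```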