https urls for apkovl= and alpine_repo= broken in 3.15
I'm trying to use the current netboot images. Using an ipxe config like this:
kernel http://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/netboot/vmlinuz-virt modules=loop,squashfs nomodeset apkovl=https://f004.backblazeb2.com/file/sbrudenell-netboot/test.apkovl.tar.gz alpine_repo=https://dl-cdn.alpinelinux.org/alpine/v3.15/main modloop=https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/netboot/modloop-virt
initrd http://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/netboot/initramfs-virt
The initramfs contains mkinitfs v3.6.0:
Alpine Init 3.6.0-r0
After !89 (merged) it seems like the https urls should work, but I get errors:
Connecting to f004.backblazeb2.com (149.137.128.16:443)
ssl_client: f004.backblazeb2.com: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer
...
* Installing packages to root filesystem: fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
140234374155080:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.15/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.15/main: No such file or directory
The ca bundle is present at /etc/ssl, but libcrypto is looking in /etc/ssl1.1:
/ # strace -f wget https://google.com 2>&1 | grep /etc/ssl
[pid 689] open("/etc/ssl1.1/cert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
[pid 689] stat("/etc/ssl1.1/certs/c06d5c68.0", 0x7ffd1fc12c60) = -1 ENOENT (No such file or directory)
[pid 689] stat("/etc/ssl1.1/certs/1001acf7.0", 0x7ffd1fc12c60) = -1 ENOENT (No such file or directory)
[pid 689] stat("/etc/ssl1.1/certs/5ad8a5d6.0", 0x7ffd1fc12c60) = -1 ENOENT (No such file or directory)
[pid 689] stat("/etc/ssl1.1/certs/5ad8a5d6.0", 0x7ffd1fc12c60) = -1 ENOENT (No such file or directory)
It looks like ssl dependencies and files are in flux in recent versions.
In 3.15:
- ssl_client depends on libretls, which depends on libcrypto1.1 and ca-certificates-bundle
- ca-certificates-bundle provides /etc/ssl/certs
- libcrypto1.1 provides /etc/ssl1.1/certs which symlinks to /etc/ssl/certs
- libcrypto1.1 defaults to /etc/ssl1.1 for the ssl dir
In edge:
- Dependencies are actively changing. I saw that ssl_client switched from depending on libretls to libcrypto1.1 directly, between the time I did docker run -it alpine:edge and apk upgrade within the container 😄
- libcrypto1.1 doesn't provide /etc/ssl1.1, but does provide files (not certificates) in /etc/ssl
- libcrypto3 provides /etc/ssl3. /etc/ssl3/certs symlinks to /etc/ssl/certs. No packages depend on libcrypto3/openssl3 currently.
So it seems like /etc/ssl is the "canonical" ssl dir, but a default install uses indirection through /etc/ssl1.1, only in 3.15.
Seems like it would be consistent to change libcrypto1.1 to load certificates from /etc/ssl in 3.15 like it does in other branches, but this seems like a dangerous change.
I can imagine two fixes to the init issue:
- Change the ssl includes in the network feature to wildcards, something like /etc/ssl*/certs.pem and /etc/ssl*/certs
- Add export SSL_CERT_DIR=/etc/ssl/certs; export SSL_CERT_FILE=/etc/ssl/certs.pem to init, as a workaround for 3.15.