Package: ca-certificates
Version: 20190110
This is a little fringe and likely crosses projects, as it seems to be specific
to QEMU emulating 32-bit ARM, and may involve the “openssl rehash” function from
openssl. But it did appear as a result of the 20190110 ca-certificates update,
and affects anything (like CURL) that depends on the CA cert hashes created
via update-ca-certificates, so I’ll start by posting here.
Basically, changes in ca-certificates 20190110 seem to have broken our 32-bit
ARM Buster Docker image builds (which are done with QEMU). Essentially,
installing ca-certificates in the image (which triggers
update-ca-certificates) fails to create the hashes used by programs like CURL,
resulting in failure of any subsequent CURL calls. Running the previously used
c_rehash command manually, however, does create the hashes.
For example, the following fails running under Docker for Mac/Windows (which has
QEMU baked in) or Docker Linux x86 with QEMU added, but is successful when run
on 32-bit ARM Docker Linux directly:
docker run -it --rm arm32v7/debian:buster \
/bin/bash -c \
'export DEBIAN_FRONTEND=noninteractive && \
apt-get update && apt-get install -y ca-certificates curl && \
curl -sSL https://www.google.com'
QEMU Docker hosts fail with:
….
Setting up ca-certificates (20190110) ...
Updating certificates in /etc/ssl/certs...
qemu: Unsupported syscall: 382
128 added, 0 removed; done.
Setting up libkrb5support0:armhf (1.17-1) ...
Setting up libk5crypto3:armhf (1.17-1) ...
Setting up libkrb5-3:armhf (1.17-1) ...
Setting up libgssapi-krb5-2:armhf (1.17-1) ...
Setting up libcurl4:armhf (7.64.0-1) ...
Setting up curl (7.64.0-1) ...
Processing triggers for libc-bin (2.28-5) ...
Processing triggers for ca-certificates (20190110) ...
Updating certificates in /etc/ssl/certs...
qemu: Unsupported syscall: 382
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
However, adding the previously used c_rehash function does create the hashes
and is successful for QEMU Docker hosts:
docker run -it --rm arm32v7/debian:buster \
/bin/bash -c \
'export DEBIAN_FRONTEND=noninteractive && \
apt-get update && apt-get install -y ca-certificates curl && \
c_rehash && \
curl -sSL https://www.google.com'
We’re using that work-around for 32-bit ARM image builds currently, but just a
heads up that something seems to have changed that affects the hash creation
under QEMU for ARM 32-bit. It was working prior to the 20190110 update.
-James
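A quick way to confirm the symptom described above, before a build ever reaches curl, is to check that every .pem in the certificate directory has a matching subject-hash symlink (the `<hash>.N` links that c_rehash / openssl rehash create and that OpenSSL-based clients look up). The script below is an added example and not part of the report or of the ca-certificates package; it computes each certificate's hash by shelling out to `openssl x509 -subject_hash`, which is assumed to be on PATH, and the `demo()` fixture uses a constructed directory with a stand-in hash function so it runs without openssl or real certificates.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Hash links look like "4042bcee.0": 8 hex digits, a dot, an index.
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def subject_hash(pem_path):
    """Return OpenSSL's subject hash for a PEM certificate (requires openssl on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-subject_hash", "-noout", "-in", str(pem_path)],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def find_unhashed_certs(cert_dir, hash_fn=subject_hash):
    """List .pem files in cert_dir that have no hash symlink resolving to them.

    An empty list means the directory is usable by OpenSSL-based clients such
    as curl; a non-empty list reproduces the failure mode in the report
    (certificates installed, hashes missing).
    """
    cert_dir = Path(cert_dir)
    # Map each hash prefix to the set of real files its links point at.
    links = {}
    for p in cert_dir.iterdir():
        if p.is_symlink() and HASH_LINK_RE.match(p.name):
            links.setdefault(p.name.split(".")[0], set()).add(p.resolve())

    missing = []
    for p in sorted(cert_dir.iterdir()):
        if p.suffix != ".pem" or HASH_LINK_RE.match(p.name):
            continue
        expected = hash_fn(p)
        # On Debian the .pem entries are themselves symlinks into
        # /usr/share/ca-certificates, so compare resolved targets, not names.
        if p.resolve() not in links.get(expected, set()):
            missing.append(p.name)
    return missing


def demo():
    """Constructed fixture: one cert with a hash link, one without.

    The hash function is a stand-in lookup (constructed values, not real
    OpenSSL hashes) so the check runs offline.
    """
    fake_hashes = {"a.pem": "deadbeef", "b.pem": "cafebabe"}
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "a.pem").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        (d / "b.pem").write_text("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        os.symlink("a.pem", d / "deadbeef.0")  # only a.pem has been rehashed
        return find_unhashed_certs(d, hash_fn=lambda p: fake_hashes[p.name])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    unhashed = find_unhashed_certs(target)
    print("unhashed certificates:", unhashed or "none")
    sys.exit(1 if unhashed else 0)
```

Run it as a build step right after `apt-get install ca-certificates` (it exits non-zero when hashes are missing), which turns the silent "0 added" under QEMU into a visible failure instead of a TLS error much later in the build.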