Renkulab-r base image fails with apt-get update because certificate verification failed

RenkuLab
1

Hi all,

my Docker-image fails to build when I use the renkulab-r base image and try to install/update any ubuntu packages because of an expired certificate of https://deb.nodesource.com/node_10.x focal Release (see error message below).

I tried to fix the issue by freshly installing the ca-certificates with

sudo apt install ca-certificates

, but they seem to be uptodate.

I also checked etc/apt/sources.list and realized that all sources point to “bionic”, while the error message indicates, that updates are tried to fetch from “focal”.
So I think at some point versions do not match.

Here is the complete erroro message from cicd:

Running with gitlab-runner 13.10.0 (54944146)
  on gitlab/gl-runner-0 bb5-KxyM
Preparing the "docker" executor 00:07
Using Docker executor with image docker:stable ...
Pulling docker image docker:stable ...
Using docker image sha256:b0757c55a1fdbb59c378fd34dde3e12bd25f68094dd69546cf5ca00ddbaa7a33 for docker:stable with digest docker@sha256:fd4d028713fd05a1fb896412805daed82c4a0cc84331d8dad00cb596d7ce3e3a ...
Preparing environment 00:03
Running on runner-bb5-kxym-project-13912-concurrent-0 via 187d7cc9b3af...
Getting source from Git repository 00:03
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/gitlab/almut.lue/test-docker/.git/
Checking out 59b61864 as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:11
Using docker image sha256:b0757c55a1fdbb59c378fd34dde3e12bd25f68094dd69546cf5ca00ddbaa7a33 for docker:stable with digest docker@sha256:fd4d028713fd05a1fb896412805daed82c4a0cc84331d8dad00cb596d7ce3e3a ...
$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN http://$CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ CI_COMMIT_SHA_7=$(echo $CI_COMMIT_SHA | cut -c1-7) # collapsed multi-line command
Step 1/11 : ARG RENKU_BASE_IMAGE=renku/renkulab-r:4.0.5-0.10.1
Step 2/11 : FROM ${RENKU_BASE_IMAGE}
 ---> f40224c0ada3
Step 3/11 : USER root
 ---> Running in 4a37345e20c1
Removing intermediate container 4a37345e20c1
 ---> f6a9b7f9ed29
Step 4/11 : RUN apt-get update &&     apt-get install -y --no-install-recommends     apt-utils     vim
 ---> Running in dcd26b48a31e
Ign:1 https://deb.nodesource.com/node_10.x focal InRelease
Err:2 https://deb.nodesource.com/node_10.x focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 195.176.255.80 443]
Get:3 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:7 https://packagecloud.io/github/git-lfs/ubuntu focal InRelease [24.4 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1,275 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [33.3 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [630 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,580 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,081 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [6,310 B]
Get:17 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [2,668 B]
Get:18 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [580 kB]
Get:19 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.1 kB]
Get:20 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1,133 kB]
Get:21 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [794 kB]
Get:22 https://packagecloud.io/github/git-lfs/ubuntu focal/main amd64 Packages [2,012 B]
Reading package lists...
E: The repository 'https://deb.nodesource.com/node_10.x focal Release' does not have a Release file.
The command '/bin/sh -c apt-get update &&     apt-get install -y --no-install-recommends     apt-utils     vim' returned a non-zero code: 100
Cleaning up file based variables 00:02
ERROR: Job failed: exit code 100

I use RENKU_BASE_IMAGE=renku/renkulab-r:4.0.5-0.10.1 and could reproduce the error by starting a new project based on the renkulab-r base image and uncomment the lines to apt-get update and install apt-utils and vim (see here).

Best,
Almut

2

Hi Almut,

Would you be able to try this workaround posted here: The certificate for deb.nodesource seems to be expired · Issue #1266 · nodesource/distributions · GitHub? I think the difference to what you posted is apt-get instead of apt (they are slightly different). It’s related to some certificates that expired recently: Let's Encrypt's Root Certificate is expiring!

Let us know!
Gavin

1 Like
3

Hi @Almut,

Thanks for raising this issue.

It’s due to The certificate for deb.nodesource seems to be expired · Issue #1266 · nodesource/distributions · GitHub.

A quick workaround would be:

RUN apt-get update ; apt-get install ca-certificates && \
    apt-get update && \
    ...

See also Dockerfile · master · Tao Sun / test_docker · GitLab

4

Thanks a lot @tao.sun and @gavin-k-lee for the fast answers and the workaround.
It works perfect and solves my problem!