* [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
@ 2021-11-17 21:33 Romain Naour
  2021-11-18  9:22 ` Peter Korsgaard
  0 siblings, 1 reply; 7+ messages in thread
From: Romain Naour @ 2021-11-17 21:33 UTC (permalink / raw)
  To: buildroot; +Cc: Romain Naour, Yann E . MORIN

Since the 30th Sep 2021 the docker image used by the gitlab-ci is not able
to download the toolchain archive from https://toolchains.bootlin.com due
to an expired certificate.

wget https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
Connecting to toolchains.bootlin.com (toolchains.bootlin.com)|51.254.149.199|:443... connected.
ERROR: The certificate of ‘toolchains.bootlin.com’ is not trusted.
ERROR: The certificate of ‘toolchains.bootlin.com’ has expired.

Remove expired mozilla/DST_Root_CA_X3.crt [1].

[1] https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
---
Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
---
 support/docker/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/support/docker/Dockerfile b/support/docker/Dockerfile
index a9bacca3a0..e65f840da8 100644
--- a/support/docker/Dockerfile
+++ b/support/docker/Dockerfile
@@ -47,6 +47,8 @@ RUN apt-get install -y --no-install-recommends \
         unzip \
         wget \
         && \
+    sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf && \
+    update-ca-certificates && \
     apt-get -y autoremove && \
     apt-get -y clean
 
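Review bot: the added sed line exits 0 even when no line in /etc/ca-certificates.conf matches (entry absent, renamed, or already prefixed with `!`), so the image can build without DST_Root_CA_X3 actually being deselected and the wget failure would only show up again later in CI. Consider adding a check between the two added lines, such as `grep -q '^!mozilla/DST_Root_CA_X3\.crt$' /etc/ca-certificates.conf && \`, so the build fails when the workaround did not apply. The dots in the sed address are also unescaped (`X3.crt` matches any character in that position); `X3\.crt` is the exact form. A short comment in the Dockerfile saying why this one root is disabled would help whoever next updates the base image.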
-- 
2.31.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-17 21:33 [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt Romain Naour
@ 2021-11-18  9:22 ` Peter Korsgaard
  2021-11-18 11:51   ` Romain Naour
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2021-11-18  9:22 UTC (permalink / raw)
  To: Romain Naour; +Cc: Yann E . MORIN, buildroot

>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:

 > Since the 30th Sep 2021 the docker image used by the gitlab-ci is not able
 > to download the toolchain archive from https://toolchains.bootlin.com due
 > to an expired certificate.

 > wget https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
 > Connecting to toolchains.bootlin.com (toolchains.bootlin.com)|51.254.149.199|:443... connected.
 > ERROR: The certificate of ‘toolchains.bootlin.com’ is not trusted.
 > ERROR: The certificate of ‘toolchains.bootlin.com’ has expired.

 > Remove expired mozilla/DST_Root_CA_X3.crt [1].

 > [1] https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg

 > Signed-off-by: Romain Naour <romain.naour@gmail.com>
 > Cc: Yann E. MORIN <yann.morin.1998@free.fr>
 > ---
 > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228

How does this actually work? Who builds that container? Do we not need
a corresponding update of .gitlab-ci.yml then?


 > ---
 >  support/docker/Dockerfile | 2 ++
 >  1 file changed, 2 insertions(+)

 > diff --git a/support/docker/Dockerfile b/support/docker/Dockerfile
 > index a9bacca3a0..e65f840da8 100644
 > --- a/support/docker/Dockerfile
 > +++ b/support/docker/Dockerfile
 > @@ -47,6 +47,8 @@ RUN apt-get install -y --no-install-recommends \
 >          unzip \
 >          wget \
 >          && \
 > +    sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf && \
 > +    update-ca-certificates && \

Alternatively we could just update to the latest stretch release instead
of this snapshot from 2017:

docker run --rm -it debian:9.13
root@42ec5ca75f0a:/# apt-get update && \
  apt-get install -y --no-install-recommends ca-certificates wget

root@42ec5ca75f0a:/# wget https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
--2021-11-18 09:20:03--  https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
Resolving toolchains.bootlin.com (toolchains.bootlin.com)... 51.254.149.199
Connecting to toolchains.bootlin.com (toolchains.bootlin.com)|51.254.149.199|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 127456563 (122M) [application/x-bzip2]
Saving to: 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2'

ing-edge-2020.08-1.t  85%[==================>    ] 103.51M  16.9MB/s    eta 1s     F
aarch64--glibc--blee 100%[======================>] 121.55M  16.6MB/s    in 7.4s

2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-18  9:22 ` Peter Korsgaard
@ 2021-11-18 11:51   ` Romain Naour
  2021-11-18 12:22     ` Peter Korsgaard
  0 siblings, 1 reply; 7+ messages in thread
From: Romain Naour @ 2021-11-18 11:51 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Yann E . MORIN, buildroot

Hello Peter,

On 18/11/2021 at 10:22, Peter Korsgaard wrote:
>>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> 
>  > Since the 30th Sep 2021 the docker image used by the gitlab-ci is not able
>  > to download the toolchain archive from https://toolchains.bootlin.com due
>  > to an expired certificate.
> 
>  > wget https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
>  > Connecting to toolchains.bootlin.com (toolchains.bootlin.com)|51.254.149.199|:443... connected.
>  > ERROR: The certificate of ‘toolchains.bootlin.com’ is not trusted.
>  > ERROR: The certificate of ‘toolchains.bootlin.com’ has expired.
> 
>  > Remove expired mozilla/DST_Root_CA_X3.crt [1].
> 
>  > [1] https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg
> 
>  > Signed-off-by: Romain Naour <romain.naour@gmail.com>
>  > Cc: Yann E. MORIN <yann.morin.1998@free.fr>
>  > ---
>  > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
> 
> How does this actually work? Who builds that container? Do we not need
> a corresponding update of .gitlab-ci.yml then?

Well, usually it's Arnout or Yann that build and push containers to dockerhub.
On master we recently switched to gitlab registry, so maintainers and developers
of Buildroot gitlab project can update containers.

The .gitlab-ci.yml is changed as soon as the container is rebuilt using the
updated Dockerfile (after the commit of Dockerfile change).

> 
> 
>  > ---
>  >  support/docker/Dockerfile | 2 ++
>  >  1 file changed, 2 insertions(+)
> 
>  > diff --git a/support/docker/Dockerfile b/support/docker/Dockerfile
>  > index a9bacca3a0..e65f840da8 100644
>  > --- a/support/docker/Dockerfile
>  > +++ b/support/docker/Dockerfile
>  > @@ -47,6 +47,8 @@ RUN apt-get install -y --no-install-recommends \
>  >          unzip \
>  >          wget \
>  >          && \
>  > +    sed -i '/^mozilla\/DST_Root_CA_X3.crt$/ s/^/!/' /etc/ca-certificates.conf && \
>  > +    update-ca-certificates && \
> 
> Alternatively we could just update to the latest stretch release instead
> of this snapshot from 2017:
> 
> docker run --rm -it debian:9.13
> root@42ec5ca75f0a:/# apt-get update && \
>   apt-get install -y --no-install-recommends ca-certificates wget
> 
> root@42ec5ca75f0a:/# wget https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
> --2021-11-18 09:20:03--  https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/tarballs/aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2
> Resolving toolchains.bootlin.com (toolchains.bootlin.com)... 51.254.149.199
> Connecting to toolchains.bootlin.com (toolchains.bootlin.com)|51.254.149.199|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 127456563 (122M) [application/x-bzip2]
> Saving to: 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2'
> 
> ing-edge-2020.08-1.t  85%[==================>    ] 103.51M  16.9MB/s    eta 1s     F
> aarch64--glibc--blee 100%[======================>] 121.55M  16.6MB/s    in 7.4s
> 
> 2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]
> 
Indeed but we may introduce some (unlikely) regression in the testsuite.

Or add --no-check-certificate to BR2_WGET:

https://gitlab.com/kubu93/buildroot/-/commit/d7828f18149c7fd70c9482aac02dc1a185694442

Best regards,
Romain

* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-18 11:51   ` Romain Naour
@ 2021-11-18 12:22     ` Peter Korsgaard
  2021-11-20  8:50       ` Yann E. MORIN
  0 siblings, 1 reply; 7+ messages in thread
From: Peter Korsgaard @ 2021-11-18 12:22 UTC (permalink / raw)
  To: Romain Naour; +Cc: Yann E . MORIN, buildroot

>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:

Hi,

 >> > https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg
 >> 
 >> > Signed-off-by: Romain Naour <romain.naour@gmail.com>
 >> > Cc: Yann E. MORIN <yann.morin.1998@free.fr>
 >> > ---
 >> > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
 >> 
 >> How does this actually work? Who builds that container? Do we not need
 >> a corresponding update of .gitlab-ci.yml then?

 > Well, usually it's Arnout or Yann that build and push containers to dockerhub.
 > On master we recently switched to gitlab registry, so maintainers and developers
 > of Buildroot gitlab project can update containers.

 > The .gitlab-ci.yml is changed as soon as the container is rebuilt using the
 > updated Dockerfile (after the commit of Dockerfile change).

Ok, so all manually.

 >> 2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]
 >> 
 > Indeed but we may introduce some (unlikely) regression in the testsuite.

If there are regressions, then it would be better to handle them as
people might run into the same issues. Debian 9 is old, no matter if we
look at the 2017 snapshot or the last bugfix (2020), so testing
against that might be the best solution?

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-18 12:22     ` Peter Korsgaard
@ 2021-11-20  8:50       ` Yann E. MORIN
  2021-11-20 13:44         ` Romain Naour
  0 siblings, 1 reply; 7+ messages in thread
From: Yann E. MORIN @ 2021-11-20  8:50 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Romain Naour, buildroot

Peter, Romain, All,

On 2021-11-18 13:22 +0100, Peter Korsgaard spake thusly:
> >>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
>  >> > https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg
>  >> > Signed-off-by: Romain Naour <romain.naour@gmail.com>
>  >> > Cc: Yann E. MORIN <yann.morin.1998@free.fr>
>  >> > ---
>  >> > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
>  >> 
>  >> How does this actually work? Who builds that container? Do we not need
>  >> a corresponding update of .gitlab-ci.yml then?
> 
>  > Well, usually it's Arnout or Yann that build and push containers to dockerhub.
>  > On master we recently switched to gitlab registry, so maintainers and developers
>  > of Buildroot gitlab project can update containers.
> 
>  > The .gitlab-ci.yml is changed as soon as the container is rebuilt using the
>  > updated Dockerfile (after the commit of Dockerfile change).
> 
> Ok, so all manually.
> 
>  >> 2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]
>  >> 
>  > Indeed but we may introduce some (unlikely) regression in the testsuite.
> 
> If there are regressions, then it would be better to handle them as
> people might run into the same issues. Debian 9 is old, no matter if we
> look at the 2017 snapshot or the last bugfix (2020), so testing
> against that might be the best solution?

I was not sure Stretch was still maintained (I did not even check), but
now I tested the stretch-20211115 snapshot, and indeed the certificate
issue is no longer.

The risk of regression if we update is very low, because Debian really
is stable; after 4 years of maintenance, there are not many things that
move anymore.

So I agree that updating to the latest stretch image is better than
hacking our ways by removing some certificate.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-20  8:50       ` Yann E. MORIN
@ 2021-11-20 13:44         ` Romain Naour
  2021-11-20 18:16           ` Yann E. MORIN
  0 siblings, 1 reply; 7+ messages in thread
From: Romain Naour @ 2021-11-20 13:44 UTC (permalink / raw)
  To: Yann E. MORIN, Peter Korsgaard; +Cc: buildroot

Hello Peter, Yann,

On 20/11/2021 at 09:50, Yann E. MORIN wrote:
> Peter, Romain, All,
> 
> On 2021-11-18 13:22 +0100, Peter Korsgaard spake thusly:
>>>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
>>  >> > https://stackoverflow.com/questions/69408776/how-to-force-older-debian-to-forget-about-dst-root-ca-x3-expiration-and-use-isrg
>>  >> > Signed-off-by: Romain Naour <romain.naour@gmail.com>
>>  >> > Cc: Yann E. MORIN <yann.morin.1998@free.fr>
>>  >> > ---
>>  >> > Backport this patch for 2021.08.x and 2021.02.x using buildroot/base:20200814.2228
>>  >> 
>>  >> How does this actually work? Who builds that container? Do we not need
>>  >> a corresponding update of .gitlab-ci.yml then?
>>
>>  > Well, usually it's Arnout or Yann that build and push containers to dockerhub.
>>  > On master we recently switched to gitlab registry, so maintainers and developers
>>  > of Buildroot gitlab project can update containers.
>>
>>  > The .gitlab-ci.yml is changed as soon as the container is rebuilt using the
>>  > updated Dockerfile (after the commit of Dockerfile change).
>>
>> Ok, so all manually.
>>
>>  >> 2021-11-18 09:20:10 (16.5 MB/s) - 'aarch64--glibc--bleeding-edge-2020.08-1.tar.bz2' saved [127456563/127456563]
>>  >> 
>>  > Indeed but we may introduce some (unlikely) regression in the testsuite.
>>
>> If there are regressions, then it would be better to handle them as
>> people might run into the same issues. Debian 9 is old, no matter if we
>> look at the 2017 snapshot or the last bugfix (2020), so testing
>> against that might be the best solution?
> 
> I was not sure Stretch was still maintained (I did not even check), but
> now I tested the stretch-20211115 snapshot, and indeed the certificate
> issue is no longer.
> 
> The risk of regression if we update is very low, because Debian really
> is stable; after 4 years of maintenance, there are not many things that
> move anymore.
> 
> So I agree that updating to the latest stretch image is better than
> hacking our ways by removing some certificate.

OK, can you update the docker image?

Best regards,
Romain


> 
> Regards,
> Yann E. MORIN.
> 


* Re: [Buildroot] [PATCH for-2021.08.x] support/docker: remove expired mozilla/DST_Root_CA_X3.crt
  2021-11-20 13:44         ` Romain Naour
@ 2021-11-20 18:16           ` Yann E. MORIN
  0 siblings, 0 replies; 7+ messages in thread
From: Yann E. MORIN @ 2021-11-20 18:16 UTC (permalink / raw)
  To: Romain Naour; +Cc: buildroot

Romain, Peter, All,

On 2021-11-20 14:44 +0100, Romain Naour spake thusly:
> On 20/11/2021 at 09:50, Yann E. MORIN wrote:
[--SNIP--]
> > So I agree that updating to the latest stretch image is better than
> > hacking our ways by removing some certificate.
> OK, can you update the docker image?

I will send a patch in a moment, yes.

Regards,
Yann E. MORIN.
