Cannot build v3 images: expired certificate on deb.nodesource.com #270

Closed
mbrodala opened this issue Oct 5, 2021 · 5 comments

@mbrodala
Contributor

mbrodala commented Oct 5, 2021

Your issue may already be reported!
Please search on the issue tracker before creating one.

Expected Behavior

I should be able to build a container using the PHP v3 images here as base.

Current Behavior

Trying to build an image using the PHP v3 images fails due to nodesource/distributions#1266

Possible Solution

Not 100% clear yet, maybe the ca-certificates package must be updated before running apt-get update.

Steps to Reproduce (for bugs)

  1. Create a directory with a minimal Dockerfile:
    FROM thecodingmachine/php:7.2-v3-fpm-node12
    USER root
    RUN apt-get update
    USER docker
  2. Run docker build --no-cache . in the directory of the Dockerfile
  3. See the error:
$ docker build --no-cache .
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM thecodingmachine/php:7.2-v3-fpm-node12
 ---> f6c1dd9a8efe
Step 2/4 : USER root
 ---> Running in 55f8240a7ae5
Removing intermediate container 55f8240a7ae5
 ---> 772b0cd6bb31
Step 3/4 : RUN apt-get update
 ---> Running in 62363675feac
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Ign:2 https://deb.nodesource.com/node_12.x bionic InRelease
Get:3 http://ppa.launchpad.net/ondrej/php/ubuntu bionic InRelease [20.8 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Err:6 https://deb.nodesource.com/node_12.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 23.213.161.12 443]
Get:7 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:8 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:9 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages [164 kB]
Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [638 kB]
Get:11 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [34.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [2800 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [26.7 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [2208 kB]
Get:15 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [2365 kB]
Get:16 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [606 kB]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1430 kB]
Reading package lists...
E: The repository 'https://deb.nodesource.com/node_12.x bionic Release' no longer has a Release file.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>

This evidently works fine with the v4 images, very likely since the base system is newer and thus has more up-to-date packages:

FROM thecodingmachine/php:7.2-v4-fpm-node12
USER root
RUN apt-get update
USER docker
$ docker build --no-cache .
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM thecodingmachine/php:7.2-v4-fpm-node12
 ---> 3228821b16e0
Step 2/4 : USER root
 ---> Running in feae6018a927
Removing intermediate container feae6018a927
 ---> 99bba5250890
Step 3/4 : RUN apt-get update
 ---> Running in 75d71f4c6128
Get:1 http://ppa.launchpad.net/ondrej/php/ubuntu focal InRelease [23.9 kB]
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Get:3 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:5 https://deb.nodesource.com/node_12.x focal InRelease
Get:6 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
Get:7 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:8 https://dl.yarnpkg.com/debian stable/main all Packages [10.5 kB]
Get:9 https://dl.yarnpkg.com/debian stable/main amd64 Packages [10.5 kB]
Get:10 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages [158 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [632 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1581 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1082 kB]
Get:14 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [795 kB]
Get:15 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1135 kB]
Get:16 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [581 kB]
Fetched 6354 kB in 2s (3135 kB/s)
Reading package lists...
Removing intermediate container 75d71f4c6128
 ---> 2bacc6ab5969
Step 4/4 : USER docker
 ---> Running in 7a0ff6065495
Removing intermediate container 7a0ff6065495
 ---> 2beb3d956777
Successfully built 2beb3d956777

Context

We always build custom app images using the PHP images as base which has started to fail for many of us due to the expiry of the mentioned Let's Encrypt root certificate.

Your Environment

  • Version used: PHP 7.2/7.4, Image v3
  • Operating System and version: Debian/Ubuntu/Windows
  • Link to your project: none
@mistraloz
Collaborator

This is a major issue for V3 images, but we are no longer maintaining this version. So the best way is to upgrade to v4 or make a PR on the v3 branch.

@mbrodala
Contributor Author

mbrodala commented Oct 5, 2021

I totally get that. Internally I also advocate for solving this by upgrading to the v4 images, so it's not a pressing issue for us. Due to this I won't dig further into fixing this for v3.

I mostly wanted to report it as a heads-up in case others stumble upon this. If someone wants to tackle this, he can use this ticket as reference.

@mbrodala mbrodala closed this as completed Oct 5, 2021
@mbrodala
Contributor Author

Now I get the same error with v4:

FROM thecodingmachine/php:7.4-v4-fpm-node12
USER root
RUN apt-get update
USER docker
$ docker image inspect --format '{{.Id}}' thecodingmachine/php:7.4-v4-fpm-node12
sha256:4092d99feaa3a331da5b6d299c3e502c696aa290d5afe4d9f7a5b30226acc94e

Result:

$ docker build --no-cache .
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM thecodingmachine/php:7.4-v4-fpm-node12
 ---> 4092d99feaa3
Step 2/4 : USER root
 ---> Running in d04580197ed2
Removing intermediate container d04580197ed2
 ---> e72cde5d2bff
Step 3/4 : RUN apt-get update
 ---> Running in 57c95e61d6d8
Get:1 http://ppa.launchpad.net/ondrej/php/ubuntu focal InRelease [23.9 kB]
Get:2 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Get:3 https://deb.nodesource.com/node_12.x focal InRelease [4583 B]
Err:2 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
Get:4 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:6 http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages [193 kB]
Get:7 https://deb.nodesource.com/node_12.x focal/main amd64 Packages [774 B]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [27.7 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:10 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [2439 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [1879 kB]
Get:14 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [986 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:18 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1288 kB]
Get:19 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [2003 kB]
Get:20 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [31.2 kB]
Get:21 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2916 kB]
Get:22 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:23 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Reading package lists...
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
The command '/bin/bash -o pipefail -c apt-get update' returned a non-zero code: 100

(Also fails with Node 14/16/18)

@mbrodala mbrodala reopened this Jan 26, 2023
@mbrodala
Contributor Author

See yarnpkg/yarn#7866 (comment)

@mbrodala
Contributor Author

See my solution/workaround for now: yarnpkg/yarn#7866 (comment)
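
Added example (not part of the issue thread or the project's code): the two errors in the logs above fail against different trust anchors, the deb.nodesource.com one at the TLS layer (the image's CA bundle) and the dl.yarnpkg.com one at apt's repository signature check (its keyring). This sketch classifies `apt-get update` output accordingly so a CI job can report which one needs refreshing; `classify_apt_failures` and `SAMPLE_LOG` are names assumed for the example, and the sample is abridged from the output quoted in this issue.

```python
import re

# Constructed sample: abridged from the apt-get output quoted in this issue.
SAMPLE_LOG = """\
Hit:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Ign:2 https://deb.nodesource.com/node_12.x bionic InRelease
Err:6 https://deb.nodesource.com/node_12.x bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification.
Get:7 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Err:5 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging
Reading package lists...
"""

ERR_LINE = re.compile(r"^Err:\d+\s+(?P<url>https?://\S+)\s+(?P<suite>.+)$")
EXPIRED_KEY = re.compile(r"\bEXPKEYSIG\s+(?P<key>[0-9A-F]{16})\b")


def classify_apt_failures(log):
    """Return one finding per 'Err:' stanza, naming the trust anchor that failed."""
    findings = []
    current = None
    for line in log.splitlines():
        m = ERR_LINE.match(line)
        if m:
            current = {"repo": m["url"], "kind": "other",
                       "trust_anchor": None, "key_id": None}
            findings.append(current)
        elif current is not None and line[:1].isspace():
            # Indented lines carry the detail for the preceding Err: line.
            key = EXPIRED_KEY.search(line)
            if "Certificate verification failed" in line:
                # HTTPS transport: checked against the image's CA bundle.
                current.update(kind="tls_chain", trust_anchor="ca-certificates")
            elif key:
                # Repository signature: checked against apt's own keyring.
                current.update(kind="expired_signing_key",
                               trust_anchor="apt keyring", key_id=key["key"])
        else:
            current = None  # any other line ends the stanza
    return findings


if __name__ == "__main__":
    for finding in classify_apt_failures(SAMPLE_LOG):
        print(finding)
```
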
