
[BUG] Alpine linux 3.21.1 missing Entrust root certificates #121

Open
1 task done
marknsikora opened this issue Jan 10, 2025 · 13 comments

@marknsikora

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The current 3.21 build of Alpine is missing some root certificates. This causes any kind of HTTPS request to one of these services to fail.

e.g. home-assistant/core#135233

More info here: https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended

Expected Behavior

No response

Steps To Reproduce

$ podman run --rm -it ghcr.io/linuxserver/homeassistant curl -vvI https://maps.geogratis.gc.ca

Will fail with SSL errors.

Environment

- OS: Fedora 42
- How docker service was installed: podman preinstalled

Also seen on Synology and Debian running Docker.

CPU architecture

x86-64

Docker creation

podman run --rm -it ghcr.io/linuxserver/homeassistant curl -vvI https://maps.geogratis.gc.ca

Container logs

[migrations] started
[migrations] no migrations found
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    911
User GID:    911
───────────────────────────────────────
Linuxserver.io version: 2025.1.2-ls65
Build-date: 2025-01-09T23:58:30+00:00
───────────────────────────────────────
    
**** New container detected, fixing python package permissions. This may take a while. ****
Setting permissions
[custom-init] No custom files found, skipping...
crond[151]: crond (busybox 1.37.0) started, log level 5
crond[151]: user:root entry:*/15	*	*	*	*	run-parts /etc/periodic/15min
crond[151]: user:root entry:0	*	*	*	*	run-parts /etc/periodic/hourly
crond[151]: user:root entry:0	2	*	*	*	run-parts /etc/periodic/daily
crond[151]: user:root entry:0	3	*	*	6	run-parts /etc/periodic/weekly
crond[151]: user:root entry:0	5	1	*	*	run-parts /etc/periodic/monthly
Unable to find configuration. Creating default one in /config
Connection to localhost (::1) 8123 port [tcp/*] succeeded!
[ls.io-init] done.
16:11:20.596834 [0-0] * Host maps.geogratis.gc.ca:443 was resolved.
16:11:20.596870 [0-0] * IPv6: (none)
16:11:20.596899 [0-0] * IPv4: 192.67.45.111
16:11:20.596933 [0-0] * [HTTPS-CONNECT] added
16:11:20.596968 [0-0] * [HTTPS-CONNECT] connect, init
16:11:20.597014 [0-0] * [HTTPS-CONNECT] connect, check h21
16:11:20.597082 [0-0] *   Trying 192.67.45.111:443...
16:11:20.597161 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
16:11:20.597206 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
16:11:20.626329 [0-0] * [HTTPS-CONNECT] connect, check h21
16:11:20.629786 [0-0] * ALPN: curl offers h2,http/1.1
16:11:20.630091 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
16:11:20.643202 [0-0] *  CAfile: /etc/ssl/cert.pem
16:11:20.643251 [0-0] *  CApath: none
16:11:20.643315 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
16:11:20.643381 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
16:11:20.663917 [0-0] * [HTTPS-CONNECT] connect, check h21
16:11:20.664045 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
16:11:20.664223 [0-0] * TLSv1.2 (IN), TLS handshake, Certificate (11):
16:11:20.664879 [0-0] * TLSv1.2 (OUT), TLS alert, unknown CA (560):
16:11:20.664926 [0-0] * SSL certificate problem: self-signed certificate in certificate chain
16:11:20.664968 [0-0] * [HTTPS-CONNECT] connect, all failed
16:11:20.665012 [0-0] * [HTTPS-CONNECT] connect -> 60, done=0
16:11:20.665071 [0-0] * closing connection #0
16:11:20.665116 [0-0] * [HTTPS-CONNECT] close
16:11:20.665169 [0-0] * [SETUP] close
16:11:20.665364 [0-0] * [SETUP] destroy
16:11:20.665404 [0-0] * [HTTPS-CONNECT] destroy
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
2025-01-10 16:11:21.799 WARNING (Thread-2 (_do_shutdown)) [homeassistant.util.executor] Thread[SyncWorker_8] is still running at shutdown: File "/usr/local/lib/python3.13/threading.py", line 1012, in _bootstrap
    self._bootstrap_inner()
  File "/usr/local/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.13/threading.py", line 992, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.13/concurrent/futures/thread.py", line 93, in _worker
    work_item.run()
  File "/usr/local/lib/python3.13/concurrent/futures/thread.py", line 59, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.13/site-packages/aiodiscover/discovery.py", line 93, in _setup_sys_network_data
    from pyroute2.iproute import (  # noqa: F811
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1310, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/usr/local/lib/python3.13/site-packages/pyroute2/__init__.py", line 78, in <module>
    loaded = entry_point.load()
  File "/usr/local/lib/python3.13/importlib/metadata/__init__.py", line 179, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.13/importlib/__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/usr/local/lib/python3.13/site-packages/pyroute2/conntrack.py", line 3, in <module>
    from pyroute2.netlink.nfnetlink.nfctsocket import (
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1022, in exec_module
  File "<frozen importlib._bootstrap_external>", line 1173, in get_code
  File "<frozen importlib._bootstrap_external>", line 1241, in _cache_bytecode
  File "<frozen importlib._bootstrap_external>", line 1266, in set_data
  File "<frozen importlib._bootstrap_external>", line 217, in _write_atomic

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@j0nnymoe
Member

Yep, we're aware of this. Unfortunately we need to wait for it to be fixed upstream, then our containers will pick up the fix.

@hceuterpe

@marknsikora
Author

That fix isn't in the 3.21 release that the current container is based off of. I verified the fix by manually installing the update in a running container. Like @j0nnymoe said, we need to wait for alpine to release a version that has that fix installed.

@hceuterpe

hceuterpe commented Jan 10, 2025

Looks like they specifically targeted the ca-certificates package version, with the patch to add the Entrust CA certs back in:
https://pkgs.alpinelinux.org/package/edge/main/x86/ca-certificates
->20241121-r1
https://gitlab.alpinelinux.org/alpine/aports/-/commit/6629b908cd04f098327f13019c5db40ddf4fd078

Last version I had working was HA 2025.1.0. That version still had 20241010-r0, but it's also Alpine Linux 3.21.

Couldn't you just update the package_versions.txt to the -r1 one?
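As an added example (not code from this thread or from the linuxserver project), a small check script for the fix just described: run inside an Alpine-based container, it reports whether the installed ca-certificates-bundle is at or past 20241121-r1 and how many Entrust roots the bundle curl reads contains. It assumes Alpine's DATE-rN package version layout and, for the bundle scan only, that openssl is installed.

```shell
#!/bin/sh
# Added check (not from the thread or the linuxserver project): run inside an
# Alpine-based container to see whether the ca-certificates rebuild that restores
# the Entrust roots (20241121-r1 per the thread) is installed, and whether the
# bundle curl reads (/etc/ssl/cert.pem, per the curl output above) carries any
# Entrust root. Assumes Alpine's DATE-rN package versioning; the bundle scan
# additionally assumes openssl is installed.

FIXED_VERSION=20241121-r1

# cacerts_has_fix VERSION: succeed if VERSION (e.g. "20241010-r0") is at or past
# FIXED_VERSION; compares the date part numerically, then the -rN release number.
cacerts_has_fix() {
  case "$1" in *-r*) ;; *) return 1 ;; esac
  have_date=${1%%-r*}; have_rel=${1##*-r}
  want_date=${FIXED_VERSION%%-r*}; want_rel=${FIXED_VERSION##*-r}
  [ "$have_date" -gt "$want_date" ] && return 0
  [ "$have_date" -eq "$want_date" ] && [ "$have_rel" -ge "$want_rel" ] && return 0
  return 1
}

# count_entrust_roots BUNDLE: print how many certificates in the PEM bundle have
# "Entrust" in their subject (0 when none; needs openssl).
count_entrust_roots() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep '^subject=' | grep -c 'Entrust' || true
}

# report: the full check, meant to be run inside the container with --run.
report() {
  installed=$(apk info -v 2>/dev/null | sed -n 's/^ca-certificates-bundle-//p' | head -n 1)
  if cacerts_has_fix "$installed"; then
    echo "ca-certificates-bundle $installed: at or past $FIXED_VERSION"
  else
    echo "ca-certificates-bundle ${installed:-unknown}: older than $FIXED_VERSION"
  fi
  if command -v openssl >/dev/null 2>&1; then
    echo "Entrust roots in /etc/ssl/cert.pem: $(count_entrust_roots /etc/ssl/cert.pem)"
  else
    echo "openssl not found; skipping bundle scan"
  fi
  # With the root missing, curl reports error 60 "self-signed certificate in
  # certificate chain" (as in the log above) although the server is not self-signed.
}

if [ "${1:-}" = "--run" ]; then report; fi
```

A bundle count of 0 alongside an older package version confirms the image still lacks the rebuild; the version check alone is enough once the base image has been refreshed.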

@Roxedus
Member

Roxedus commented Jan 10, 2025

Couldn't you just update the package_versions.txt to the -r1 one?

No, that's not how it works.

@thespad
Member

thespad commented Jan 10, 2025

package_versions is an output, not an input. The ca-certificates package is sourced from the base image, which is what needs updating before another HA build is triggered.

@hceuterpe

Oh, looks like the bot picked up the changes and pulled in Alpine Linux 3.21.2 for the base image just a few minutes ago.
https://github.com/linuxserver/docker-baseimage-alpine/releases/tag/3.21-00c9ddba-ls5

@thespad
Member

thespad commented Jan 10, 2025

I've triggered a Home Assistant build as its next scheduled check isn't until Monday.

@FelixM01

Hey, is it possible that this new build is not working correctly?

Here is what I get with the new build:

failed to set capabilities on file 'usr/local/bin/python3.13,bak' : no such file or directory

Image: Linuxserver.io version: 2025.1.2-ls66, Build-date: 2025-01-10T20:32:10+00:00

Running on Docker on Raspberry Pi 5

The error has been present since the container has been running with the new build.

With Linuxserver.io version: 2025.1.2-ls65, Build-date: 2025-01-09T23:58:30+00:00 the container is running fine.

@thespad
Member

thespad commented Jan 11, 2025

@hceuterpe

It was also working fine yesterday afternoon for me, right after @thespad triggered the new build.

@FelixM01

Thank you for your feedback. I will have a look; maybe the issue is on my side then. Will have a look.
