Debarshi Ray: Toolbx containers hit by CA certificates breakage
news.movim.eu / PlanetGnome • 30 August • 2 minutes
If you are using Toolbx 0.1.2 or newer, then some existing containers have been hit by a bug that breaks certificates from certificate authorities (or CAs) that are used for secure network communication. The bug prevents OpenSSL and other cryptography components from finding any certificates, which means that programs like pacman and DNF that use OpenSSL are unable to download any metadata or packages. For what it’s worth, GnuTLS and, possibly, Network Security Services (or NSS) are unaffected.
This is a serious breakage because OpenSSL is widely used, and when it breaks the standard mechanisms for shipping updates, it can be difficult for users to find a way forward. So, without going into too many details, here’s how to diagnose if you are in this situation and how to repair your containers.

Diagnosis
Among the different operating system distributions that we regularly test Toolbx on, so far it seems that Arch Linux and Fedora containers are affected. However, if you suddenly start experiencing network errors related to CA certificates inside your Toolbx containers, then you might be affected too.
Within Arch Linux containers, you will see that files like /etc/ca-certificates/extracted/ca-bundle.trust.crt, /etc/ca-certificates/extracted/edk2-cacerts.bin, /etc/ca-certificates/extracted/tls-ca-bundle.pem, etc. have been emptied out and /etc/ca-certificates/extracted/java-cacerts.jks looks suspiciously truncated at 32 bytes.
Within Fedora containers, you will see the same, but the file paths are slightly different. They are /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt, /etc/pki/ca-trust/extracted/edk2/cacerts.bin, /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, /etc/pki/ca-trust/extracted/java/cacerts, etc.
Workaround
First, you need to disable something called remote p11-kit inside the containers. This requires getting rid of /etc/pkcs11/modules/p11-kit-trust.module from the containers:
⬢ $ sudo rm /etc/pkcs11/modules/p11-kit-trust.module
… and the p11-kit-client.so PKCS #11 module.
On Arch Linux:
⬢ $ sudo rm /usr/lib/pkcs11/p11-kit-client.so
On Fedora 43 onwards, it’s provided by the p11-kit-client RPM, and on older releases it’s the p11-kit-server RPM:
⬢ $ sudo dnf remove p11-kit-client
Package Arch Version Repository Size
Removing:
p11-kit-client x86_64 0.25.5-9.fc43 ab42c14511ba47b 1.2 MiB
Transaction Summary:
Removing: 1 package
After this operation, 1 MiB will be freed (install 0 B, remove 1 MiB).
Is this ok [y/N]: y
Running transaction
[1/2] Prepare transaction 100% | 66.0 B/s | 1.0 B | 00m00s
[2/2] Removing p11-kit-client-0:0.25.5-9.fc43.x86_64 100% | 16.0 B/s | 5.0 B | 00m00s
>>> Running %triggerpostun scriptlet: systemd-0:257.7-1.fc43.x86_64
>>> Finished %triggerpostun scriptlet: systemd-0:257.7-1.fc43.x86_64
>>> Scriptlet output:
>>> Failed to connect to system scope bus via local transport: No such file or directory
>>>
>>> Running %triggerpostun scriptlet: systemd-0:257.7-1.fc43.x86_64
>>> Finished %triggerpostun scriptlet: systemd-0:257.7-1.fc43.x86_64
>>> Scriptlet output:
>>> Failed to connect to system scope bus via local transport: No such file or directory
>>>
Complete!
Then, you need to restart the container, run update-ca-trust(8), and that’s all:
⬢ $
logout
$ podman stop <CONTAINER>
<CONTAINER>
$ toolbox enter <CONTAINER>
⬢ $ sudo update-ca-trust
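The diagnosis and the first workaround step above, put into a small script as an added example (this is not code from the post or from the Toolbx project). It checks the extracted CA bundle paths listed above for the distribution named in /etc/os-release, flags files that are missing, emptied out or suspiciously small, reports whether the remote p11-kit module configuration is still present, and can remove that configuration (and, on Arch Linux, the client library). Every function takes an optional root prefix, an assumption made so the logic can be exercised against a scratch directory instead of the live container; the 1 KiB "too small" threshold is also an assumption, chosen because a real extracted bundle is far larger. Package removal on Fedora and the final update-ca-trust run are left to the commands shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: diagnose the Toolbx CA
# certificate breakage and optionally disable remote p11-kit.
# All paths are relative to an optional root prefix ("" = the live system).

# Size of a file in bytes, stripped of any leading blanks wc may emit.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Distribution ID from os-release under the given root ("unknown" if absent).
distro_id() {
    root="${1:-}"
    if [ -r "$root/etc/os-release" ]; then
        sed -n 's/^ID=//p' "$root/etc/os-release" | tr -d '"'
    else
        printf 'unknown\n'
    fi
}

# Extracted CA bundle files named in the post, keyed by distribution.
ca_bundle_paths() {
    case "$1" in
        arch)
            printf '%s\n' \
                /etc/ca-certificates/extracted/ca-bundle.trust.crt \
                /etc/ca-certificates/extracted/edk2-cacerts.bin \
                /etc/ca-certificates/extracted/tls-ca-bundle.pem \
                /etc/ca-certificates/extracted/java-cacerts.jks ;;
        fedora)
            printf '%s\n' \
                /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt \
                /etc/pki/ca-trust/extracted/edk2/cacerts.bin \
                /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
                /etc/pki/ca-trust/extracted/java/cacerts ;;
        *) return 1 ;;
    esac
}

# Print one status line per bundle file. Returns 0 when every file looks
# healthy, 1 when any is missing/empty/truncated, 2 for an unsupported distro.
# The 1 KiB threshold is an assumption: real bundles are hundreds of KiB.
check_ca_bundles() {
    root="${1:-}"
    min_bytes="${2:-1024}"
    id=$(distro_id "$root")
    paths=$(ca_bundle_paths "$id") || { printf 'unsupported distro: %s\n' "$id"; return 2; }
    broken=0
    for p in $paths; do
        f="$root$p"
        if [ ! -e "$f" ]; then
            printf 'MISSING   %s\n' "$p"; broken=1
        elif [ ! -s "$f" ]; then
            printf 'EMPTY     %s\n' "$p"; broken=1
        else
            n=$(size_of "$f")
            if [ "$n" -lt "$min_bytes" ]; then
                printf 'TRUNCATED %s (%s bytes)\n' "$p" "$n"; broken=1
            else
                printf 'OK        %s\n' "$p"
            fi
        fi
    done
    return "$broken"
}

# True when the remote p11-kit module configuration the post removes is present.
remote_p11_kit_active() {
    [ -e "${1:-}/etc/pkcs11/modules/p11-kit-trust.module" ]
}

# First half of the workaround: drop the module configuration and, on Arch,
# the client library. On Fedora the RPM must still be removed with dnf.
disable_remote_p11_kit() {
    root="${1:-}"
    rm -f "$root/etc/pkcs11/modules/p11-kit-trust.module"
    case "$(distro_id "$root")" in
        arch)   rm -f "$root/usr/lib/pkcs11/p11-kit-client.so" ;;
        fedora) printf 'now run: sudo dnf remove p11-kit-client (p11-kit-server before Fedora 43)\n' ;;
    esac
}

# Usage inside the container (as root):
#   sh ca-check.sh --check   diagnose only
#   sh ca-check.sh --fix     diagnose and disable remote p11-kit
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--fix" ]; then
    check_ca_bundles "" || true
    if remote_p11_kit_active ""; then
        echo "remote p11-kit configuration present"
        if [ "$1" = "--fix" ]; then
            disable_remote_p11_kit ""
        fi
    fi
fi
```

After --fix, restart the container and run update-ca-trust as shown above; the script deliberately stops short of that because the restart has to happen from outside the container.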