
Cannot run update-ca-certificates #26

Open
nsklikas opened this issue Sep 11, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@nsklikas
Contributor

Even though we add the ca-certificates package, we can't run the update-ca-certificates script. Currently it fails because rm and mktemp are not present in the bare image.

$ docker run ghcr.io/canonical/kratos:1.0.0 exec update-ca-certificates
2023-09-11T14:09:32.773Z [pebble] Started daemon.
2023-09-11T14:09:32.781Z [pebble] POST /v1/exec 7.802789ms 202
2023-09-11T14:09:32.787Z [pebble] GET /v1/tasks/1/websocket/control 5.682901ms 200
2023-09-11T14:09:32.787Z [pebble] GET /v1/tasks/1/websocket/stdio 38.334µs 200
2023-09-11T14:09:32.788Z [pebble] GET /v1/tasks/1/websocket/stderr 27.827µs 200
/usr/sbin/update-ca-certificates: 84: mktemp: not found
/usr/sbin/update-ca-certificates: 75: rm: not found
2023-09-11T14:09:32.806Z [pebble] GET /v1/changes/1/wait 18.323217ms 200
@nsklikas nsklikas added the bug Something isn't working label Sep 11, 2023
@syncronize-issues-to-jira

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-483.

This message was autogenerated

@bencekov
Contributor

I added all the packages to run update-ca-certificates, on this branch: https://github.com/canonical/kratos-rock/blob/IAM-483-Enable-certificates-update/rockcraft.yaml

I got this error message:
sed: can't read /etc/ca-certificates.conf: No such file or directory

I verified that the file isn't there. I guess this file gets created when a package manager triggers a script.

I'm not sure what's the best way to proceed. Seems like other charms that use ca-certificates don't use the bare build for ubuntu.

@nsklikas
Contributor Author

I tried it out a little and I have a couple of comments:

  • The reason this happens is that /etc/ca-certificates.conf is created by a maintainer script in the package. Rockcraft installs the Debian packages but does not run the maintainer scripts.
  • The error that you see is a soft error, meaning that the script does not fail. If you place a cert in /usr/local/share/ca-certificates, after you run update-ca-certificates you will see that cert in /etc/ssl/certs.
  • The problem is that even though the certificates in /usr/local/share/ca-certificates are taken into account, all of the certs from the mozilla package are ignored because of the missing ca-certificates.conf file.
  • This is a rockcraft issue unrelated to our base image.

It is not clear how to move forward:

  • we can try to create the conf file manually (should not be too hard) in rockcraft.yaml
  • we can move all the certificates from /usr/share/ca-certificates/mozilla/ to /usr/local/share/ca-certificates/
  • we can create a chisel for the package that runs the script (?)

TBH all of the above solutions are far from ideal and I would not want to go forward with any of them. Maybe the rockcraft team can help us on this.
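As an added example (not code from this issue or from the kratos-rock repository) of the first option above, creating the conf file by hand: a POSIX sh script that writes the list the package's maintainer script would normally have produced, plus a post-build check that the Mozilla roots actually ended up in the bundle rather than being silently dropped. It assumes the ca-certificates.conf format of one path per line relative to /usr/share/ca-certificates, `#` for comments and a leading `!` to deselect an entry.

```shell
#!/bin/sh
# Added example, not part of the issue or of kratos-rock.
# Recreates /etc/ca-certificates.conf for a bare image where the
# ca-certificates maintainer script never ran, so update-ca-certificates
# stops ignoring /usr/share/ca-certificates/mozilla.
# Assumed format: one path per line relative to /usr/share/ca-certificates,
# '#' starts a comment, a leading '!' deselects a certificate.
set -eu

# Print a ca-certificates.conf that selects every .crt below $1
# (default /usr/share/ca-certificates), sorted for reproducible builds.
gen_ca_conf() {
    share_dir="${1:-/usr/share/ca-certificates}"
    echo "# This file lists certificates that you wish to use or to ignore"
    echo "# to be installed in /etc/ssl/certs. Generated at image build time."
    # Paths must be relative to the share dir, so list from inside it.
    (cd "$share_dir" && find . -type f -name '*.crt' | sed 's|^\./||' | LC_ALL=C sort)
}

# Number of certificates a conf file selects (ignores comments, blanks
# and '!'-deselected entries). Useful to compare against the bundle.
count_selected() {
    grep -v -e '^#' -e '^!' -e '^$' "$1" | wc -l | tr -d ' '
}

# Post-build check: how many CA certs are in the generated bundle?
# A bare image that lost the Mozilla store shows a suspiciously low number
# (only whatever was dropped into /usr/local/share/ca-certificates).
count_bundle() {
    # grep -c still prints 0 when nothing matches, but exits 1; keep set -e happy.
    grep -c 'BEGIN CERTIFICATE' "${1:-/etc/ssl/certs/ca-certificates.crt}" || true
}

# Opt-in install step for use as a rockcraft override-build/override-prime
# command; left off by default so the file can be sourced safely.
if [ "${CA_CONF_INSTALL:-0}" = "1" ]; then
    gen_ca_conf > /etc/ca-certificates.conf
    update-ca-certificates
    echo "bundle now holds $(count_bundle) certificates"
fi
```

Run it with CA_CONF_INSTALL=1 inside the build, then compare count_bundle against count_selected on the generated conf to confirm nothing was dropped.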

@javierdelapuente

javierdelapuente commented Mar 25, 2024

You can try to install the ca-certificates in the overlay-packages (@amandahla suggested me that approach and it worked for me).
