
I'm trying to set up a Linux-based Docker container to run an Angular web app as described in this question (warning: long!). I've got to the point where I've established that the problem I'm having there stems from the fact that the attempt to install NPM as part of the Docker container setup failed.

When I bash into the container, and run the command that's meant to do this:

wget -O- https://deb.nodesource.com/setup_6.x

... I get an error:

ERROR: The certificate of 'deb.nodesource.com' is not trusted.

ERROR: The certificate of 'deb.nodesource.com' hasn't got a known issuer.

I'd love to be able to sort that issue the right way, but for now I'm just adding --no-check-certificate to the command, which bypasses that issue.

Now I have another error when I pipe that setup script into bash:

Your distribution, identified as "stretch", is not currently supported, please contact NodeSource at https://github.com/nodesource/distributions/issues if you think this is incorrect or would like your distribution to be considered for support

Following the link in that message, I see a bunch of issues, only some of which are related. However, a bit of extra googling brought me to the FAQ, which in turn pointed me at issue #9, which... has lots of people chipping in with different solutions, and references to other issues. :-(

The main suggestion seems to be to use sudo -E as follows:

wget -qO- https://deb.nodesource.com/setup_6.x | sudo -E bash -

... but I don't have sudo. :-(

UPDATE: I think the first issue with wget and the second issue have the same root cause. The Node setup script does a curl to some URL to test whether I'm on a supported version, and this is also failing due to HTTPS certificate issues.

If I do this:

curl -L https://deb.nodesource.com/setup

...then I get this error:

SSL certificate problem: self signed certificate in certificate chain

...which I can fix if I add the --insecure flag. But I think I need to fix the certificate issue before the Node setup script will work.

Any ideas how I can do that? (Maybe that should be a different question?).

Gary McGill
  • Can you just start your Dockerfile [`FROM node`](https://hub.docker.com/_/node/), which will have node/npm preinstalled for you? – David Maze Jan 28 '19 at 12:25
  • @DavidMaze: I don't know. It's already `FROM` something else, and I don't know if it can be `FROM` two things. This whole Docker/Node/Linux thing is new to me. – Gary McGill Jan 28 '19 at 12:27

1 Answer

You should be able to fix the certificate issue by installing ca-certificates, before running the node setup script. You will probably need gnupg as well to validate the downloaded node version.

Example (with the assumption that you have a debian stretch based image):

RUN apt-get update && \
    apt-get install -y ca-certificates gnupg curl wget --no-install-recommends && \
    rm -rf /var/lib/apt/lists/*
RUN <your node setup>

However, you could just use the command which is used in the official node image. Also, I would prefer this over a setup script which is pulled from somewhere during the build of the image (and which may change between builds). Directly executing downloaded scripts isn't a security best practice either.

ENV NODE_VERSION 6.16.0

RUN buildDeps='xz-utils' \
    && ARCH= && dpkgArch="$(dpkg --print-architecture)" \
    && case "${dpkgArch##*-}" in \
      amd64) ARCH='x64';; \
      ppc64el) ARCH='ppc64le';; \
      s390x) ARCH='s390x';; \
      arm64) ARCH='arm64';; \
      armhf) ARCH='armv7l';; \
      i386) ARCH='x86';; \
      *) echo "unsupported architecture"; exit 1 ;; \
    esac \
    && set -ex \
    && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr $buildDeps --no-install-recommends \
    && rm -rf /var/lib/apt/lists/* \
    && for key in \
      94AE36675C464D64BAFA68DD7434390BDBE9B9C5 \
      FD3A5288F042B6850C66B31F09FE44734EB7990E \
      71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 \
      DD8F2338BAE7501E3DD5AC78C273792F7D83545D \
      C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
      B9AE9905FFD7803F25714661B63B535A4C206CA9 \
      77984A986EBC2AA786BC0F66B01FBB92821C587A \
      8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
      4ED778F539E3634C779C87C6D7062848A1AB005C \
      A48C2BEE680E841632CD4E44F07496B3EB3C1762 \
      B9E2F5981AA6E0CD28160D9FF13993A75599653C \
    ; do \
      gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || \
      gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \
      gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \
    done \
    && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
    && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
    && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
    && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
    && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
    && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \
    && apt-get purge -y --auto-remove $buildDeps \
    && ln -s /usr/local/bin/node /usr/local/bin/nodejs
Leo
  • Thanks. I did already install both `ca-certificates` and `gnupg` (actually, they were *already* installed). I see that the code in the second part of your answer sets up some key servers... but I'm not really clear on why it's doing that. Would I also have to do that when doing it the `wget` way? – Gary McGill Jan 28 '19 at 14:31
  • It shouldn't be necessary if you're downloading and executing the setup script, because that's part of the setup script itself. Setting up the keyservers is necessary to validate the integrity of the downloaded archive. The archive is signed by a developer who built it. You could skip this step and probably be fine, but it would be a security issue, because you are missing a second source of trust in that case. – Leo Jan 28 '19 at 15:32
  • So, I think then that this would fail for the same reason that everything else I've tried fails. Namely that the `curl` commands would complain about the certificates... – Gary McGill Jan 28 '19 at 15:41
  • Could you elaborate more on your base image? – Leo Jan 28 '19 at 16:51
  • This minimal example doesn't throw any errors: `FROM debian:stretch-slim` `RUN apt-get update && apt-get install -y ca-certificates curl wget gnupg --no-install-recommends && rm -rf /var/lib/apt/lists/*` `RUN curl -L https://deb.nodesource.com/setup` – Leo Jan 28 '19 at 16:51
  • I think the issue is because I'm working in a corporate environment where the firewall is intercepting/replacing the certificates. See my separate question here: https://stackoverflow.com/q/54402673/98422 – Gary McGill Jan 28 '19 at 16:59
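
The answer's objection to piping a downloaded setup script straight into bash (it may change between builds, and TLS alone is the only source of trust) can be addressed by saving the script, checking it against a digest recorded after review, and only then running it. The following is an added example, not code from the question, the answer or NodeSource; the function names `sha256_of`, `verify_pinned` and `run_if_pinned` are hypothetical, and the pin in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it matches a pinned SHA-256,
# instead of `wget -qO- <url> | bash -`.
#
# Usage in a build step (the pin is a placeholder recorded after reviewing the script):
#   wget -qO setup_6.x https://deb.nodesource.com/setup_6.x \
#     && run_if_pinned setup_6.x "<pinned-sha256>"

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
sha256_of() {
  sha256sum -- "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 on match, 1 on digest mismatch, 2 on a missing file or malformed pin.
verify_pinned() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  # Accept only exactly 64 hex characters, so an empty or truncated pin
  # (for example an unset build variable) can never pass the comparison.
  case "$expected" in
    ""|*[!0-9a-fA-F]*) echo "malformed pin" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file: got $actual" >&2
    return 1
  fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Executes FILE with bash only after the digest check has passed.
run_if_pinned() {
  local file="$1" expected="$2"
  shift 2
  verify_pinned "$file" "$expected" || return $?
  bash -- "$file" "$@"
}
```

A build that uses this fails closed when the upstream script changes, which turns a silent change between builds into a visible review step.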