fix: run update-ca-certificates after apt-get in simplerisk image #142
Merged
WolfangAukang merged 1 commit intoJun 8, 2026
…mage

ca-certificates is installed but update-ca-certificates is never called, so /etc/ssl/certs/ca-certificates.crt is absent from the built image. PHP's libcurl is compiled with that path as its default CA bundle, causing all outbound HTTPS cURL calls to fail with:

error setting certificate file: /etc/ssl/certs/ca-certificates.crt

This affects any feature that makes outbound HTTPS calls from the container.

Fix: chain update-ca-certificates at the end of the apt-get RUN layer.

Note: simplerisk-minimal is unaffected — it already calls update-ca-certificates as part of its SSL certificate generation step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
WolfangAukang
approved these changes
Jun 8, 2026
Summary
- ca-certificates is installed via apt-get but update-ca-certificates is never called during the build, so /etc/ssl/certs/ca-certificates.crt is absent from the resulting image
- libcurl is compiled with that path as its default CA bundle (--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt), so any outbound HTTPS request via PHP's cURL extension fails immediately with error setting certificate file: /etc/ssl/certs/ca-certificates.crt
- update-ca-certificates at the end of the existing apt-get install RUN layer in simplerisk/generate_dockerfile.sh, then regenerate simplerisk/Dockerfile

Note: simplerisk-minimal is unaffected — it already calls update-ca-certificates as part of its SSL certificate generation step.

Reproduction
On a fresh container from simplerisk/simplerisk:latest, any PHP cURL HTTPS call fails:

The file is absent because apt-get install ca-certificates installs the package but the post-install hook that generates the bundle (update-ca-certificates) is not triggered during the Docker build.

Fix
In simplerisk/generate_dockerfile.sh, added && update-ca-certificates at the end of the apt-get RUN block:

    rm -rf /var/lib/apt/lists && \
        update-ca-certificates

Test plan
- /etc/ssl/certs/ca-certificates.crt exists in the built image

🤖 Generated with Claude Code
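One way to automate the test-plan check at build time, as an added example that is not part of this pull request or the simplerisk repository. The helper names `check_ca_bundle` and `selftest_ca_bundle` are hypothetical, and the sample bundles are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example, not from the simplerisk repo. check_ca_bundle and
# selftest_ca_bundle are hypothetical helper names.
CA_BUNDLE_DEFAULT=/etc/ssl/certs/ca-certificates.crt  # path named in the PR

# Returns 0 if usable, 1 if missing, 2 if empty, 3 if PEM framing is broken.
check_ca_bundle() {
    bundle="${1:-$CA_BUNDLE_DEFAULT}"
    # Missing file: the state described in the PR (package installed,
    # update-ca-certificates never run, libcurl cannot load its default bundle).
    if [ ! -f "$bundle" ]; then
        echo "FAIL: $bundle does not exist" >&2
        return 1
    fi
    if [ ! -s "$bundle" ]; then
        echo "FAIL: $bundle is empty" >&2
        return 2
    fi
    # Require at least one certificate and a matching END for every BEGIN.
    # This is a framing check only; it does not validate the certificates.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: $bundle has $begins BEGIN / $ends END markers" >&2
        return 3
    fi
    echo "OK: $bundle contains $begins certificate(s)"
}

# Constructed sample inputs (placeholder PEM bodies) covering each outcome:
# missing, empty, truncated and well-formed. Prints the four return codes.
selftest_ca_bundle() {
    d=$(mktemp -d) || return 1
    : > "$d/empty.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        > "$d/truncated.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/ok.crt"
    out=""
    for f in missing empty truncated ok; do
        check_ca_bundle "$d/$f.crt" >/dev/null 2>&1 && rc=0 || rc=$?
        out="$out$rc "
    done
    rm -rf "$d"
    echo "${out% }"
}
```

Calling `check_ca_bundle` with no argument from a final build step or a CI job against the built image turns a missing or broken bundle into a failed build rather than a runtime cURL error.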