skip to Main Content
RUN pecl install mongodb-1.4.2

Resulted in this output:

RUN pecl install mongodb-1.4.2 &&   docker-php-ext-enable mongodb:
No releases available for package "pecl.php.net/mongodb"
install failed

Could this be a cert issue? because if I try to wget i get following:

Connecting to pecl.php.net (104.236.228.160:443)
ssl_client: pecl.php.net: certificate verification failed: certificate has expired

PHP Version
php:7.0

Is there a way to fix this or do I need to just wait for them to update the cert?

2

Answers


  1. Your base image is too old and doesn’t have the appropriate certificate information, and apk update && apk upgrade don’t get you there. I don’t see any way to tell pecl to ignore certs but you could do:

    wget --no-check-certificate https://pecl.php.net/get/mongodb-1.4.2.tgz
    pecl install --offline ./mongodb-1.4.2.tgz
    

    Of course, I’d have recommend not using such old versions and then it won’t be a problem.

    Login or Signup to reply.
  2. I was able to solve this by removing the offending certificate from the docker image. I’m also on a situation where I cannot upgrade the PHP version and I need timezonedb always up-to-date from PECL.
    After removing them PECL works normally.

    Read https://github.com/libressl/portable/issues/692#issuecomment-937800309 lead to https://github.com/openbsd/src/commit/3c95f6f12797ebbdedb8d5f712eb65bd04fe233a

    I then made a grep to see where the cert was on my docker image (php5.6-alpine) and removed it.
    Two files required a patch, and two files were the whole certificate.

    #12 [web base 4/7] RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
    #12 0.445 /etc/ssl/cert.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    #12 0.754 /etc/ssl/certs/2e5ac55d.0:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    #12 0.754 /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    #12 0.754 /etc/ssl/certs/ca-certificates.crt:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    

    Patch /etc/ssl/certs/ca-certificates.crt

    --- /etc/ssl/certs/ca-certificates.crt.ori
    +++ /etc/ssl/certs/ca-certificates.crt
    @@ -956,27 +956,6 @@
     -----END CERTIFICATE-----
     
     -----BEGIN CERTIFICATE-----
    -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    ------END CERTIFICATE-----
    -
    ------BEGIN CERTIFICATE-----
     MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
     MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
     d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
    
    

    Patch /etc/ssl/cert.pem

    --- cert.pem.ori
    +++ cert.pem
    @@ -2182,49 +2182,6 @@
     gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
     -----END CERTIFICATE-----
     
    -### Digital Signature Trust Co.
    -
    -=== /O=Digital Signature Trust Co./CN=DST Root CA X3
    -Certificate:
    -    Data:
    -        Version: 3 (0x2)
    -        Serial Number:
    -            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
    -    Signature Algorithm: sha1WithRSAEncryption
    -        Validity
    -            Not Before: Sep 30 21:12:19 2000 GMT
    -            Not After : Sep 30 14:01:15 2021 GMT
    -        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
    -        X509v3 extensions:
    -            X509v3 Basic Constraints: critical
    -                CA:TRUE
    -            X509v3 Key Usage: critical
    -                Certificate Sign, CRL Sign
    -            X509v3 Subject Key Identifier: 
    -                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
    -SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
    -SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
    ------BEGIN CERTIFICATE-----
    -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    ------END CERTIFICATE-----
    -
     ### Disig a.s.
     
     === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
    

    Then remove the other two files which are the whole cert /etc/ssl/certs/2e5ac55d.0 and /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem

    These are the final dockerfile lines, I left the grep line intentionally to debug this if some file is renamed

    COPY docker/ca-certificates.patch /tmp
    COPY docker/cert.pem.patch /tmp
    RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
    RUN apk update && apk upgrade
    RUN patch /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.patch && 
        patch /etc/ssl/cert.pem /tmp/cert.pem.patch && 
        rm /etc/ssl/certs/2e5ac55d.0 && 
        rm /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem
    

    PS: Originally from https://github.com/php/php-src/issues/11486#issuecomment-1626075999 answering here too just in case.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search