Wget SSL fails in build, but succeeds in SSH debugging

I have a strange build issue involving the SSL helper in wget.

I have a step that fails in a build when trying to fetch a vanilla WordPress tarball:

Step 10/44 : RUN cd /root &&     wget https://wordpress.org/wordpress-4.9.7.tar.gz &&     gunzip wordpress-*.tar.gz &&     tar -xf wordpress-*.tar &&     rm wordpress-*.tar
 ---> Running in 25f40a9d8e96
Connecting to wordpress.org (198.143.164.252:443)
ssl_client: wordpress.org: TLS connect failed
wget: error getting response: Connection reset by peer
The command '/bin/sh -c cd /root &&     wget https://wordpress.org/wordpress-4.9.7.tar.gz &&     gunzip wordpress-*.tar.gz &&     tar -xf wordpress-*.tar &&     rm wordpress-*.tar' returned a non-zero code: 1
Exited with code 1

However, if I get an SSH session at the end of a failing build, I can download successfully:

~ # wget https://wordpress.org/wordpress-4.9.7.tar.gz
Connecting to wordpress.org (198.143.164.252:443)
wordpress-4.9.7.tar. 100% |*********************************************************************************************************************************************************************************************|  8537k  0:00:00 ETA

The relevant part of my Dockerfile is thus:

FROM alpine:3.6 AS build

# Required to do Git clone operation
RUN apk --update add git openssh-client

WORKDIR /root

# Install the private SSH key to be able to fetch private, low-value repos
#
# The known hosts can be generated by turning off StrictHostKeyChecking temporarily,
# then cloning the private repo in the container manually, and copying the resulting
# known_hosts to this repository (see https://stackoverflow.com/a/29380672).
COPY config/ssh-keys/bitbucket_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
COPY config/ssh-keys/known_hosts /root/.ssh/known_hosts

RUN mkdir themes
RUN git clone git@bitbucket.org:halferbits/threattocreativity-forked.git themes/threattocreativity && \
    git clone git@bitbucket.org:halferbits/jonblog-theme.git themes/jonblog

# Stock unzip won't work
# Need ca-certificates and openssl to fetch WP
RUN apk add unzip openssl ca-certificates

# This will decompress to /root/wordpress
RUN cd /root && \
    wget https://wordpress.org/wordpress-4.9.7.tar.gz && \
    gunzip wordpress-*.tar.gz && \
    tar -xf wordpress-*.tar && \
    rm wordpress-*.tar

It’s a two-stage build, and this is the start of the first stage, which just downloads stuff the box needs.

Since I am getting an SSL error, I’d have thought it would be a certs problem, but I am fetching the ca-certificates dependency.

This appears to be fixable by upgrading the build stage from Alpine 3.6 to Alpine 3.7. I’ve not modified the run stage, but this does not need to do any build fetching, so seems to be immune from any cert problems at wordpress.org.
