Use latest heroku images to fix Let's Encrypt root certificate expiration #699

Closed
nicolas-brousse opened this issue Oct 8, 2021 · 3 comments

Comments

@nicolas-brousse

👋 I ran into an issue using herokuish with a dokku deployment today.
While deploying, a dependency is installed using git clone, but I get a "server certificate verification failed. CAfile: none CRLfile: none" error.

If I try to git clone a repository from a git server that uses Let's Encrypt (with ISRG Root X1, not the expired one) on the latest gliderlabs/herokuish:latest-20, I get this error:

% docker run -it --rm gliderlabs/herokuish:latest-20 /bin/bash
root@db314b91148c:/# git clone https://framagit.org/framasoft/nextcloud/nextcloud-theme
Cloning into 'nextcloud-theme'...
fatal: unable to access 'https://framagit.org/framasoft/nextcloud/nextcloud-theme/': server certificate verification failed. CAfile: none CRLfile: none
root@db314b91148c:/# curl -I https://framagit.org/framasoft/nextcloud/nextcloud-theme
HTTP/2 200 
date: Fri, 08 Oct 2021 15:00:54 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
cache-control: max-age=0, private, must-revalidate
etag: W/"6fb099b1b18f84d2dc5159db592f86b5"
link: </assets/application_utilities-fa3148ad24e616bfa530484a9393969c21280799fb9f29f932670d419defeb21.css>; rel=preload; as=style; type=text/css,</assets/application-a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2.css>; rel=preload; as=style; type=text/css,</assets/highlight/themes/white-5c0380ce57a7c89f3f92ec056e54986509621cf4957307f8955be09a66657a1c.css>; rel=preload; as=style; type=text/css
permissions-policy: interest-cohort=()
set-cookie: event_filter=all; path=/; Secure; SameSite=None
set-cookie: _gitlab_session=cb4262f63b98837ffe8a0953e9a51f8c; path=/; expires=Fri, 08 Oct 2021 17:00:54 GMT; secure; HttpOnly; SameSite=None
vary: Accept
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-request-id: 01FHG6QQ88XZP4FVRYVJ3MD5QF
x-runtime: 0.135233
x-ua-compatible: IE=edge
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains; preload
referrer-policy: strict-origin-when-cross-origin
permissions-policy: interest-cohort=()

But with the latest heroku/heroku:20 image, it works:

% docker run -it --rm heroku/heroku:20 /bin/bash
root@8db6fbc76f4d:/# git clone https://framagit.org/framasoft/nextcloud/nextcloud-theme
Cloning into 'nextcloud-theme'...
warning: redirecting to https://framagit.org/framasoft/nextcloud/nextcloud-theme.git/
remote: Enumerating objects: 926, done.
remote: Counting objects: 100% (926/926), done.
remote: Compressing objects: 100% (753/753), done.
remote: Total 926 (delta 231), reused 812 (delta 152), pack-reused 0
Receiving objects: 100% (926/926), 14.03 MiB | 8.62 MiB/s, done.
Resolving deltas: 100% (231/231), done.

It seems building a new version of herokuish based on the latest heroku images should fix the issue.
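One way to compare the trust stores of the two images mentioned above, as an added example that is not part of the original thread or the herokuish project: it lists roots in a PEM bundle that are expired (or expire within a window) and checks whether ISRG Root X1 is present. It assumes the `openssl` CLI is installed in the image and that the bundle is at the Debian/Ubuntu path `/etc/ssl/certs/ca-certificates.crt`; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a PEM CA bundle (added example; function names are hypothetical).

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-NNNN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# expiring_roots BUNDLE [SECONDS]: print subject and end date of every
# certificate that is expired or expires within SECONDS (default 0).
expiring_roots() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        # -checkend exits non-zero if the cert expires within the window
        if ! openssl x509 -in "$c" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
            openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$tmp"
}

# has_root BUNDLE NAME: succeed if any certificate subject contains NAME
has_root() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    found=1
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        if openssl x509 -in "$c" -noout -subject | grep -qF "$2"; then found=0; fi
    done
    rm -rf "$tmp"
    return $found
}

# Stand-alone use: sh audit.sh /etc/ssl/certs/ca-certificates.crt
if [ "$#" -ge 1 ]; then
    expiring_roots "$1"
    if has_root "$1" "ISRG Root X1"; then echo "ISRG Root X1: present"
    else echo "ISRG Root X1: MISSING"; fi
fi
```

Running it inside both `gliderlabs/herokuish:latest-20` and `heroku/heroku:20` and diffing the output shows whether the two images ship different CA bundles.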

@rNoz

rNoz commented Oct 9, 2021

Yes, please, I am dealing with the same problem.

In case others are stuck, I solved it temporarily in my node doing this:

# remove any gliderlabs/herokuish image
git clone https://github.com/gliderlabs/herokuish
cd herokuish
# edit Dockerfile, setting 20 in the STACK_VERSION
# ARG STACK_VERSION=20
docker build -t gliderlabs/herokuish:latest-20 .
# rebuild the rest of the images/containers.

@josegonzalez
Member

afaik we do that already by using their build image: https://github.com/gliderlabs/herokuish/blob/master/Dockerfile#L2

What do we need to do to fix this?

@josegonzalez
Member

Closing as I don't think we have a bug here.
