Cannot access remote raster files when querying raster ca-certificates missing

[robe2]

A user reported this issue on postgis issue tracker:
trying to use 14-3.2 image

https://trac.osgeo.org/postgis/ticket/5199

User was trying to do an out-db-raster call to a google cloud raster, and the call failed because ca-certificates weren't installed.

Error was:

ERROR 11: CURL error: server certificate verification failed. CAfile: none CRLfile: none
2022-08-05 11:43:47.299 UTC [243] ERROR:  rt_band_load_offline_data: Cannot open offline raster: /vsigs/<bucket>/pop12.tif
2022-08-05 11:43:47.299 UTC [243] CONTEXT:  SQL function "st_pixelaspolygons" statement 1
        SQL statement "SELECT public.ST_Buffer(public.ST_Collect(t.geom), 0)            FROM public.ST_PixelAsPolygons(rast, nband) AS t"
        PL/pgSQL function _st_intersects(geometry,raster,integer) line 21 at SQL statement
        PL/pgSQL function st_intersection(geometry,raster,integer) line 11 at assignment
        SQL function "st_intersection" statement 1

[phillipross]

Thanks Regina. This makes sense. @ImreSamu I wonder if this might be some type of regression that happened somewhere along the line as the base debian containers were updated?

Whatever the case, we can look to see how much bigger the images become if we add in the certs package and whatever dependencies it might pull in, but I'm betting it's negligible.

[ImreSamu]

@phillipross

I wonder if this might be some type of regression that happened somewhere
along the line as the base debian containers were updated?

as I see ca-certificates is a "recommended package"
and we are using && apt-get install -y --no-install-recommends \

now the: postgresql-$PG_MAJOR-postgis-3 recommended packages : ca-certificates proj-bin poppler-data publicsuffix

Whatever the case, we can look to see how much bigger the images become
if we add in the certs package and whatever dependencies it might pull in,
but I'm betting it's negligible.

agree; negligible ~ +391 kB
apt install ca-certificates -> After this operation, 391 kB of additional disk space will be used.

[robe2]

Thanks all. So I assume this is all set and we can close or has a build not been released yet with this change?

[phillipross]

At the moment the PR is up but still in review. When we get it finalized and merged then we'll swing back and close this issue. But to be clear, this issue explicit covers getting the ca-certificates package into the docker image, but the trac issue may not necessarily be resolved by this fix. The user reporting the issue on trac should retest after we get this PR merged to make sure this is really the fix for the issue 😊