Service build fails with not trusted/expired cert from www.postgresql.org

I'm building ODK Central version 1.5.1 on an AWS EC2 instance using Ansible. It worked fine a couple weeks ago, but I just tried a clean deploy this week and now it's failing when building the service container. Ansible reports that the problem is in the RUN command at line 5 of service.dockerfile:

RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list; \
  wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -; \
  apt-get update; \
  apt-get install -y cron gettext postgresql-client-9.6

I removed --quiet from the wget command and got the following errors when I tried to build just that service with docker-compose build service:

deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main
--2021-10-06 14:26:37--  https://www.postgresql.org/media/keys/ACCC4CF8.asc
Resolving www.postgresql.org (www.postgresql.org)... 72.32.157.230, 87.238.57.232, 217.196.149.50, ...
Connecting to www.postgresql.org (www.postgresql.org)|72.32.157.230|:443... connected.
Warning: apt-key output should not be parsed (stdout is not a terminal)
ERROR: The certificate of 'www.postgresql.org' is not trusted.
ERROR: The certificate of 'www.postgresql.org' has expired.
gpg: no valid OpenPGP data found.
W: GPG error: http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8
W: The repository 'http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease' is not signed.

Is anyone else experiencing this?
Is the cert from www.postgresql.org really expired or is there a network issue or something else on my side causing this problem?

Can you clarify which version of Central? We just released 1.3.1 but haven't gotten to 1.5.1 yet :sweat_smile:

That said, we also ran into this postgres cert issue when trying a fresh install of Central 1.2 a few days ago. Please try the latest version of Central, which uses a different node docker image.

Oops, sorry about that bad version number, I was looking at the version of the getodk/pyxform-http image. I downloaded zip files early last month, so it must be a version of 1.2. Is there a way to get the version number from the code?

Is this caused by a bad cert from www.postgresql.org?
So in 1.3 you pull postgresql differently so this isn't an issue?

This is not caused by a bad cert from postgresql.org. Rather the ISRG Root X1 cert in the Node container Central v1.2 uses has expired and so the container cannot securely connect to postgresql.org. Upgrading to Central v1.3 is the easiest and safest solution because the Node container we use in v1.3 has root certs that are not expired.
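
An added example, not part of the thread or of ODK Central's code: a small Python triage that reads the build output quoted in the question and reports the failure chain it shows (TLS verification fails while fetching the key, so no key is imported and the apt repository is left unverified). The function names are hypothetical; the log lines are copied from the question.

```python
import re

# Build output quoted in the question above, trimmed to the relevant lines.
BUILD_LOG = """\
Connecting to www.postgresql.org (www.postgresql.org)|72.32.157.230|:443... connected.
ERROR: The certificate of 'www.postgresql.org' is not trusted.
ERROR: The certificate of 'www.postgresql.org' has expired.
gpg: no valid OpenPGP data found.
W: GPG error: http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8
W: The repository 'http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease' is not signed.
"""

TLS_ERR = re.compile(r"^ERROR: The certificate of '([^']+)' (is not trusted|has expired)\.")
NO_KEY_DATA = re.compile(r"^gpg: no valid OpenPGP data found")
NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-F]{16})")
UNSIGNED = re.compile(r"^W: The repository '([^']+)' is not signed")


def triage(log):
    """Collect the trust failures that appear in a build log."""
    found = {"tls": {}, "key_import_failed": False,
             "missing_keys": [], "unsigned_repos": []}
    for line in log.splitlines():
        line = line.strip()
        if m := TLS_ERR.match(line):
            # Group the TLS complaints per host: {"host": ["is not trusted", ...]}
            found["tls"].setdefault(m.group(1), []).append(m.group(2))
        elif NO_KEY_DATA.match(line):
            found["key_import_failed"] = True
        elif m := UNSIGNED.match(line):
            found["unsigned_repos"].append(m.group(1))
        if m := NO_PUBKEY.search(line):
            found["missing_keys"].append(m.group(1))
    return found


def verdict(found):
    """Return (ok, reason); ok is False when a repository went unverified."""
    if found["unsigned_repos"] or found["missing_keys"]:
        if found["tls"] and found["key_import_failed"]:
            hosts = ", ".join(sorted(found["tls"]))
            return False, f"signing key never imported: TLS verification to {hosts} failed"
        return False, "repository signature could not be verified"
    if found["tls"]:
        return False, "TLS verification failed"
    return True, "no trust failures found"
```

The log alone shows that verification failed inside the build container; it cannot show whether the cause is the server's certificate or the container's own root store.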

Ah, thanks for the explanation! I'll look into moving us to 1.3 as suggested.

Actually, I'm getting errors importing our database with v1.3. It worked with v1.2. Is there a working version of v1.2 that I can try? I tried the latest v1.2 releases from GitHub, but they have the same build error mentioned above.