fix: add CA certificates to Docker image #1779

Merged
aawsome merged 1 commit into rustic-rs:main from alexma233:fix-docker-ca-certificates on Jun 8, 2026
@alexma233

Contributor

What this changes

Fixes #1777

This PR adds the Alpine CA certificate bundle to the final Docker image.

The runtime image still uses scratch; it now also includes:

/etc/ssl/certs/ca-certificates.crt

Why

The official Docker image is currently based on scratch. When using HTTPS/S3/REST-style backends, reqwest needs system CA certificates for TLS verification.

Without a CA bundle, rustic can panic during HTTP client initialization:

Client::new(): reqwest::Error { kind: Builder, source: General("No CA certificates were loaded from the system") }

This happened with ghcr.io/rustic-rs/rustic:latest / rustic 0.11.3 while backing up to an OpenDAL B2 repository.

Testing

I built and pushed a test image with this change, then used it in my Docker Compose backup setup with an OpenDAL B2 repository.

The backup completed successfully:

[INFO] repository opendal:b2:: password is correct.
[INFO] snapshot 8706869a successfully saved.
backup completed for data artifact=8706869a
step backup succeeded
backup task finished successfully

This confirms that TLS initialization works when the CA bundle is available in the Docker image.

@alexma233

Contributor Author

I tested multiple official image versions. They all use the scratch runtime image and do not contain a CA bundle, but the behavior changed in v0.11.3:

  • v0.11.0 official image without CA bundle: OK
  • v0.11.2 official image without CA bundle: OK
  • v0.11.3 official image without CA bundle: FAIL
  • v0.11.3 with this Dockerfile change: OK

The failing version panics during reqwest client initialization:

Client::new(): reqwest::Error { kind: Builder, source: General("No CA certificates were loaded from the system") }

I do not know which dependency change exposed the issue, but adding the standard CA bundle to the Docker image fixes the image-level problem and makes HTTPS/TLS backends work consistently.

@aawsome aawsome left a comment

Member

LGTM! Thanks a lot @alexma233

@aawsome

aawsome commented Jun 8, 2026

Member

In 0.11.3 the reqwest crate was updated to version 0.13. With this update, the certificates handling changed. Before we had certificates bundled within the binary, now we use the certificates from the OS.

@aawsome aawsome enabled auto-merge June 8, 2026 11:30
@aawsome aawsome added this pull request to the merge queue Jun 8, 2026
Merged via the queue into rustic-rs:main with commit 225fda9 Jun 8, 2026
30 checks passed
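
A build-time check for the failure discussed in this thread, as an added example that is not part of the PR or the rustic repository: it inspects an unpacked image root filesystem for the bundle path named in the PR and counts complete PEM certificate markers. The function names, return codes and sample bundle contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate an image build on the presence of a usable CA bundle.
# Unpack the image filesystem first (for instance with `docker export`),
# then point check_ca_bundle at the resulting directory.

# check_ca_bundle ROOTFS [BUNDLE_PATH]
# Return codes (chosen for this example): 0 ok, 1 missing, 2 symlink,
# 3 no complete certificate in the file.
check_ca_bundle() {
    rootfs=${1%/}
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}  # path named in the PR
    file="$rootfs$bundle"
    # Test -L first: an absolute symlink inside an unpacked rootfs would
    # resolve against the host and hide a dangling link in the image.
    if [ -L "$file" ]; then
        echo "FAIL: $bundle is a symlink; check its target inside the image" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $bundle not found" >&2
        return 1
    fi
    # grep -c exits 1 on zero matches but still prints 0.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: $bundle is empty or truncated ($begins BEGIN, $ends END)" >&2
        return 3
    fi
    echo "OK: $bundle contains $begins certificate(s)"
}

# make_sample_rootfs DIR COUNT: constructed test input, not real certificates.
make_sample_rootfs() {
    mkdir -p "$1/etc/ssl/certs"
    : > "$1/etc/ssl/certs/ca-certificates.crt"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----' >> "$1/etc/ssl/certs/ca-certificates.crt"
        i=$((i + 1))
    done
}

demo=$(mktemp -d)
make_sample_rootfs "$demo" 2
check_ca_bundle "$demo"
rm -rf "$demo"
```

The check only counts PEM markers; it does not parse the certificates or test that a TLS handshake succeeds.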
Development

Successfully merging this pull request may close these issues.

Official Docker image lacks CA certificates, causing HTTPS/S3 backends to panic