Docker: Include ca-certificates package (#679)

Author: Proximyst

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 - Docker: Use tini, [#678](https://github.com/grafana/grafana-image-renderer/pull/678), [Proximyst](https://github.com/Proximyst)
   - This fixes #677, reported by [@mbentley](https://github.com/mbentley). Thanks!
+- Docker: Include ca-certificates package, [#679](https://github.com/grafana/grafana-image-renderer/pull/679), [Proximyst](https://github.com/Proximyst)
+  - This fixes #676, reported by [@roock](https://github.com/roock). Thanks!
 
 ## 4.0.1, 4.0.2, 4.0.3 & 4.0.4 (2025-07-22)
 

Dockerfile

@@ -9,15 +9,18 @@ RUN echo 'cachebuster 2025-07-16' && apt-get update
 
 FROM debian-updated AS debs
 
-RUN apt-cache depends chromium chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash busybox util-linux openssl tini \
+RUN apt-cache depends chromium chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash busybox util-linux openssl tini ca-certificates \
     --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
     find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM debian:testing-slim AS ca-certs
 
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
-RUN update-ca-certificates --fresh
+RUN apt-get update
+RUN apt-cache depends ca-certificates \
+    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+RUN mkdir /dpkg && \
+    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM node:22-alpine AS build
 
@@ -34,14 +37,15 @@ LABEL maintainer="Grafana team <[email protected]>"
 LABEL org.opencontainers.image.source="https://github.com/grafana/grafana-image-renderer/tree/master/Dockerfile"
 
 COPY --from=debs /dpkg /
-COPY --from=ca-certs /etc/ssl/certs /etc/ssl/certs
+COPY --from=ca-certs /dpkg/usr/share/ca-certificates /usr/share/ca-certificates
 
 USER root
 SHELL ["/bin/busybox", "sh", "-c"]
 RUN /bin/busybox --install
 # Verify that the browser was actually installed.
 RUN /usr/bin/chromium --version
 RUN fc-cache -fr
+RUN update-ca-certificates --fresh
 USER nonroot
 
 ENV CHROME_BIN="/usr/bin/chromium"

devenv/docker/custom-ca/README.md

@@ -0,0 +1,3 @@
+Please note that the root CA here is not a production-ready one.
+It was generated by [mkcert](https://github.com/FiloSottile/mkcert).
+The value is not exactly secret.

devenv/docker/custom-ca/docker-compose.yaml

@@ -0,0 +1,21 @@
+services:
+  grafana:
+    build:
+      context: .
+      dockerfile: grafana.Dockerfile
+    ports:
+      - 3000:3000
+    environment:
+      GF_RENDERING_SERVER_URL: http://renderer:8081/render
+      GF_RENDERING_CALLBACK_URL: https://grafana:3000/
+      GF_LOG_FILTERS: rendering:debug
+      GF_ROOT_URL: https://grafana:3000/
+
+  renderer:
+    build:
+      context: .
+      dockerfile: renderer.Dockerfile
+    ports:
+      - 8081
+    environment:
+      ENABLE_METRICS: 'true'

devenv/docker/custom-ca/grafana.Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:edge AS builder
+
+WORKDIR /src
+RUN apk add --no-cache openssl
+
+COPY ./rootCA.pem ca.pem
+RUN openssl x509 -inform PEM -in ca.pem -out ca.crt
+
+FROM grafana/grafana-enterprise:latest
+
+COPY --from=builder /src/ca.crt /usr/local/share/ca-certificates/ca.crt
+COPY --chown=grafana ./grafana.localhost+1.pem /grafana.localhost.pem
+COPY --chown=grafana ./grafana.localhost+1-key.pem /grafana.localhost-key.pem
+
+USER root
+RUN update-ca-certificates --fresh
+USER grafana
+
+ENV GF_SERVER_PROTOCOL=https
+ENV GF_SERVER_CERT_FILE=/grafana.localhost.pem
+ENV GF_SERVER_CERT_KEY=/grafana.localhost-key.pem

devenv/docker/custom-ca/grafana.localhost+1-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDNX/E0QuKoqWg
+Z1/pdJKmFtNLh5+t7HKQLHjOWSSmmksDoQOSNyfgmRYQupoIm69aKTUF/FOheCkl
+V4/686z6YHn9+nn3B/zeEIrd9Vja4a+Fn1Wvwj+7ZkJ0N4iStIfWFxmvPeBun1N+
+ZD3d81xN3+CkNuXGMVM2D/iPRF9YpoK2hN4ECDMRpm9Wmt+td5D4ilbYfwx2twpO
+8PFIXGxEKcY72rvU5Zh1+6L2JExHEb+0Vy21zN34aWEQ0dxMd2el9NotsAMky02R
+7mHt6lfMS4ALyeRbgj4MY+Hg/fkq9KXyA3ialfVAaHanBTpfdzW008P7vZgHCfQw
+xL6PPSgfAgMBAAECggEATkx0Lk6nMXlhs8AjIXHnrIT1RZNlwg5YOWoNHr90yvqS
+YidAVnKXJShiSF2AkTlZEXH72aXHKboXzumbT85TsK3n4K6KI0Lp82xxNuxFMq5Z
+h+BML05b39/5gcIQnr+YyI/Fdpv8HIL9q3Gruw31FStaYKPAcEmylbm8OkLzd4vG
+T4xeqB0S1vW4M2SA2jigqJH0Wh85yJD97s7ezpSQNdzRq1MIbwyVelnNkH3m09vF
+w+7ee+GjupCKyS3edZn1AVGipmRm1vFHyJ1pVm6mGOszCkMbWJ1vccZNXMIhv/GT
+DZ8fNTG/bSTT5YzRC7yeBhLV+9imrxAHOGjVIFSbKQKBgQDMcAMYT23AuLCMagLu
+RmYZhML4xZhjFvz7TRKwiOm4Sq+JDAEQMnbnjpu2OSy3uBnNsCQ5BzWXzj/Q686r
+wg+yQhbXn/j2krvYcwB9hAm1qwclA3ByMTqrDj0Ff7idJ9SncZXaWJV3XCMEZlJz
+C4UKXbZqMDwowWsZPAitpdVnCwKBgQD0cZ+AnWEWIcGgktrOYpVyLoVwAv3/EP3x
+IYzIeJiCsVpNAEekRXKSVbX+7VWflcAjBjB1aPLXOE9a+Wf3/lH8RmvJHV6SOHGx
+qEWH5dxD5ydQuYD6nbvD92fHA0TFKONo9nV/mPL1b0nAGY++LYy72u2/ZsNFxMLv
+K089ujlfvQKBgQCPFn80DrP0xc/cF38BowhnKAMG99YW1MowYduI7+sV8EA4HczI
+t2l93NSjkBT6acK1smlH+QHLxLHp2oIGuYce7x7pwLASdNVBRAy9zSK2ooQXpfaY
+FljHzOls5d4jMPOoVtnZv1Kt/jEMLUnb994gSUMZw7T3mZkKSniQgZeBzQKBgC2e
+svzm4kKmJCPapHlWDrwTkJW6CTs8KZiCAWs8joH9pXOvdK9kwqAq3N9p3cv9v7EJ
+q6uN3ZxrBuxclZnD3fsuDVmoYIj7fcSBOhDFxljp3/2B0V90ZqGJH9YVdxUwr1hc
+fstEeTty/Jmca6Y7jANXNX2+KP1xXkwSkiRcB+8lAoGBAKv7PVoo0Wfn5/5ceLcS
+WIsDWizCr9uKICTTqpXgClk+YikKrnIPH9c31HNaRW/mScx4V9a9N/Ujw8jtear+
+MtJ6k+m+He+ewdzziRUNPNdBfr9mtGt76+5E0Nnet54BzRLlSHW7exo1XmE+Npi4
+394ZsqefwflOKwa2DOuSHZat
+-----END PRIVATE KEY-----

devenv/docker/custom-ca/grafana.localhost+1.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJjCCAo6gAwIBAgIQWjTcQFrcV4r3qRjXpW8ytDANBgkqhkiG9w0BAQsFADBl
+MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExHTAbBgNVBAsMFG1hcmll
+bGxAbWFyaWVsbC1hcmNoMSQwIgYDVQQDDBtta2NlcnQgbWFyaWVsbEBtYXJpZWxs
+LWFyY2gwHhcNMjUwNzIzMTExMzUzWhcNMjcxMDIzMTExMzUzWjBIMScwJQYDVQQK
+Ex5ta2NlcnQgZGV2ZWxvcG1lbnQgY2VydGlmaWNhdGUxHTAbBgNVBAsMFG1hcmll
+bGxAbWFyaWVsbC1hcmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+wzV/xNELiqKloGdf6XSSphbTS4efrexykCx4zlkkpppLA6EDkjcn4JkWELqaCJuv
+Wik1BfxToXgpJVeP+vOs+mB5/fp59wf83hCK3fVY2uGvhZ9Vr8I/u2ZCdDeIkrSH
+1hcZrz3gbp9TfmQ93fNcTd/gpDblxjFTNg/4j0RfWKaCtoTeBAgzEaZvVprfrXeQ
++IpW2H8MdrcKTvDxSFxsRCnGO9q71OWYdfui9iRMRxG/tFcttczd+GlhENHcTHdn
+pfTaLbADJMtNke5h7epXzEuAC8nkW4I+DGPh4P35KvSl8gN4mpX1QGh2pwU6X3c1
+tNPD+72YBwn0MMS+jz0oHwIDAQABo28wbTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAUY9jLFc5QNGlyXVo2ipyXIW6LW0Qw
+JQYDVR0RBB4wHIIRZ3JhZmFuYS5sb2NhbGhvc3SCB2dyYWZhbmEwDQYJKoZIhvcN
+AQELBQADggGBAG5EcJ9hOmkhUr+2P7YADg21AtqIlWWf+sjr7YGa71HjxFfzaCER
+p3F3TJYowOyAdGsNViyHsegVT6dcaV+T2BjGTAwW9tnHOLqvWJK8Y909jhuOPHoa
+CvelhHunYVO2uu7OO3nzhNKpdYUL8ktnc7XBh0+FlEHJMws1qjcr28CcK2eCeUn/
+MPW0fM98Zw6BH9crSVDZ34YUsQ+dlinZIKKS8SPZyp6j8rX0BypQULTobGiahIeo
+8OP31QkCSo5doTLX0jE8btDMOA4N8xx9ktV7jghSrAnf5j0iU/WjFZQj5TQvzj1d
+31/hgl5ZzgkwtjHG3LkAZP3Mnt+LLgmPM1mRYYjYb7ujEdCw0tfvwZEbmohSq6c0
+uH4DuKmzLPqSsHwL9CmmaBSGrervKg+6VQb8y9HT4eVDZa5uC7jvIyYYyRz8LTih
++YVCopqpQ1HGeKSHfWa6svDqC7XkJJF6KsOm2Hg5fspPAxFDimpFvEfhvBSpzTwZ
+hcv63JgkbGfRvg==
+-----END CERTIFICATE-----

devenv/docker/custom-ca/renderer.Dockerfile

@@ -0,0 +1,9 @@
+FROM mariell/test
+
+USER root
+COPY ./rootCA.pem rootCA.pem
+RUN mkdir -p /usr/share/ca-certificates/
+RUN openssl x509 -inform PEM -in rootCA.pem -out /usr/share/ca-certificates/rootCA.crt
+RUN update-ca-certificates --fresh
+
+USER nonroot

devenv/docker/custom-ca/rootCA-key.pem

@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQDTSQ6EKEq/DKiT
+EaVKLJey4TCfwPHKGkU7AJqEcZQUror46D2UbWroteTGsiAImoG3Ze9nI1SGhfUy
+ziHwPPIZdM3eLAfHW9+eZEG7j3sLAbeL1bG/eDNXLCPj//U13WH9jA9tdOlQyRex
+p1m+MIVlYDjR2d9+1XPvrNyGS2Lq2EGSKcCGI3ebZ67yxLQmyIjg8YFbPl8sLUCR
+PEaloz+WvRvSnmP4aI7ZDCXTsU+HU2v/z0L/919uhU00HW/NodTIHznR9In7EsoP
++rgboiCLykRRJ2iaLaE9L4zfdm59P557C6xHUguXvND+H8zeOiGAaWxms/FnsaAx
+Zk7AodCrSkHaBEBdHSbgKVHZoOVrHzZLjHGn5pPMKe0QmfDWO9WB0StMzx3FopXR
+WTwGtITdnM0xBM9Azd/zCUWLP7RWIFAyTpWJMIyMhqcK8pyrF/BVby+UzQGjtZsO
+hm/1a/EMttm84/pwmr6n/76DHvubRPftxWnmbHdvj5Ltc4dUISUCAwEAAQKCAYAv
+AFqFVb1DANrjVJKTjJX2ihfaAf8HuY5bEMhO3EFX1Hg/5NIGGc0llYkeFnP/1fcz
+SC7Yn8hm4JfqRGbSXYxx00UUvnDAjZSSVLU2tzVk/m3JYrFW6bNqGfyl9MOkxunM
+kILCE7bvbLyjnZneMEcMhTo+nJwWR/+xep/YFB8eJRt5G2ajsHIkFQ2bHd0Bn6yr
+da4UESz00+BALst8f3Ne4hS1ZtzQXtogOI6VqCUL8qfc0UuTS4FkQa0qAb5kXTJk
+DiqQBW8yr1N2RnQHfvNxztTK3QxFE6lXIew0Wj+afBje+J3LGbsAFGET1T800s7J
+4S1cvkF/t1ntZ0e0zsQm0xHXZN8llKI51dUPHjzkAIF+uKtbrtSmvqTPEYh2LMqQ
+GIlksRezFe8FrJcPvfpYF+tFezazokdIELoVSTPFC6XTxcW9Dbneiu2+2PCP1aJH
+c/TyJD2fDMInsQhGFGXq3UBNaEOVvi9nxX6irlNMr8uZySpOAhM8yW/zipYS4kEC
+gcEA7eetWU6ulAPtMfmskBHhIOy9PZ9hbnpHEgdZSuyunb+LxtL/dpcrXLHxCyWL
+bMgwliegoocymzBXQBt/HQ1ljLuiaGqZ/D3MQ/hNVjfXw3npCmswyxCP7tLGrxJr
+5all30B94Ywl6OQB6JBcQU2zHHCrEG5TQDn/vweiZgi8vdE/kA3OqebDrotfRxtf
+vLaalivKU98Di8+b+rhpdmeZQQ3Fu/XKDmP76io5zCk5Ati00Gp155stKJUgsAXu
+iRrxAoHBAONbD4y37AMDKmHBKITtI3eJ2JfGWCcnZUmQwy1QvAy9I4ZY753eU6cP
+12TYYfZMzz3ORIq+jh/YVWoCmr+LM04NO5MgVuDrlCl0547+koX+p0KsGE/Cdyry
+wKVxiwU8MDrJZ1FD1t1mjNJ5LRjp+ELluxlByqvn88ImgneHVgaOwWpeQBIq4ZqO
+foB88JqeMbanq7xaJUxyhYFI9ccNQ2MFOjyWcb1wh2QkUX2Tg9rmyY69uUX6wunZ
+MXIdX83hdQKBwGWXc20Zrm9Cpf2bUtdK60o2DjHMZ7zXtpW6UaUvIPn4G+ZRoAmy
+UDALRJWv+LQBYM4eKfh9p1yh7gBQPZ3YZK8OSTIxo4QVl67Gz6+rtRWib6OlVnbA
+odYoZ/PG+BBgoEIPtjGkuWOUSkRXsS2p0nyomEQx+JcKrW2UAwNzY7XjLzOC0ee3
+xYQ5u/wPcniRub27AXGDYG5Jv5/3NAH+B3HCQdgcA6bVh3PdiETorZHLnJsLe0Hm
+AAi+dfD094HQ4QKBwEimeouO4h38Tvi5zobbeC/kno+xU83/KsCdP6ElYVH4xndR
+yA/8UWLbDwsskfEwjjDDzuc/CQ9oA7NCbcyzYIuacuUKunhZDxlIQA5TjuK+gxgt
+Af/KtmXE+IZlh/T+TLMcVKWFNg29jVZcXmrNqQVHf8gMXAUes6fgwmQLnROvXmLt
+BzBG/5xx2D6arg/aaSxi29/uNmj9V2f+tnsK4/OqYfemY2YTpU/8wwWLs+CpStMQ
+ETopbUtomgJLHKgfWQKBwFC1gxBtQoZXPOZQfTwh/swtYl68g62/rritLNwZEfPz
+H+yKLSyQ1GpKGsVRKA6wSdZ0jWeEHrbp9hqHx/zrU180KZutPXT9csOWCWDXA9mr
+YwhUleVeFNmgg3WILrXLA1S5bv4xnCNkVg6et+2TkxkHJLshNdj7/S2nPSg2fpHR
+JxlY+fjpa8Bg0jkyiL/H2GqlPNsXuLpqN55VIuevPHsaeqmECJusooftJTokiPk0
+6gcrR5oywQcM9Rkm0q0Wtg==
+-----END PRIVATE KEY-----

devenv/docker/custom-ca/rootCA.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEmjCCAwKgAwIBAgIRAMRNuMhHFTVyfgiyNlw6KxUwDQYJKoZIhvcNAQELBQAw
+ZTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMR0wGwYDVQQLDBRtYXJp
+ZWxsQG1hcmllbGwtYXJjaDEkMCIGA1UEAwwbbWtjZXJ0IG1hcmllbGxAbWFyaWVs
+bC1hcmNoMB4XDTI1MDcyMzExMDYwNVoXDTM1MDcyMzExMDYwNVowZTEeMBwGA1UE
+ChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMR0wGwYDVQQLDBRtYXJpZWxsQG1hcmll
+bGwtYXJjaDEkMCIGA1UEAwwbbWtjZXJ0IG1hcmllbGxAbWFyaWVsbC1hcmNoMIIB
+ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA00kOhChKvwyokxGlSiyXsuEw
+n8DxyhpFOwCahHGUFK6K+Og9lG1q6LXkxrIgCJqBt2XvZyNUhoX1Ms4h8DzyGXTN
+3iwHx1vfnmRBu497CwG3i9Wxv3gzVywj4//1Nd1h/YwPbXTpUMkXsadZvjCFZWA4
+0dnfftVz76zchkti6thBkinAhiN3m2eu8sS0JsiI4PGBWz5fLC1AkTxGpaM/lr0b
+0p5j+GiO2Qwl07FPh1Nr/89C//dfboVNNB1vzaHUyB850fSJ+xLKD/q4G6Igi8pE
+USdomi2hPS+M33ZufT+eewusR1ILl7zQ/h/M3johgGlsZrPxZ7GgMWZOwKHQq0pB
+2gRAXR0m4ClR2aDlax82S4xxp+aTzCntEJnw1jvVgdErTM8dxaKV0Vk8BrSE3ZzN
+MQTPQM3f8wlFiz+0ViBQMk6ViTCMjIanCvKcqxfwVW8vlM0Bo7WbDoZv9WvxDLbZ
+vOP6cJq+p/++gx77m0T37cVp5mx3b4+S7XOHVCElAgMBAAGjRTBDMA4GA1UdDwEB
+/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRj2MsVzlA0aXJd
+WjaKnJchbotbRDANBgkqhkiG9w0BAQsFAAOCAYEACUCssPQi6vjLy0teBXx/TQPt
+Gvzmt9dNPxKh30yHnmoiOW1tfY8oUKkB+4IQdwGWEZ2JiVijF5yE5M6oCBeOxKmH
+fTrMppwmJx/UkGPrPjYilf92WTpL2iqRSTBcagVZQ8sbdPsexl/vpByHtS3LA5oC
+gFqnZgLI77UiZeEz4qjmRZg5JUiQxXmQ7smdBuQBwwq6guyn45I+w6YUcScM3H3J
+vRyGiH/S8T6MsU34OK6aH09y2aPTOLP+NR2tfSxY/6Ju27XtDzVLV47M5IvDH+IC
+tZq9fk28faeddMZs/PTR3h6gzn/+s78hh91SPa1JoWxHanlX4SMt/Qq853HyS/zf
+IVC8mlu7ZHDgNDZ/cPc2LjO6ryxqaohGjOamWdF1ssXeLOruXLgzV8sStlTWCtPN
+itPWFzeb1hWCvvaxk7xjT0EtdxUy2OWkT2thSzyw9gzHXDZZNoNN8jbC4viOXyif
+o5RW/XTnFnk14xFtnv5EnbufRBfs5fg0kgFzzNaz
+-----END CERTIFICATE-----