HTTPS in Alpine linux

Posted on March 1, 2017

Alpine Linux is a great Linux system (well, I am liking it more and more). It is minimal, very simple to use and learn, and in my experience, just works in ways that are important to me.

However, the trade-off for minimal is needing to add what you want to use.

An example of this is proper support for HTTPS/SSL with wget (or curl, etc), see here:

ᐅ docker run -it alpine /bin/sh
/ # wget -q https://github.com
wget: can't execute 'ssl_helper': No such file or directory
wget: error getting response: Connection reset by peer

Yes.. you could use wget --no-check-certificate (or --insecure with curl), but we’re more diligent than that.

Fortunately, this is easy to resolve. While many linux systems ship with packages like ca-certificates and openssl, Alpine doesn’t, so you need to add either one of those two.

Using ca-certificates:

ᐅ docker run -it alpine /bin/sh
/ # apk add --update ca-certificates wget
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/2) Installing ca-certificates (20161130-r0)
(2/2) Installing wget (1.18-r0)
Executing busybox-1.24.2-r12.trigger
Executing ca-certificates-20161130-r0.trigger
OK: 6 MiB in 13 packages

HTTPS should now work just fine:

/ # wget -q https://github.com
/ #

Note that installing ca-certificates (without including wget) won’t work:

ᐅ docker run -it alpine /bin/sh
/ # apk add --update ca-certificates
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/1) Installing ca-certificates (20161130-r0)
Executing busybox-1.24.2-r12.trigger
Executing ca-certificates-20161130-r0.trigger
OK: 6 MiB in 13 packages
/ #
/ # wget -q https://github.com
wget: can't execute 'ssl_helper': No such file or directory
wget: error getting response: Connection reset by peer

I’m still relatively new to Alpine, and otherwise not sure why (re)installing wget is needed here.

Interestingly, installing openssl will avoid the need to (re)install wget:

ᐅ docker run -it alpine /bin/sh
/ # apk add --update openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.4/community/x86_64/APKINDEX.tar.gz
(1/1) Installing openssl (1.0.2k-r0)
Executing busybox-1.24.2-r12.trigger
OK: 5 MiB in 12 packages
/ # wget -q https://github.com
/ #