From d5652bbc56d7d4b1c7dd9049fbb798cb9e5cf7a3 Mon Sep 17 00:00:00 2001
From: mpjunior92
Date: Tue, 19 May 2026 20:18:01 -0300
Subject: [PATCH 1/2] fix: ship CA bundle in layered image for kms-client TLS

The kms-client binary copied into the layered image makes HTTPS calls to userapi-compute*.eigencloud.xyz/v2/attestation, but the layered image only inherits whatever CA store the user's base image happens to ship. Minimal bases (alpine without ca-certificates, scratch, distroless, custom slim images) lack one, causing kms-client to fail the TLS handshake with x509: certificate signed by unknown authority. Attestation upload is silently abandoned (29 retries, then logged as ERROR but non-fatal); the workload still starts but its attestation never reaches the user API and the verify dashboard shows "No attestations available." Parity with the compute-tee and ecloud-platform fixes landing in parallel. Fix: copy alpine 3.20.10's CA bundle to /usr/local/share/eigenx-ca-certs.crt in the layered image, and prefix the kms-client invocation in compute-source-env.sh with SSL_CERT_FILE pointing at that path. The user's /etc/ssl/ is never touched; the env-var override is scoped to the single kms-client process. Alpine pinned to 3.20.10 for reproducibility.
---
 .../sdk/src/client/common/templates/Dockerfile.layered.tmpl | 5 +++++
 .../src/client/common/templates/compute-source-env.sh.tmpl | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/sdk/src/client/common/templates/Dockerfile.layered.tmpl b/packages/sdk/src/client/common/templates/Dockerfile.layered.tmpl
index c256f0b1..ef641ea7 100644
--- a/packages/sdk/src/client/common/templates/Dockerfile.layered.tmpl
+++ b/packages/sdk/src/client/common/templates/Dockerfile.layered.tmpl
@@ -11,6 +11,11 @@ USER root
 {{/if}}
 
 # Copy core TEE components
+# CA bundle for kms-client / tls-keygen to validate HTTPS calls to
+# eigencloud.xyz endpoints. Bundled at a non-standard path and consumed
+# only via SSL_CERT_FILE in compute-source-env.sh, so the user's
+# /etc/ssl/ is never touched.
+COPY --from=alpine:3.20.10 /etc/ssl/certs/ca-certificates.crt /usr/local/share/eigenx-ca-certs.crt
 COPY compute-source-env.sh /usr/local/bin/
 COPY kms-client /usr/local/bin/
 COPY kms-signing-public-key.pem /usr/local/bin/
diff --git a/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl b/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
index 3b7409d6..3057faf3 100644
--- a/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
+++ b/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
@@ -3,7 +3,7 @@ echo "compute-source-env.sh: Running setup script..."
 
 # Fetch and source environment variables from KMS
 echo "Fetching secrets from KMS..."
-if /usr/local/bin/kms-client \
+if SSL_CERT_FILE=/usr/local/share/eigenx-ca-certs.crt /usr/local/bin/kms-client \
 --kms-server-url "{{kmsServerURL}}" \
 --kms-signing-key-file /usr/local/bin/kms-signing-public-key.pem \
 --userapi-url "{{userAPIURL}}" \
From 85017963dfdf02ad339061be23ae1d12ea8a39e8 Mon Sep 17 00:00:00 2001
From: mpjunior92
Date: Tue, 19 May 2026 21:00:34 -0300
Subject: [PATCH 2/2] fix: also wrap tls-client/tls-keygen invocation with SSL_CERT_FILE

Per code review: the layered Dockerfile comment says the bundle is for both kms-client and tls-client, but only the kms-client invocation got the SSL_CERT_FILE prefix. tls-client/tls-keygen makes ACME calls and HTTPS callbacks to the user API for cert persistence, which would hit the same x509 failure on minimal user base images. Apply the same process-scoped override to that invocation.
---
 .../sdk/src/client/common/templates/compute-source-env.sh.tmpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

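Review bot: The trust store every later TLS decision depends on is fetched through the mutable tag `alpine:3.20.10`, so `COPY --from` takes whatever that tag resolves to at build time and the reproducibility the commit message claims does not hold for the CA bundle itself. Pinning by digest closes that gap: `COPY --from=alpine:3.20.10@sha256:<DIGEST-PLACEHOLDER> /etc/ssl/certs/ca-certificates.crt /usr/local/share/eigenx-ca-certs.crt`. The bundle is also frozen at this alpine release, so roots that expire or are distrusted later are never refreshed; a sentence in the new comment such as `# Refresh the pinned alpine release periodically so the bundle tracks Mozilla root changes.` records that obligation for the next maintainer.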
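Review bot: Nothing verifies that `/usr/local/share/eigenx-ca-certs.crt` exists before the new `SSL_CERT_FILE=` prefix points kms-client at it, and the `x509: certificate signed by unknown authority` text quoted in the commit message suggests a Go TLS stack, which on Linux appears to fall back to the default system locations when the named file cannot be read — so a missing bundle (stale Dockerfile template, path typo) would reproduce the original failure with nothing in the log pointing at the cause. A one-line guard ahead of the `if`, `[ -s /usr/local/share/eigenx-ca-certs.crt ] || echo "compute-source-env.sh: WARNING - CA bundle not found at /usr/local/share/eigenx-ca-certs.crt" >&2`, makes that case visible without changing the retry behaviour. The same guard covers the tls-keygen invocation added in the second patch, since both read the same file.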
diff --git a/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl b/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
index 3057faf3..2eee349a 100644
--- a/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
+++ b/packages/sdk/src/client/common/templates/compute-source-env.sh.tmpl
@@ -61,7 +61,8 @@ setup_tls() {
 echo "compute-source-env.sh: Obtaining TLS certificate using $challenge challenge..."
 
 # Pass the API URL for certificate persistence
- if ! MNEMONIC="$mnemonic" DOMAIN="$domain" API_URL="{{userAPIURL}}" /usr/local/bin/tls-keygen \
+ if ! SSL_CERT_FILE=/usr/local/share/eigenx-ca-certs.crt \
+ MNEMONIC="$mnemonic" DOMAIN="$domain" API_URL="{{userAPIURL}}" /usr/local/bin/tls-keygen \
 -challenge "$challenge" \
 $staging_flag; then
 echo "compute-source-env.sh: ERROR - Failed to obtain TLS certificate"
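Review bot: The bundle path is now a bare literal in three places — the Dockerfile `COPY`, the kms-client prefix and this tls-keygen prefix — so any future move of the file has to be made in lockstep or one invocation silently loses its trust store. Within this script, defining it once near the top, `EIGENX_CA_BUNDLE=/usr/local/share/eigenx-ca-certs.crt`, and writing `SSL_CERT_FILE="$EIGENX_CA_BUNDLE" \` here and in the kms-client call keeps the two invocations in agreement. The `# Pass the API URL for certificate persistence` comment no longer describes the whole prefix; extending it to `# Pass the API URL for certificate persistence; SSL_CERT_FILE scopes the bundled CA store to this one process` records why the env var is set inline rather than exported. `setup_tls` begins and ends outside the hunk.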