fix: set openssl ca trust store for php 7.2-8.0 images

carlalexander · carlalexander · commit ba6fdc1a76aa · 2026-03-30T11:19:37.000-04:00
diff --git a/runtime/php-72/Dockerfile b/runtime/php-72/Dockerfile
@@ -97,6 +97,7 @@ RUN ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/ymir/bin /tmp/l
     PHP_EXT_DIR=$(${INSTALL_DIR}/bin/php-config --extension-dir) && ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/lib/php/extensions/$(basename ${PHP_EXT_DIR}) /tmp/layer/lib
 RUN find /tmp/layer/ymir/bin -type f -exec strip --strip-all {} + || true && find /tmp/layer/lib -type f -name "*.so*" -exec strip --strip-unneeded {} + || true && find /tmp/layer/lib -type f -name "*.a" -delete && find /tmp/layer/lib -type f -name "*.la" -delete
 COPY shared/php.ini /tmp/layer/ymir/etc/php/php.ini
+COPY shared/99-openssl-ca-legacy.ini /tmp/layer/ymir/etc/php/conf.d/99-openssl-ca-legacy.ini
 COPY shared/php-fpm.conf /tmp/layer/ymir/etc/php-fpm.d/php-fpm.conf
 RUN sed -i '/extension=msgpack.so/d' /tmp/layer/ymir/etc/php/php.ini && \
     sed -i 's/^decorate_workers_output = /;decorate_workers_output = /' /tmp/layer/ymir/etc/php-fpm.d/php-fpm.conf && \
diff --git a/runtime/php-73/Dockerfile b/runtime/php-73/Dockerfile
@@ -97,6 +97,7 @@ RUN ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/ymir/bin /tmp/l
     PHP_EXT_DIR=$(${INSTALL_DIR}/bin/php-config --extension-dir) && ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/lib/php/extensions/$(basename ${PHP_EXT_DIR}) /tmp/layer/lib
 RUN find /tmp/layer/ymir/bin -type f -exec strip --strip-all {} + || true && find /tmp/layer/lib -type f -name "*.so*" -exec strip --strip-unneeded {} + || true && find /tmp/layer/lib -type f -name "*.a" -delete && find /tmp/layer/lib -type f -name "*.la" -delete
 COPY shared/php.ini /tmp/layer/ymir/etc/php/php.ini
+COPY shared/99-openssl-ca-legacy.ini /tmp/layer/ymir/etc/php/conf.d/99-openssl-ca-legacy.ini
 COPY shared/php-fpm.conf /tmp/layer/ymir/etc/php-fpm.d/php-fpm.conf
 RUN sed -i '/extension=msgpack.so/d' /tmp/layer/ymir/etc/php/php.ini
 
diff --git a/runtime/php-74/Dockerfile b/runtime/php-74/Dockerfile
@@ -97,6 +97,7 @@ COPY shared/copy-dependencies.php /tmp/copy-dependencies.php
 RUN ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/ymir/bin /tmp/layer/lib && ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/lib/php/extensions /tmp/layer/lib
 RUN find /tmp/layer/ymir/bin -type f -exec strip --strip-all {} + || true && find /tmp/layer/lib -type f -name "*.so*" -exec strip --strip-unneeded {} + || true && find /tmp/layer/lib -type f -name "*.a" -delete && find /tmp/layer/lib -type f -name "*.la" -delete
 COPY shared/php.ini /tmp/layer/ymir/etc/php/php.ini
+COPY shared/99-openssl-ca-legacy.ini /tmp/layer/ymir/etc/php/conf.d/99-openssl-ca-legacy.ini
 COPY shared/php-fpm.conf /tmp/layer/ymir/etc/php-fpm.d/php-fpm.conf
 
 FROM --platform=${DOCKER_PLATFORM} public.ecr.aws/lambda/provided:al2023-${CPU_ARCHITECTURE}
diff --git a/runtime/php-80/Dockerfile b/runtime/php-80/Dockerfile
@@ -97,6 +97,7 @@ COPY shared/copy-dependencies.php /tmp/copy-dependencies.php
 RUN ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/ymir/bin /tmp/layer/lib && ${INSTALL_DIR}/bin/php /tmp/copy-dependencies.php /tmp/layer/lib/php/extensions /tmp/layer/lib
 RUN find /tmp/layer/ymir/bin -type f -exec strip --strip-all {} + || true && find /tmp/layer/lib -type f -name "*.so*" -exec strip --strip-unneeded {} + || true && find /tmp/layer/lib -type f -name "*.a" -delete && find /tmp/layer/lib -type f -name "*.la" -delete
 COPY shared/php.ini /tmp/layer/ymir/etc/php/php.ini
+COPY shared/99-openssl-ca-legacy.ini /tmp/layer/ymir/etc/php/conf.d/99-openssl-ca-legacy.ini
 COPY shared/php-fpm.conf /tmp/layer/ymir/etc/php-fpm.d/php-fpm.conf
 
 FROM --platform=${DOCKER_PLATFORM} public.ecr.aws/lambda/provided:al2023-${CPU_ARCHITECTURE}
diff --git a/runtime/shared/99-openssl-ca-legacy.ini b/runtime/shared/99-openssl-ca-legacy.ini
@@ -0,0 +1,5 @@
+; Compatibility for legacy PHP 7.2-8.0 runtime images.
+; These builds can default to a custom OpenSSL CA path not present in the
+; final image, which breaks outbound TLS verification (HTTPS/STARTTLS).
+openssl.cafile=/etc/pki/tls/cert.pem
+openssl.capath=/etc/pki/tls/certs
diff --git a/runtime/test-image.sh b/runtime/test-image.sh
@@ -152,7 +152,21 @@ else
     echo "  [OK] No PHP startup warnings"
 fi
 
-# 8. PHP-FPM
+# 8. Generic TLS Crypto Validation
+TLS_OUTPUT=$(docker run --rm --platform "$PLATFORM" --entrypoint /opt/ymir/bin/php "$IMAGE" -r '$content=file_get_contents("https://www.google.com");if(false===$content){echo "tls_fetch_failed\n";exit(2);}echo "tls_fetch_ok\n";' 2>&1)
+TLS_STATUS=$?
+
+if [ "$TLS_STATUS" -eq 0 ] && echo "$TLS_OUTPUT" | grep -q "tls_fetch_ok"; then
+    echo "  [OK] Outbound TLS crypto succeeded"
+else
+    echo "  [FAIL] Outbound TLS crypto failed"
+    echo "--------------------------------------------------------------------------------"
+    echo "$TLS_OUTPUT"
+    echo "--------------------------------------------------------------------------------"
+    FAILED=1
+fi
+
+# 9. PHP-FPM
 FPM_BIN="/opt/ymir/bin/php-fpm"
 FPM_CONF="/opt/ymir/etc/php-fpm.d/php-fpm.conf"
 
