From 8e51fafb3ae3bff73f47454867fbd0de6f7ea67d Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Fri, 17 Apr 2026 14:44:46 +0800
Subject: [PATCH] fix(ci): use HTTP for Hetzner apt mirror (base image lacks ca-certificates) Previous commit switched to https://mirror.hetzner.com/... which proved the mirror is reachable and routes correctly (no more 90s timeouts), but exposed a chicken-and-egg: ubuntu:24.04 ships without ca-certificates, and that's exactly the package we're installing. Result: "No system certificates available. Try installing ca-certificates." Fix: use http:// for the Hetzner mirror. Apt's security model verifies package integrity via GPG-signed Release files, not TLS, so HTTP here is no weaker than the upstream defaults (Ubuntu's official sources also default to HTTP for the same reason). Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/docker/Dockerfile.ci | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 516e4893..43e505e5 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -4,15 +4,20 @@ FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
-# Switch apt sources to Hetzner's public mirror over HTTPS.
+# Switch apt sources to Hetzner's public mirror.
 # Ubicloud runners (Hetzner FSN1-DC21) hit reliable connection timeouts to
 # archive.ubuntu.com:80 — observed 90+ second outages on multiple builds.
 # Hetzner's mirror is publicly accessible from any cloud and route-local for
 # Ubicloud, so this fixes both reliability and latency. Ubuntu 24.04 uses
 # the deb822 sources format at /etc/apt/sources.list.d/ubuntu.sources.
+#
+# Using HTTP (not HTTPS) intentionally: the base ubuntu:24.04 image ships
+# without ca-certificates, so HTTPS apt fails with "No system certificates
+# available." Apt's security model verifies via GPG-signed Release files,
+# not TLS, so HTTP here is no weaker than the upstream defaults.
 RUN sed -i \
- -e 's|http://archive.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
- -e 's|http://security.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
+ -e 's|http://archive.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
+ -e 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
 /etc/apt/sources.list.d/ubuntu.sources
 # System deps (retry apt-get update — even Hetzner can blip occasionally)
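Review bot: The rewritten `-e` substitutions still give no signal when they match nothing, so a base image whose sources do not point at archive.ubuntu.com or security.ubuntu.com (the arm64 ubuntu:24.04 image appears to use ports.ubuntu.com, for example) silently keeps the slow upstream path this step exists to avoid; adding `&& grep -q 'mirror.hetzner.com' /etc/apt/sources.list.d/ubuntu.sources` after the sed would fail the build loudly instead. The new comment's security claim is correct for integrity but worth qualifying, since over HTTP apt has only the Release signature for integrity and only a Valid-Until field, where the mirror's Release file carries one, for freshness; a proposed rewording is `# not TLS, so HTTP here is no weaker than the upstream defaults for integrity (TLS would only add confidentiality of which packages are fetched).` Because the comment notes that ca-certificates is the very package this image installs, consider flipping the mirror back to https in the same RUN that installs it (that RUN lies outside this hunk), e.g. `sed -i 's|http://mirror.hetzner.com|https://mirror.hetzner.com|g' /etc/apt/sources.list.d/ubuntu.sources`, so every later apt call in the CI image uses TLS.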