Connection to pkgs.tailscale.com fails due to an SSL certificate issue

I am trying to use a Dockerfile based on this guide:

But when I build the Docker image, the connection to pkgs.tailscale.com fails with an SSL certificate error:

Step 8/17 : RUN wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1
 ---> Running in bb3cd0069b47
Connecting to pkgs.tailscale.com (167.172.11.40:443)
ssl_client: pkgs.tailscale.com: certificate verification failed: format error in certificate's notBefore field
wget: error getting response: Connection reset by peer
The command '/bin/sh -c wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1' returned a non-zero code: 1
pi@raspberrypi:~/projects/tailscale $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 1.1.1.1

I see a connection failure when I use Quad9:

Step 8/17 : RUN wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1
 ---> Running in 0f4ea7fe9910
wget: bad address 'pkgs.tailscale.com'
The command '/bin/sh -c wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1' returned a non-zero code: 1
pi@raspberrypi:~/projects/tailscale $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 9.9.9.9

Same with Google DNS:

Step 8/17 : RUN wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1
 ---> Running in 3a0d777f7ef4
wget: bad address 'pkgs.tailscale.com'
The command '/bin/sh -c wget https://pkgs.tailscale.com/stable/${TSFILE} &&   tar xzf ${TSFILE} --strip-components=1' returned a non-zero code: 1
pi@raspberrypi:~/projects/tailscale $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 8.8.8.8

Is anyone else seeing this issue?

Is it possible there is some MITM device in between you and pkgs.tailscale.com?

You can examine the server’s certificate using:
openssl s_client -showcerts -servername pkgs.tailscale.com -connect pkgs.tailscale.com:443 </dev/null | openssl x509 -noout -dates

My output:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = pkgs.tailscale.com
verify return:1
DONE
notBefore=Aug 17 16:34:24 2021 GMT
notAfter=Nov 15 16:34:22 2021 GMT

I ran that command on my macOS and I see this output:

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = pkgs.tailscale.com
verify return:1
poll errornotBefore=Aug 17 16:34:24 2021 GMT
notAfter=Nov 15 16:34:22 2021 GMT

On the Raspberry Pi, I see this:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = pkgs.tailscale.com
verify return:1
DONE
notBefore=Aug 17 16:34:24 2021 GMT
notAfter=Nov 15 16:34:22 2021 GMT

The Raspberry Pi output seems to match what you see at your end, but the one on my macOS is different. :thinking:

I am trying to build the Docker image on my Raspberry Pi.

I do have AdGuard running on my macOS, which I believe installs a user certificate to perform HTTPS filtering. I can try disabling it on my macOS to see if it has any change on the Raspberry Pi.

I turned off AdGuard, even uninstalled it, but as I suspected it has no impact on how my Raspberry Pi works. AdGuard was installed only locally, on my macOS.

@DGentry When you get a chance, could you check if my Raspberry Pi output above looks okay? I am not familiar with reading this data. Thanks for taking a look!

My guess would be something is missing in the environment constructed by the Dockerfile which impacts certificate verification, since the Raspberry Pi sees a notBefore field in the s_client output which looks like it should be fine.

Maybe missing timezone definitions? If using Ubuntu within the Dockerfile that would be:
RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata
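
For the MITM question raised earlier in the thread, here is an added example (not code from any poster or from Tailscale) that compares the s_client output from two vantage points and checks a clock value against the leaf's validity window. The function names and the `now` parameter are assumptions made for illustration; the sample input is the output quoted above, abridged.

```python
import re
from datetime import datetime, timezone

# Sample input: the s_client outputs quoted in the thread, abridged
# ("verify return:1" lines dropped).
PI_OUTPUT = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = pkgs.tailscale.com
DONE
notBefore=Aug 17 16:34:24 2021 GMT
notAfter=Nov 15 16:34:22 2021 GMT
"""
MAC_OUTPUT = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = pkgs.tailscale.com
poll errornotBefore=Aug 17 16:34:24 2021 GMT
notAfter=Nov 15 16:34:22 2021 GMT
"""

def parse_s_client(text):
    """Return (chain subjects with the leaf first, leaf validity dates in UTC)."""
    chain = dict(re.findall(r"^depth=(\d+) (.+)$", text, re.M))
    dates = {k: datetime.strptime(v.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
             for k, v in re.findall(r"(notBefore|notAfter)=(.+)", text)}
    return [chain[d] for d in sorted(chain, key=int)], dates

def compare(a_text, b_text, now=None):
    """Compare two vantage points; `now` is the clock of the machine doing verification."""
    now = now or datetime.now(timezone.utc)
    (a_chain, a_dates), (b_chain, b_dates) = parse_s_client(a_text), parse_s_client(b_text)
    shared = min(len(a_chain), len(b_chain))
    return {
        # An interception proxy re-signs the leaf, so the issuers above it would differ.
        "chains_agree": a_chain[:shared] == b_chain[:shared],
        "extra_issuers": a_chain[shared:] + b_chain[shared:],
        "same_validity": a_dates == b_dates,
        # A clock outside the window makes verification fail regardless of the network path.
        "clock_in_window": a_dates["notBefore"] <= now <= a_dates["notAfter"],
    }

if __name__ == "__main__":
    for key, value in compare(PI_OUTPUT, MAC_OUTPUT).items():
        print(f"{key}: {value}")
```

For the two outputs in this thread, the chains agree up to ISRG Root X1 and the leaf dates are identical; the only difference is the extra DST Root CA X3 entry at the top of the chain on the Mac.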