From f5b01c1e0eb342f6b34182753a355ca788e3a18a Mon Sep 17 00:00:00 2001
From: ryuhaneul <luj.moonlight@gmail.com>
Date: Mon, 27 Apr 2026 10:39:49 +0000
Subject: [PATCH] fix(docker): install ca-certificates in slim runtime base

Commit 2cd23957c0 ("build: use slim docker runtime") switched the
runtime image from `node:24-bookworm` (full) to `node:24-bookworm-slim`.
The slim base does not ship `ca-certificates`, and the runtime stage's
`apt-get install` line was not updated to add it.

Result on the resulting image:
- `/etc/ssl/certs/` is empty (`ls /etc/ssl/certs/ | wc -l` == 0)
- `dpkg -l ca-certificates` reports `un` (not installed)
- `update-ca-certificates` is missing in `$PATH` (exit 127)
- every HTTPS outbound from the gateway dies at TLS handshake with
  `error setting certificate file: /etc/ssl/certs/ca-certificates.crt`
- channel plugins that use `node fetch` (telegram/discord/slack)
  crash-loop with `Network request for 'deleteWebhook' failed!`
  and pin the gateway main thread at ~100% CPU on retry.

Verified by rebuilding the runtime image with this patch and
confirming inside the container:
- `ls /etc/ssl/certs/ | wc -l` -> 285
- `curl -4 https://api.telegram.org/` -> 302
- `curl -4 https://www.google.com/`   -> 200
- channel plugins (telegram/discord/slack) register cleanly,
  gateway main-thread CPU returns to idle.

Add `ca-certificates` to the apt-install list and call
`update-ca-certificates` to populate the CA bundle.

Signed-off-by: ryuhaneul <luj.moonlight@gmail.com>
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 747a185ec64..a296b3073a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -156,6 +156,10 @@ LABEL org.opencontainers.image.source="https://github.com/openclaw/openclaw" \
 WORKDIR /app
 
 # Install runtime system utilities missing from bookworm-slim.
+# `ca-certificates` ships in `bookworm` (full) but not in `bookworm-slim`,
+# so it must be installed explicitly here. Without it `/etc/ssl/certs/`
+# stays empty and every HTTPS outbound dies at TLS handshake with
+# `error setting certificate file`.
 RUN --mount=type=cache,id=openclaw-bookworm-apt-cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,id=openclaw-bookworm-apt-lists,target=/var/lib/apt,sharing=locked \
     apt-get update && \