curl certificate fail in docker container

I have an Ubuntu 18.04 server behind a corporate proxy.

I set the http_proxy and https_proxy environment variable.

The server is running Docker 19.03, which is also configured to use the http_proxy and https_proxy.

If I run docker run -it ubuntu:18.04, inside the container I can do an apt update and apt install curl -y.

Then I can do something like curl www.google.com.

But it is not working with https:

root@1b6abfb4ff90:/# curl -v -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     
0*   Trying 10.30.88.14...
* TCP_NODELAY set
* Connected to xxx (10.30.88.14) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to raw.githubusercontent.com:443
> CONNECT raw.githubusercontent.com:443 HTTP/1.1
> Host: raw.githubusercontent.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connected
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [91 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2741 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Outside of the container, it's working fine. I also tried exactly the same on another server that is not behind a proxy and it's working inside the container.

So I suppose it is a configuration problem of the docker daemon. Or maybe I'm wrong... What would be the solution?

tweetysat asked Oct 11 '19 09:10


2 Answers

You need to install SSL certificates into the Ubuntu container. For example, on a running instance, you can do:

apt-get update
apt-get install ca-certificates

Then, all your HTTPS connections can be validated with the local copy of CA Root Certificates.

For production deployments, this command should be in a Dockerfile:

RUN \
  apt-get update && \
  apt-get install -y ca-certificates && \
  apt-get clean

Edit

It's possible that your proxy has an untrusted certificate. You can add it to the bundle, or tell curl not to check the proxy's certificate with curl --proxy-insecure.

From https://curl.se/docs/sslcerts.html:

Since version 7.52.0, curl can do HTTPS to the proxy separately from the connection to the server. This TLS connection is handled separately from the server connection so instead of --insecure and --cacert to control the certificate verification, you use --proxy-insecure and --proxy-cacert. With these options, you make sure that the TLS connection and the trust of the proxy can be kept totally separate from the TLS connection to the server.

emi answered Oct 12 '22 20:10


Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem; a better way would be to add a step in the Dockerfile to install the certificate as part of the build.

Follow these steps to install it:

  1. Download the file from https://curl.haxx.se/ca/cacert.pem
  2. Rename the file as cacert.crt
  3. Copy the file to /usr/local/share/ca-certificates/
  4. Run the command sudo update-ca-certificates
Soumen Mukherjee answered Oct 12 '22 21:10
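A shell function, added here as an example and not part of either answer, that generalizes the four steps above and the Dockerfile approach in the first answer: it checks that the file really is a PEM certificate (a stray key or DER file would be silently ignored by update-ca-certificates), copies it under the Debian/Ubuntu trust directory with the .crt suffix update-ca-certificates requires, and rebuilds the bundle. The function name install_ca_cert, the CA_DIR default and the optional destination argument are assumptions for this example.

```shell
#!/bin/sh
# Install a corporate proxy CA into the container trust store so curl
# (via /etc/ssl/certs/ca-certificates.crt) can verify the proxy's
# intercepting certificate instead of needing --proxy-insecure.
set -eu

# Assumption: Debian/Ubuntu trust-store layout (as in the steps above).
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"

# install_ca_cert <pem-file> [dest-dir]
# Copies the certificate as <name>.crt into dest-dir (default CA_DIR);
# update-ca-certificates only picks up files ending in .crt.
# Prints the installed path on success, returns 1 on a bad input file.
install_ca_cert() {
    pem="$1"
    dest="${2:-$CA_DIR}"
    # Reject anything that is not PEM-encoded certificate data.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || {
        echo "not a PEM certificate: $pem" >&2
        return 1
    }
    # If openssl is available, make sure the certificate actually parses.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$pem" -noout >/dev/null 2>&1 || {
            echo "cannot parse certificate: $pem" >&2
            return 1
        }
    fi
    # Keep the base name, swap the extension for .crt (step 2 above).
    name="$(basename "$pem" | sed 's/\.[^.]*$//').crt"
    mkdir -p "$dest"
    cp "$pem" "$dest/$name"
    chmod 0644 "$dest/$name"
    # Rebuild the system bundle only when writing to the real trust dir
    # (step 4 above); needs root, as in a Dockerfile RUN step.
    if [ "$dest" = /usr/local/share/ca-certificates ] \
        && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
    echo "$dest/$name"
}
```

In a Dockerfile this is `COPY corp-proxy-ca.pem /tmp/` followed by a `RUN` that sources the function and calls `install_ca_cert /tmp/corp-proxy-ca.pem`, after `apt-get install -y ca-certificates` so the update-ca-certificates tool exists.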