Menu
I have a Ubuntu 18.04 server behind a coporate proxy.
I set the http_proxy and https_proxy environment variable.
The server is running Docker 19.03 which is also configured to use the http_proxy and https_poxy.
If a run docker run -it ubuntu:18.04, inside the container, I can do an apt updateand apt install curl -y
Then I can do something like curl www.google.com.
But it is not working with https :
root@1b6abfb4ff90:/# curl -v -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0* Trying 10.30.88.14...
* TCP_NODELAY set
* Connected to xxx (10.30.88.14) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to raw.githubusercontent.com:443
> CONNECT raw.githubusercontent.com:443 HTTP/1.1
> Host: raw.githubusercontent.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connected
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [91 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2741 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Outside of the container, it's working fine. I also tried exactly the same on another server that is not behind a proxy and it's working inside the container.
So I suppose it is a configuration problem of the docker deamon. Or maybe I'm wrong ... What would be the solution ?
321
You need to install SSL certificates into the Ubuntu container. For example, on a running instance, you can do:
apt-get update
apt-get install ca-certificates
Then, all your HTTPs connections can be validated with the local copy of CA Root Certificates.
For production deployments, this command should be in a Dockerfile:
RUN \
apt-get update && \
apt-get install ca-certificates && \
apt-get clean
It's possible that your proxy has an untrusted certificate. You can add it to the bundle, or tell curl not to check proxy's certificate with curl --proxy-insecure.
From https://curl.se/docs/sslcerts.html :
Since version 7.52.0, curl can do HTTPS to the proxy separately from the connection to the server. This TLS connection is handled separately from the server connection so instead of --insecure and --cacert to control the certificate verification, you use --proxy-insecure and --proxy-cacert. With these options, you make sure that the TLS connection and the trust of the proxy can be kept totally separate from the TLS connection to the server.
173
Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem , better way will be add a step in the dockerfile to install the certificate as part of the build step.
Follow the steps to install
sudo update-ca-certificates
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
