I have a Linux-based Docker container, where if I do:
curl https://google.com
...then I get an error:
curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html
The same happens for any URL - it's not Google that's at fault.
The link referenced above suggests various solutions, none of which seem appropriate apart from perhaps the last one, which suggests updating the certificate store. But there are no instructions on how to do that (or at least, none that make sense to me).
Is that the right thing to do, and if so how?
UPDATE: as requested, here's the result of:
openssl s_client -showcerts -connect www.google.com:443
CONNECTED(00000003)
depth=3 DC = com, DC = forestroot, CN = SHA256RootCA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/CN=ssl-decrypt
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIIXIk3p8xOX/kwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLc3NsLWRlY3J5cHQwHhcNMTgxMjE5MDgxNzAwWhcNMTkwMzEzMDgxNzAwWjBo
...
tq0VAGIoj4+YhO6bktTq3alCRoLstJuuxjVdb1wRkH4YRi0I6ZAB1Cw+M8Lg+2eQ
KuEo
-----END CERTIFICATE-----
1 s:/CN=ssl-decrypt
i:/DC=com/DC=bgs/CN=SHA256IssueCA
-----BEGIN CERTIFICATE-----
MIIGzDCCBLSgAwIBAgITEQAADvB9T7mSaacwDQABAAAO8DANBgkqhkiG9w0BAQsF
ADBCMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDYmdzMRYw
...
1z9f/nkj2XTRyGeACoy0qRd5uXJHp1iGM27l3RFDR9OjrfPV56pOBUYWAlc9Nn+1
Vr3qUZrcCkROrmYisVF4jg==
-----END CERTIFICATE-----
2 s:/DC=com/DC=MyCompanyServer/CN=SHA256IssueCA
i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIH4zCCBcugAwIBAgITOQAAAAOa4wv9nnK0uQAAAAAAAzANBgkqhkiG9w0BAQsF
ADBIMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0
...
IomErcbcymIWBmN75PVMsk9EMyqDP394jG8+IOK+lVUVX4pxzhdd7eYbqTAwDE1X
bNWcZZkt/w==
-----END CERTIFICATE-----
3 s:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIQULxmYXGJ1aFIlIyCHA4NIzANBgkqhkiG9w0BAQsFADBI
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0cm9v
...
jQBLY0/KIjHywv66GhtVWpexgQcXrLxQP2VHW7eXpsylvwkNU5XNQYzHTB7u+w5C
VunfRLt/7mVWyURcwkOre38tVSByKR4=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/CN=ssl-decrypt
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6556 bytes and written 302 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 723D9976F985887CA5F256EE3C2E7B44B9C98A6B440AAF4E19564AE101F78D00
Session-ID-ctx:
Master-Key: C3D8759A753C1D269FF9C00854E59B8C10ABC1E94AFE9F0166486A649FE295ACE1AF5E5BEDB0129E557E781BC860D2FA
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1548690163
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
---
read:errno=0
What I gather from this is that there's certificate in this chain belonging to the company I'm working for (which I've renamed MyCompanyServer), and I imagine that's the issue.
Am I right in thinking that I need to install some sort of key for that certificate? This is all greek to me, so apologies for the newbie questions.
To suppress warnings from a self-signed certificate, the domain component of the ArcGIS Server URL must match the Common Name property of the certificate. To learn how to set this property, see Enabling SSL on ArcGIS Server.
Probably you don't have correct CA certificates available in the container, so TLS connections can't be verified.
Try to install ca-certificates
package (package may have a different name, it depends on the used distribution).
UPDATE:
Your company inspects TLS connections in the corporate network, so original certificates are replaced by your company certificates. You need to add your company CA certificate to root CA certificates.
Linux (Ubuntu, Debian):
/usr/local/share/ca-certificates/
sudo update-ca-certificates
If your host OS has already preconfigured CA certs correctly (company CA certs included), then you can just mount them as a volume to the container:
docker run \
-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
...
Typical CA certs locations:
/etc/ssl/certs/ca-certificates.crt
Debian/Ubuntu/Gentoo etc./etc/pki/tls/certs/ca-bundle.crt
Fedora/RHEL 6/etc/ssl/ca-bundle.pem
OpenSUSE/etc/pki/tls/cacert.pem
OpenELEC/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
CentOS/RHEL 7Okay I just added this statement and it works fine now.
CURLOPT_SSL_VERIFYPEER => 0,
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With