How to fix "SSL certificate problem: self signed certificate in certificate chain" error?

Question

I have a Linux-based Docker container, where if I do:

curl https://google.com

...then I get an error:

curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html

The same happens for any URL - it's not Google that's at fault.

The link referenced above suggests various solutions, none of which seem appropriate apart from perhaps the last one, which suggests updating the certificate store. But there are no instructions on how to do that (or at least, none that make sense to me).

Is that the right thing to do, and if so how?

---

UPDATE: as requested, here's the result of:

openssl s_client -showcerts -connect www.google.com:443

CONNECTED(00000003)
depth=3 DC = com, DC = forestroot, CN = SHA256RootCA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/CN=ssl-decrypt
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIIXIk3p8xOX/kwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLc3NsLWRlY3J5cHQwHhcNMTgxMjE5MDgxNzAwWhcNMTkwMzEzMDgxNzAwWjBo
...
tq0VAGIoj4+YhO6bktTq3alCRoLstJuuxjVdb1wRkH4YRi0I6ZAB1Cw+M8Lg+2eQ
KuEo
-----END CERTIFICATE-----
 1 s:/CN=ssl-decrypt
   i:/DC=com/DC=bgs/CN=SHA256IssueCA
-----BEGIN CERTIFICATE-----
MIIGzDCCBLSgAwIBAgITEQAADvB9T7mSaacwDQABAAAO8DANBgkqhkiG9w0BAQsF
ADBCMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDYmdzMRYw
...
1z9f/nkj2XTRyGeACoy0qRd5uXJHp1iGM27l3RFDR9OjrfPV56pOBUYWAlc9Nn+1
Vr3qUZrcCkROrmYisVF4jg==
-----END CERTIFICATE-----
 2 s:/DC=com/DC=MyCompanyServer/CN=SHA256IssueCA
   i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIH4zCCBcugAwIBAgITOQAAAAOa4wv9nnK0uQAAAAAAAzANBgkqhkiG9w0BAQsF
ADBIMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0
...
IomErcbcymIWBmN75PVMsk9EMyqDP394jG8+IOK+lVUVX4pxzhdd7eYbqTAwDE1X
bNWcZZkt/w==
-----END CERTIFICATE-----
 3 s:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
   i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIQULxmYXGJ1aFIlIyCHA4NIzANBgkqhkiG9w0BAQsFADBI
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0cm9v
...
jQBLY0/KIjHywv66GhtVWpexgQcXrLxQP2VHW7eXpsylvwkNU5XNQYzHTB7u+w5C
VunfRLt/7mVWyURcwkOre38tVSByKR4=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/CN=ssl-decrypt
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6556 bytes and written 302 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 723D9976F985887CA5F256EE3C2E7B44B9C98A6B440AAF4E19564AE101F78D00
    Session-ID-ctx:
    Master-Key: C3D8759A753C1D269FF9C00854E59B8C10ABC1E94AFE9F0166486A649FE295ACE1AF5E5BEDB0129E557E781BC860D2FA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1548690163
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
read:errno=0

What I gather from this is that there's certificate in this chain belonging to the company I'm working for (which I've renamed MyCompanyServer), and I imagine that's the issue.

Am I right in thinking that I need to install some sort of key for that certificate? This is all greek to me, so apologies for the newbie questions.

Answer 1

Probably you don't have correct CA certificates available in the container, so TLS connections can't be verified.

Try to install ca-certificates package (package may have a different name, it depends on the used distribution).

---

UPDATE:

Your company inspects TLS connections in the corporate network, so original certificates are replaced by your company certificates. You need to add your company CA certificate to root CA certificates.

Linux (Ubuntu, Debian):

• copy company CA certificate to dir /usr/local/share/ca-certificates/
• run sudo update-ca-certificates

If your host OS has already preconfigured CA certs correctly (company CA certs included), then you can just mount them as a volume to the container:

docker run \
  -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
  ...

Typical CA certs locations:

• /etc/ssl/certs/ca-certificates.crt Debian/Ubuntu/Gentoo etc.
• /etc/pki/tls/certs/ca-bundle.crt Fedora/RHEL 6
• /etc/ssl/ca-bundle.pem OpenSUSE
• /etc/pki/tls/cacert.pem OpenELEC
• /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem CentOS/RHEL 7

Answer 2

Okay I just added this statement and it works fine now.

CURLOPT_SSL_VERIFYPEER => 0,