I'm running into a strange problem with certificates that I can't figure out how to debug. When I run wget inside of a docker container on one specific server it cannot verify certificates. The same wget works fine on the server machine itself (outside docker) and it works inside that same docker container on different servers.
Here's the setup for the docker container:
    docker run --rm -ti debian:jessie bash
    apt-get update
    apt-get install wget
    wget https://google.com
The response is:
    converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
    --2016-06-22 14:22:02-- https://google.com/
    Resolving google.com (google.com)... 216.58.217.142, 2607:f8b0:4004:807::200e
    Connecting to google.com (google.com)|216.58.217.142|:443... connected.
    ERROR: The certificate of 'google.com' is not trusted.
    ERROR: The certificate of 'google.com' hasn't got a known issuer.
    The certificate's owner does not match hostname 'google.com'
Since this same process works on other servers, it seems like the problem could only be some certificate problem on that server itself. But I must be confused: why should the certificates on the server itself have anything to do with what's happening inside of the docker container?
I would really appreciate any insight into this, in particular any debugging steps I can take to understand the problem better.
It seems that the certificates are out of date inside the jessie image.
Try apt-get install ca-certificates before the wget.
Docker uses iptables.
If you have iptables rules set up, it's possible to direct EVERY https request to your own running server.
If you are, for example, running Jenkins locally and using iptables to redirect 443 to the default 8080 port, then all your container traffic to port 443 will be redirected to that local Jenkins server, which will be unable to verify your certificate. We ran into this problem when using Jenkins to build our docker images. Our Jenkins used iptables to get around running Jenkins as root.
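One way to check a host for the redirect described in the answer above (an added example, not part of the original answer): the function below reads `iptables-save` output and lists nat PREROUTING rules that rewrite the destination of TCP/443 traffic, marking those with no inbound-interface match, which also catch packets arriving from the Docker bridge. The function names and the sample ruleset are constructed for illustration.

```shell
# Constructed sample in `iptables-save` format (not taken from the page).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:8443
COMMIT
EOF
}

# Reads iptables-save output on stdin and prints one line per nat PREROUTING
# rule that rewrites the destination of TCP/443 traffic:
#   ALL-INTERFACES  no -i match, so packets coming from docker0 hit it too
#   SCOPED(<if>)    limited to (or, with "!", excluding) one inbound interface
# Only single-port "--dport 443" matches are handled, not ranges or multiport.
find_https_redirects() {
  awk '
    /^\*/ { table = substr($1, 2); next }
    table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
    {
      dport = ""; target = ""; iface = ""
      for (i = 3; i < NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
        if ($i == "-i")      iface = ($(i - 1) == "!" ? "!" : "") $(i + 1)
      }
      if (dport != "443") next
      if (target != "REDIRECT" && target != "DNAT") next
      scope = (iface == "") ? "ALL-INTERFACES" : "SCOPED(" iface ")"
      print scope ": " $0
    }
  '
}

# On a live host (as root): iptables-save | find_https_redirects
sample_rules | find_https_redirects
```

An `ALL-INTERFACES` line on the affected server, and none on the servers where the container works, would match the symptom in the question.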