WSL-Docker: curl: (60) SSL certificate problem: unable to get local issuer certificate

Question

After a PC reconfiguration I am unable to use Docker properly, since some curl commands are rejected due to SSL/TLS issues.

In just one example curl -vfsSL https://apt.releases.hashicorp.com/gpg returns the following error:

*   Trying 52.222.214.125:443...
* TCP_NODELAY set
* Connected to apt.releases.hashicorp.com (52.222.214.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

After some digging, I now now know that this issue also occurs within my WSL image, but not on host Windows OS. Hence, I believe this must be an issue that originates with my WSL setup, and not caused by Docker itself (?).

There are quite a few related questions on StackOverflow, but no solutions I found really apply to this case (and it is not an option to disable verification, which is quite frequently a suggested solution):

• Unable to resolve "unable to get local issuer certificate" using git on Windows with self-signed certificate
• curl: (60) SSL certificate problem: unable to get local issuer certificate
• PayPal IPN: unable to get local issuer certificate

FWIW I work at an enterprise, with IT-issued OS. Obviously that could be a source of error, but they are unable to help me debug this issue. One a colleague's PC, however, it works flawlessly.

Any ideas?

---

PC Setup:

• Windows 10 Enterprise
  • Version: 21H1
  • OS build: 19043.1645
  • Windows Feature Experience Pack: 120.2212.4170.0
• WSL 2 with Ubuntu-20.04
• Docker Desktop 4.7.1 (77678) with WSL 2 based engine

Answer 1

I had a similar problem at my company. The problem was that our firewall replaced the certificate. The certificate of the firewall was untrusted/unknown from within my wsl setup.

I solved the problem by exporting the firewall certificate from the windows certmanager (certmgr.msc).

The certificate was located at "Trusted Root Certification Authorities\Certifiactes"

Export the certificate as a DER coded x.509 and save it under e.g. "D:\eset.cer".

From within your WSL you can add the certificate with:

openssl x509 -inform DER -in /mnt/d/eset.cer -out ./eset.crt
sudo cp eset.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Answer 2

Lukas Benner answer works fine. If you want to find out which certificate is missing and needs to be added, use this.

openssl s_client -connect google.com:443 -CApath /etc/ssl/certs

This will show the certificate chain and you can track down which root certificate to include from your company.