'Why I get SSL errors while installing packages on Docker(on mac)?
I am running Docker through Docker Desktop on a MacOS, and I am having a lot of trouble installing packages in my container because it is being unable to verify any ssl certificates.
When I run apk update for example, I get this error:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied
When I try a bundle install:
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.
And even a simple curl curl https://google.com.br:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Update
Even though I installed ca-certificates(as @β.εηοιτ.βε said) inside the container I still get the same error SSL certificate problem: unable to get local issuer certificate.
Added to the Dockerfile this line, as mentioned by @β.εηοιτ.βε:
RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl
Solution 1:[1]
It turns out ?.?????.?? answer was fine, but I didnt really have all the information I needed to solve my problem after all..
I had to use a openssl call to track the ca certificates chain, with this command:
openssl s_client -connect google.com:443
which returned me this:
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = *.google.com
verify return:1
---
With this it was possible to see it was trying to find this Zscaler certificate and not the google certificate. Which I discovered is an interceptor we use at our company to watch the traffic. With this I was able to find this post which leads to this doc, where it explains how to add the certificate to docker in a mac environment.
So the solution was adding the certificate to the system:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>
And adding the certificate to docker and installing ca-certificate as said by ?.?????.??:
ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/
RUN apk add --no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
ca-certificates
RUN update-ca-certificates
Solution 2:[2]
It is not a Mac related issue, you are just missing the root certificates in your container.
In order to have them installed, you need to get to an http version of the Alpine package repository, otherwise you will also get the SSL issue fetching this package:
RUN apk add \
--no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
ca-certificates
From there on, you should be able to install package normally again.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Rafael Costa |
| Solution 2 |