Why I get SSL errors while installing packages on Docker(on mac)?

4

8

I am running Docker through Docker Desktop on macOS, and I am having a lot of trouble installing packages in my container because it is unable to verify any SSL certificates.

When I run apk update for example, I get this error:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied

When I try a bundle install:

Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.

And even a simple curl https://google.com.br:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Update

Even though I installed ca-certificates (as @β.εηοιτ.βε said) inside the container I still get the same error: SSL certificate problem: unable to get local issuer certificate.

Added to the Dockerfile this line, as mentioned by @β.εηοιτ.βε:

RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl
Carlottacarlovingian answered 8/4, 2022 at 14:3 Comment(6)
To clarify, are these errors during the docker image build or are you running the commands from a shell within an existing container?Springy
Good question @Springy, these errors occur in either of these situations: both in the build and inside the shell it gives me the same error.Carlottacarlovingian
Thank you for the info, @Rafael Costa! From my experience, working with a Docker image base that is more than 5 years old can cause the curl: (60) error (e.g. curling a recently (sometime in 2022) updated tarball as part of a build based on Ubuntu 16.04). Would you mind editing your post to include the Dockerfile or at least the portion leading up to when this error arises, so that folks know the age of the ca-certificates?Springy
Okay @pcamach2, I did as β.εηοιτ.βε specified in his answer, and the image I am using to debug it is a node:16-alpine, the only things I install in the build is the ca-certificates and curl.Carlottacarlovingian
How did you install ca cert inside the container?Stipulation
I just added to the container and then installed inside of it. In my case it was the Zscaler so, I added the zscaler.crt to my project, then in the dockerfile I added the file to the local share like in the answer: ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/ but in some cases you may need some additional config like for npm/yarn you might need to add the certificate to the npm config, so you will have to run something like this inside the container: npm config set cafile <Path to Certificate>/ca-bundle.pemCarlottacarlovingian
11

It turns out β.εηοιτ.βε's answer was fine, but I didn't really have all the information I needed to solve my problem after all.

I had to use an openssl call to track the CA certificate chain, with this command:

openssl s_client -connect google.com:443

which returned this:

CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = *.google.com
verify return:1
---

With this it was possible to see it was trying to find this Zscaler certificate and not the Google certificate, which I discovered is an interceptor we use at our company to watch the traffic. With this I was able to find this post, which leads to this doc, where it explains how to add the certificate to Docker in a Mac environment.

So the solution was adding the certificate to the system:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>

And adding the certificate to Docker and installing ca-certificates as said by β.εηοιτ.βε:

ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/
RUN apk add --no-cache \
    --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
    ca-certificates
RUN update-ca-certificates
Carlottacarlovingian answered 13/5, 2022 at 12:2 Comment(2)
How to add above Zscaler cert in cluster?Stipulation
In my case I added to the DockerfileCarlottacarlovingian
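An added helper, not from the answer or its author, that parses the openssl s_client verify output quoted above and names the CA at the depth where verification failed, i.e. the certificate that must be added to the trust store. The two sample outputs are constructed, modelled on the quoted one, so the functions run offline.

```shell
# Constructed sample modelled on the s_client output quoted in the answer.
# The "verify error" right after depth=2 means the top of the presented chain
# (here the interception CA) is not in the local trust store.
SAMPLE_INTERCEPTED='CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net)
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = *.google.com
verify return:1
---'

# Constructed sample of a chain that verifies cleanly (no "verify error" line).
SAMPLE_OK='CONNECTED(00000003)
depth=2 C = US, O = Example Root CA, CN = Example Root
verify return:1
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = *.google.com
verify return:1
---'

# Read s_client output on stdin; print the CN of the certificate at the depth
# where verification first failed (error 20), or "none" if the chain verified.
untrusted_issuer() {
  awk '
    /^depth=/ { subject = $0 }
    /^verify error:num=20:/ {
      sub(/.*CN = /, "", subject)            # keep the text after "CN = "
      sub(/, [A-Za-z]+ = .*/, "", subject)   # drop attributes following the CN
      print subject; found = 1; exit
    }
    END { if (!found) print "none" }'
}

# Read s_client output on stdin; print "depth CN" for every certificate in the
# chain, so an interception CA shows up next to the real leaf certificate.
chain_subjects() {
  awk '
    /^depth=/ {
      depth = $1; sub(/^depth=/, "", depth)
      cn = $0; sub(/.*CN = /, "", cn); sub(/, [A-Za-z]+ = .*/, "", cn)
      print depth, cn
    }'
}

printf '%s\n' "$SAMPLE_INTERCEPTED" | untrusted_issuer
printf '%s\n' "$SAMPLE_INTERCEPTED" | chain_subjects
```

Against a live host, s_client writes the depth and verify lines to stderr, so feed it as `openssl s_client -connect google.com:443 </dev/null 2>&1 | untrusted_issuer`.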
7

It is not a Mac related issue, you are just missing the root certificates in your container.

In order to have them installed, you need to get to an http version of the Alpine package repository, otherwise you will also get the SSL issue fetching this package:

RUN apk add \
      --no-cache \
      --repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
      ca-certificates

From there on, you should be able to install packages normally again.

Cytolysin answered 8/4, 2022 at 17:40 Comment(2)
Hi @β.εηοιτ.βε, thanks for the response, your answer makes a lot of sense and I followed it, but even after installing the ca-certificates package I still get the error. The log:

/home/app # apk add ca-certificates
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
OK: 559 MiB in 92 packages
/home/app # curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
Carlottacarlovingian
My guess is corporate Zscaler enforces SSL tunneling over the HTTP protocol, which brings you back to square one. That's a good thing, downloading anything over insecure HTTP could be intercepted and modified on-the-fly by a threat actor (though checksum verification should mitigate that). As for this not being a MacOS issue, it's worth noting the solution might be. That's how I arrived here, I am looking for a MacOS solution to this certificate problem.Religiose
1

I was facing a similar issue with alpine and docker builds. Try disconnecting VPN or any internet security software. It will solve the issue. I was having Zscaler security on, so I was facing the same problem; once I turned it off it was working smoothly.

Pownall answered 20/12, 2022 at 6:26 Comment(0)
1

This may help some out there. Faced a similar issue on Docker on my Mac (work, so semi locked down). I used alpine version 3.12 (FROM alpine:3.12) and the issue went away (could be the versions of certs we have locally, but I needed a quick hack to keep going on a project). So maybe try each progressively earlier version of alpine. Obviously this doesn't solve it if you need a later version, and it may introduce security flaws from earlier builds.

Chroma answered 17/3, 2023 at 0:2 Comment(0)
