Docker Windows Composer ZScaler SSL Certificate Verify Failed
I'm running Docker Windows (linux containers) on a windows 10 enterprise box. I'm working with a Docker image based on Debian and my windows desktop is running ZScaler.

I was provided two certificate files (a root cert and an intermediate cert), which I installed by putting them into the /usr/local/share/ca-certificates directory, and running 'update-ca-certificates' which appears to install the certs.

When I attempt to run composer diag, I get the following output:

composer diag
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: [Composer\Downloader\TransportException] The "https://repo.packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: <Omitted
Dev Public Key Fingerprint: <Omitted
OK
Checking composer version:

  [Composer\Downloader\TransportException]
  The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  Failed to enable crypto
  failed to open stream: operation failed


diagnose

Can someone help me figure out how to get this working?

Lupien answered 29/4, 2020 at 0:0 Comment(2)
Why do you use your own certificates? getcomposer.org will never use any of your personal certificates -- Mathi
zscaler acts as an SSL proxy, enterprise requirement... it puts itself squarely between you and the outside world -- decrypts any outbound SSL traffic and re-encrypts it using a self-signed certificate -- or at least one signed by a non-trusted CA. So the inbound return SSL connection appears to be using a cert from an invalid CA and thus the error (that's my understanding)... getcomposer docs says it uses PHP settings... PHP says it uses the OS settings, also saying you shouldn't have to set this... see relevant link here: getcomposer.org/doc/06-config.md#cafile -- Lupien
In my case, the root certificate had not been installed properly... the certs provided by the enterprise had the name .crt for the intermediate and .cer for the root cert. update-ca-certificates wasn't picking up the cert named .cer. Renaming the root cert and re-running update-ca-certificates installed the root cert and fixed the issue.

Running the following command helped figure out the issue:

CONNECTED(00000003)
depth=2 DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify error:num=2:unable to get issuer certificate
issuer= DC = pvt, DC = my-enterprise, CN = ca-rootauth
verify return:1
depth=1 C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
issuer= DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
issuer= C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
   i:C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com

This revealed the root cert was not recognized as a valid CA and led me to list the certs recognized by openssl. I found the answer for that here: https://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates

Once I listed and verified that the ca-rootauth didn't exist in the CA trusted list, then it was just a matter of figuring out why the two (root and intermediate) worked differently...

Lupien answered 29/4, 2020 at 18:6 Comment(1)
This answer saved me. I was trying to install the Docker engine in my Ubuntu distribution running on WSL. The certificates are inspected by Zscaler. I installed the Zscaler root certificate using the *.cer extension. Each time I tried the installation, I'd receive the "unable to get local issuer certificate" error. When I renamed the certificate using the *.crt extension and updated ca-certificates, the installation worked flawlessly. Thanks! -- Ken
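As an added example that is not part of the answer above: a small POSIX shell helper that stages enterprise CA files into the directory update-ca-certificates scans, renaming each to .crt (the only extension it picks up) and converting binary DER files to PEM when openssl is available. The source and destination paths are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Debian's update-ca-certificates only reads *.crt files in
# /usr/local/share/ca-certificates and expects PEM, so a valid root cert
# shipped as "root.cer" is silently skipped. This helper normalizes names
# and encodings before the bundle is rebuilt.

# stage_ca_certs SRC DEST
#   Copies every certificate file in SRC to DEST as <basename>.crt in PEM
#   form. Returns non-zero if a file cannot be staged.
stage_ca_certs() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        name=${base%.*}          # strip .cer / .pem / .der / .crt
        out="$dest/$name.crt"
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            # Already PEM: the only problem is the file name.
            cp "$f" "$out" || return 1
            echo "PEM  $base -> $name.crt"
        elif command -v openssl >/dev/null 2>&1; then
            # Binary DER (typical for Windows-exported .cer): convert to PEM.
            openssl x509 -inform DER -in "$f" -out "$out" || return 1
            echo "DER  $base -> $name.crt"
        else
            echo "SKIP $base: not PEM and openssl is unavailable to convert" >&2
            return 1
        fi
    done
}

# staged_crt_count DEST
#   Prints how many *.crt files update-ca-certificates will actually see.
staged_crt_count() {
    n=0
    for f in "$1"/*.crt; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on the container (assumed paths):
#   stage_ca_certs /tmp/enterprise-certs /usr/local/share/ca-certificates \
#       && update-ca-certificates
```

After update-ca-certificates runs, the root should appear in /etc/ssl/certs/ca-certificates.crt and the "unable to get issuer certificate" line in the s_client output above should disappear.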
In my case I disabled "Internet Security" in ZScaler; that solved it for me.

Unveil answered 17/4 at 15:15 Comment(2)
Disabling Internet Security isn't an option for most corporate users, as it is imposed by Desktop / Network Security... -- Lupien
@Lupien just because it is not an option for you, does not mean it is not an option for others, just like it is a valid option for me. -- Unveil