curl suddenly unable to get local issuer certificate


I've been using Docker 1.7.1 with base Ubuntu 14.04 image and all of a sudden this curl:

curl -L -o sbt.tgz https://dl.bintray.com/sbt/native-packages/sbt/0.13.9/sbt-0.13.9.tgz

is failing me with the following error:

  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: http://curl.haxx.se/docs/sslcerts.html

  curl performs SSL certificate verification by default, using a "bundle"
   of Certificate Authority (CA) public keys (CA certs). If the default
   bundle file isn't adequate, you can specify an alternate file
   using the --cacert option.
  If this HTTPS server uses a certificate signed by a CA represented in
   the bundle, the certificate verification probably failed due to a
   problem with the certificate (it might be expired, or the name might
   not match the domain name in the URL).
  If you'd like to turn off curl's verification of the certificate, use
   the -k (or --insecure) option.

The CA in question (for dl.bintray.com) is GeoTrust CA G3, which I checked is being installed from the docker build log:

  Processing triggers for ca-certificates (20160104ubuntu0.14.04.1) ...
  Updating certificates in /etc/ssl/certs... 173 added, 0 removed; done.
  Running hooks in /etc/ca-certificates/update.d....
  ...
  Adding debian:GeoTrust_Global_CA.pem
  Adding debian:GeoTrust_Global_CA_2.pem
  Adding debian:GeoTrust_Primary_Certification_Authority.pem
  Adding debian:GeoTrust_Primary_Certification_Authority_-_G2.pem
  Adding debian:GeoTrust_Primary_Certification_Authority_-_G3.pem
  Adding debian:GeoTrust_Universal_CA.pem
  Adding debian:GeoTrust_Universal_CA_2.pem
  ...

I have no explanation as to how this stopped working. I tried manually from the container and the --insecure version works, though I don't want to use it.

Any thoughts on how to fix this, or how to get a reliable, updated CA authority to pass to the curl command, i.e. curl -c my_most_trusted_and_up_to_date_ca.pem ?

joao figueiredo

Posted 2016-02-26T12:01:46.927

Reputation: 31

Have you tried docker-machine regenerate-certs? – Purefan – 2016-02-26T12:07:02.513

@Purefan: unfortunately, this infrastructure is in AWS infrastructure, with their Amazon flavoured Linux, which comes without docker-machine. – joao figueiredo – 2016-02-26T12:27:30.863

Very odd one! It's consistent on my host/guest: the Docker 14.04 host works OK, the container does not. What's interesting is that it's not dl.bintray.com that it has the problem with; if you add '-v' to the curl command you can see that it's when it redirects to akamai.bintray.com that the problem occurs. – Rory McCune – 2016-02-26T20:56:43.493

The closest I could find on the docker issue list is this: https://github.com/docker/docker/issues/2011 – Rory McCune – 2016-02-26T20:57:17.150

Some more info. From my testing it's definitely a Docker issue: if you try to connect to the host akamai.bintray.com outside the container using the CA certs from inside the container, it works OK (same version of curl inside and out). – Rory McCune – 2016-02-26T21:42:02.227
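Error 60 from curl is OpenSSL's error 20, and it has two distinct causes that the comments above are circling: the trust bundle lacks the issuing root, or the server (here the akamai.bintray.com redirect target) sends its leaf without the intermediate. The following added example, which is not from the question or the comments, reproduces both offline with openssl(1) on a constructed chain; all CA and host names are made up.

```shell
#!/bin/sh
# Added example: reproduce curl error 60 / OpenSSL error 20 ("unable to get
# local issuer certificate") offline with a constructed chain. Made-up names.
set -eu
WORK=$(mktemp -d)

gen_chain() {
  # Two self-signed roots; `req -x509` marks them CA:TRUE via the default config.
  for name in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example $name CA" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  done
  # Intermediate CA issued by "root", explicitly marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf (server) certificate issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf BUNDLE [SENT]: the path validation curl performs. BUNDLE stands in
# for /etc/ssl/certs/ca-certificates.crt; SENT is the intermediate a server
# includes alongside its leaf (omitted = the server sent only its leaf).
# Prints openssl's verdict; returns 0 only when the chain validates.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
  fi
}

gen_chain
echo "1) root in bundle, intermediate sent by server:"
verify_leaf "$WORK/root.pem" "$WORK/int.pem"            # prints "<leaf.pem>: OK"
echo "2) root in bundle, server sent only its leaf:"
verify_leaf "$WORK/root.pem" || true                    # unable to get local issuer certificate
echo "3) server sent intermediate, bundle lacks the issuing root:"
verify_leaf "$WORK/other.pem" "$WORK/int.pem" || true   # unable to get local issuer certificate
```

Running verify_leaf with the container's /etc/ssl/certs/ca-certificates.crt as the bundle and the chain a real server presents (saved from openssl s_client -showcerts) tells you which of the two cases a live failure is.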

No answers