I've been using Docker 1.7.1 with base Ubuntu 14.04 image and all of a sudden this curl:
curl -L -o sbt.tgz https://dl.bintray.com/sbt/native-packages/sbt/0.13.9/sbt-0.13.9.tgz
is failing me with the following error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The CA in question (for dl.bintray.com) is GeoTrust CA G3, which I checked is being installed from the docker build log:
Processing triggers for ca-certificates (20160104ubuntu0.14.04.1) ...
Updating certificates in /etc/ssl/certs... 173 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
...
Adding debian:GeoTrust_Global_CA.pem
Adding debian:GeoTrust_Global_CA_2.pem
Adding debian:GeoTrust_Primary_Certification_Authority.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G2.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G3.pem
Adding debian:GeoTrust_Universal_CA.pem
Adding debian:GeoTrust_Universal_CA_2.pem
...
I have no explanation as to how this stopped working.
I tried manually from the container and the --insecure version works, though I don't want to use it.
Any thoughts on how to fix this, or get a reliable update CA authority to pass to the curl command, i.e. curl -c my_most_trusted_and_up_to_date_ca.pem?
have you tried docker-machine regenerate-certs? – Purefan – 2016-02-26T12:07:02.513
@Purefan: unfortunately, this infrastructure is in AWS infrastructure, with their Amazon flavoured Linux, which comes without docker-machine. – joao figueiredo – 2016-02-26T12:27:30.863
very odd one! it's consistent on my host/guest, host Docker 14.04 host works ok, container does not. What's interesting is that it's not dl.bintray.com that it has the problem with if you add '-v' to the curl command you can see that it's when it redirects to akamai.bintray.com that the problem occurs – Rory McCune – 2016-02-26T20:56:43.493
the closest I could find on the docker issue list is this https://github.com/docker/docker/issues/2011 – Rory McCune – 2016-02-26T20:57:17.150
Some more info. from my testing it's definitely a docker issue, if you try to connect to the host akamai.bintray.com outside the container using the ca certs from inside the container, it works ok (same version of curl inside and out) – Rory McCune – 2016-02-26T21:42:02.227
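The observation in the comments, that verification only fails after the redirect to akamai.bintray.com, can be read straight out of a `curl -v` trace. The following is an added example, not part of the original thread: it attributes each verification result to the host of the connection it happened on. The function names and the sample trace (addresses, redirect path) are constructed for illustration.

```shell
#!/bin/sh
# hop_report: read `curl -v` stderr on stdin and print one line per
# connection curl opened: "<host> <ok|FAILED|unknown> [reason]".
hop_report() {
    awk '
    function emit() {
        if (host != "") print host " " state (reason != "" ? " " reason : "")
        host = ""
    }
    { sub(/\r$/, "") }                    # header lines carry a trailing CR
    /^\* Connected to / {                 # a new connection starts a new hop
        emit(); host = $4; state = "unknown"; reason = ""
    }
    /SSL certificate verify ok/ { state = "ok" }
    /SSL certificate problem: / {         # verification error for this hop
        state = "FAILED"; reason = $0
        sub(/^.*SSL certificate problem: /, "", reason)
    }
    END { emit() }'
}

# failing_hop: print only the first host whose certificate failed to verify.
failing_hop() {
    hop_report | awk '$2 == "FAILED" && !seen++ { print $1 }'
}

# Constructed trace shaped like `curl -L -v` output for the case described
# above: the first host verifies, the redirect target does not.
sample_trace() {
    cat <<'EOF'
* Connected to dl.bintray.com (192.0.2.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
*  SSL certificate verify ok.
> GET /sbt/native-packages/sbt/0.13.9/sbt-0.13.9.tgz HTTP/1.1
< HTTP/1.1 302 Found
< Location: https://akamai.bintray.com/constructed-path
* Issue another request to this URL: 'https://akamai.bintray.com/constructed-path'
* Connected to akamai.bintray.com (192.0.2.20) port 443 (#1)
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
EOF
}

sample_trace | hop_report
```

Against a live container the same report comes from `curl -sSLv -o /dev/null <url> 2>&1 | hop_report`, optionally with `--cacert` to test a specific bundle.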