为什么我在 Docker(mac)上安装软件包时出现 SSL 错误?
Why I get SSL errors while installing packages on Docker(on mac)?
我在 MacOS 上 运行ning Docker 通过 Docker 桌面,我在我的容器中安装包时遇到了很多麻烦,因为它无法验证任何SSL 证书。
例如,当我 运行 apk update 时,我得到这个错误:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied
当我尝试 bundle install:
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.
甚至是简单的卷曲 curl https://google.com.br:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
更新
即使我在容器内安装了 ca-certificates(如@β.εηοιτ.βε 所说),我仍然遇到相同的错误 SSL certificate problem: unable to get local issuer certificate。
将此行添加到 Docker 文件中,如 @β.εηοιτ.βε 所述:
RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl
这不是 Mac 相关的问题,您只是缺少容器中的根证书。
为了安装它们,您需要访问 Alpine 包存储库的 http 版本,否则您还会遇到获取此包的 SSL 问题:
RUN apk add \
--no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
ca-certificates
之后,您应该可以再次正常安装软件包了。
事实证明 β.εηοιτ.βε 的答案很好,但毕竟我并没有真正拥有解决问题所需的所有信息..
我必须使用 openssl 调用来跟踪 ca 证书链,使用以下命令:
openssl s_client -connect google.com:443
返回给我的是这个:
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = *.google.com
verify return:1
---
由此可以看出它正在尝试查找此 Zscaler 证书而不是 google 证书。我发现这是我们公司用来监视流量的拦截器。
有了这个,我能够找到这个 post which leads to this doc,它解释了如何在 mac 环境中将证书添加到 docker。
所以解决方案是将证书添加到系统中:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>
并将证书添加到 docker 并安装 ca-certificate,如 β.εηοιτ.βε 所述:
ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/
RUN apk add --no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
ca-certificates
RUN update-ca-certificates
我在 MacOS 上 运行ning Docker 通过 Docker 桌面,我在我的容器中安装包时遇到了很多麻烦,因为它无法验证任何SSL 证书。
例如,当我 运行 apk update 时,我得到这个错误:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied
当我尝试 bundle install:
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.
甚至是简单的卷曲 curl https://google.com.br:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
更新
即使我在容器内安装了 ca-certificates(如@β.εηοιτ.βε 所说),我仍然遇到相同的错误 SSL certificate problem: unable to get local issuer certificate。
将此行添加到 Docker 文件中,如 @β.εηοιτ.βε 所述:
RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl
这不是 Mac 相关的问题,您只是缺少容器中的根证书。
为了安装它们,您需要访问 Alpine 包存储库的 http 版本,否则您还会遇到获取此包的 SSL 问题:
RUN apk add \
--no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
ca-certificates
之后,您应该可以再次正常安装软件包了。
事实证明 β.εηοιτ.βε 的答案很好,但毕竟我并没有真正拥有解决问题所需的所有信息..
我必须使用 openssl 调用来跟踪 ca 证书链,使用以下命令:
openssl s_client -connect google.com:443
返回给我的是这个:
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = *.google.com
verify return:1
---
由此可以看出它正在尝试查找此 Zscaler 证书而不是 google 证书。我发现这是我们公司用来监视流量的拦截器。 有了这个,我能够找到这个 post which leads to this doc,它解释了如何在 mac 环境中将证书添加到 docker。
所以解决方案是将证书添加到系统中:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>
并将证书添加到 docker 并安装 ca-certificate,如 β.εηοιτ.βε 所述:
ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/
RUN apk add --no-cache \
--repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
ca-certificates
RUN update-ca-certificates