Clone step fails due to missing local corporate CA #158

Open
brbecker opened this issue May 24, 2021 · 2 comments

@brbecker

While running the first step of the tutorial after a fresh install of Docker Desktop, I ran into the following error:

docker run --name repo alpine/git clone https://github.com/docker/getting-started.git
Cloning into 'getting-started'...
fatal: unable to access 'https://github.com/docker/getting-started.git/': SSL certificate problem: unable to get local issuer certificate

It looks like this happens because our corporate CA cert is not being copied into the alpine/git container.

As a workaround, using the command below worked for me.

docker run --name repo alpine/git -c http.sslVerify=false clone https://github.com/docker/getting-started.git

@brbecker

In Step 2 (Build), there were more certificate errors from pip.

[base 4/4] RUN pip install -r requirements.txt:
#24 8.680 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 9.349 WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 10.53 WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 12.85 WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 17.05 WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 17.26 Could not fetch URL https://pypi.org/simple/mkdocs/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/mkdocs/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))) - skipping

@andrewrhunt

andrewrhunt commented Apr 14, 2023

> As a workaround, using the command below worked for me.
>
> docker run --name repo alpine/git -c http.sslVerify=false clone https://github.com/docker/getting-started.git

@brbecker Particularly on a corporate network, it's not a good idea to disable SSL verification like that. It seems like, from reading other issues on the Yarn repo, the better way is to add your corporate certificate chain to actually verify. I've done this for GitHub already on Windows 10, so I wasn't seeing a similar issue to yours.

However, I'm also having this issue later on in the tutorial due to yarn:

 => ERROR [test 2/3] RUN yarn install                                                                                                                                               1.2s 
------
 > [test 2/3] RUN yarn install:
#14 0.419 yarn install v1.22.19
#14 0.486 [1/4] Resolving packages...
#14 0.700 [2/4] Fetching packages...
#14 1.104 error An unexpected error occurred: "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz: unable to get local issuer certificate".
#14 1.104 info If you think this is a bug, please open a bug report with the information provided in "/app/yarn-error.log".
#14 1.104 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
executor failed running [/bin/sh -c yarn install]: exit code: 1

My configuration:
Docker Desktop Version: v4.18.0
Docker Engine: Hyper-V
OS: Windows 10 Enterprise 10.0.19

I don't have administrator privileges on the Windows 10 machine issued by my workplace, thus can't install WSL here, so I'm using the Hyper-V version of Docker Desktop, v.

After some digging into an issue posted on the Yarn repo, I found some solutions, but none seemed to work. I tried:

  1. Exporting the root certificate from Firefox as a .pem file named my-cert.pem.
  2. Adding that file to /app
  3. Adding RUN yarn config set cafile my-cert.pem to the Dockerfile.

Even after that, I still see the following:

 => ERROR [test 2/3] RUN yarn install                                                                                                                                               1.2s 
------
 > [test 2/3] RUN yarn install:
#14 0.440 yarn install v1.22.19
#14 0.469 error Could not open cafile: ENOENT: no such file or directory, open '/app/my-cert.pem'
#14 0.509 [1/4] Resolving packages...
#14 0.721 [2/4] Fetching packages...
#14 1.196 error An unexpected error occurred: "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.1.tgz: unable to get local issuer certificate".
#14 1.196 info If you think this is a bug, please open a bug report with the information provided in "/app/yarn-error.log".
#14 1.196 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
executor failed running [/bin/sh -c yarn install]: exit code: 1

I've moved around the certificate to confirm it wasn't some issue with the path it was in, but it appears Yarn can't even find the file, let alone determine if I've actually gotten the right certificate in order to verify.

This isn't necessarily a Docker issue, but certainly there should be something that indicates to a user what the solution is in the event of one of these inabilities to find the certificate, and warn them (in the tutorial?) that what is going on is not an issue with Docker, and instead with their corporate network and point them to a solution.

If someone could point me to that solution also, that'd be great, because I'm quite stuck.

Also, apologies if I've missed anything here. I'm pretty certain this is the first time I've ever actually commented on a GitHub issue.
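
The second yarn log above reports that `/app/my-cert.pem` does not exist inside the image, so the `cafile` setting never took effect and verification still failed. One way to give the pip and yarn build steps the corporate CA without disabling verification, as an added example that is not the tutorial's Dockerfile or either commenter's code; the base images, the `certs/corp-root-ca.pem` build-context path, the `/certs/` directory and the `COPY` sources are assumptions.

```dockerfile
# Added example: not the tutorial's Dockerfile. Base images, COPY sources and
# the certs/corp-root-ca.pem and /certs/ paths are assumptions.

# Stage that runs pip (the "[base 4/4] RUN pip install" step in the log).
FROM python:3-alpine AS base
WORKDIR /app
# The CA must be inside the build context (and not excluded by .dockerignore);
# a file that exists only on the host is invisible to RUN steps.
COPY certs/corp-root-ca.pem /certs/corp-root-ca.pem
# Fail fast if the export is empty or DER-encoded rather than PEM.
RUN test -s /certs/corp-root-ca.pem \
 && grep -q "BEGIN CERTIFICATE" /certs/corp-root-ca.pem
# PIP_CERT is pip's --cert option: the CA bundle pip verifies servers against.
# It replaces pip's default bundle, which assumes the proxy re-signs all HTTPS.
ENV PIP_CERT=/certs/corp-root-ca.pem
COPY requirements.txt .
RUN pip install -r requirements.txt

# Stage that runs yarn (the "[test 2/3] RUN yarn install" step in the log).
FROM node:18-alpine AS test
WORKDIR /app
COPY certs/corp-root-ca.pem /certs/corp-root-ca.pem
RUN test -s /certs/corp-root-ca.pem \
 && grep -q "BEGIN CERTIFICATE" /certs/corp-root-ca.pem
# Absolute path, set before "yarn install", so it does not depend on WORKDIR.
RUN yarn config set cafile /certs/corp-root-ca.pem
# Node-based tools that ignore yarn's config read this variable instead.
ENV NODE_EXTRA_CA_CERTS=/certs/corp-root-ca.pem
COPY app/package.json app/yarn.lock ./
RUN yarn install
```

For the `docker run ... alpine/git clone` step, the same file can be bind-mounted read-only with `-v` and named through git's `GIT_SSL_CAINFO` environment variable with `-e`, in place of `-c http.sslVerify=false`. Keep the CA and these settings out of any final runtime stage that does not need to reach the network through the corporate proxy.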
