I am running Docker through Docker Desktop on a MacOS, and I am having a lot of trouble installing packages in my container because it is being unable to verify any ssl certificates.
When I run apk update for example, I get this error:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied
When I try a bundle install:
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.
And even a simple curl curl https://google.com.br:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Update
Even though I installed ca-certificates(as @β.εηοιτ.βε said) inside the container I still get the same error SSL certificate problem: unable to get local issuer certificate.
Added to the Dockerfile this line, as mentioned by @β.εηοιτ.βε:
RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl
4
Answers
It turns out β.εηοιτ.βε answer was fine, but I didnt really have all the information I needed to solve my problem after all..
I had to use a openssl call to track the ca certificates chain, with this command:
which returned me this:
With this it was possible to see it was trying to find this Zscaler certificate and not the google certificate. Which I discovered is an interceptor we use at our company to watch the traffic. With this I was able to find this post which leads to this doc, where it explains how to add the certificate to docker in a mac environment.
So the solution was adding the certificate to the system:
And adding the certificate to docker and installing ca-certificate as said by β.εηοιτ.βε:
It is not a Mac related issue, you are just missing the root certificates in your container.
In order to have them installed, you need to get to an http version of the Alpine package repository, otherwise you will also get the SSL issue fetching this package:
From there on, you should be able to install package normally again.
I was facing similar issue with alpine and docker builds. Try disconnecting VPN or any internet security software. It will solve the issue. I was having Zscalar security on so facing the same problem, once i turned it off it was working smoothly.
This may help some out there. Faced similar issue on Docker on my Mac (work so semi locked down). I used alpine version 3.12
FROM alpine:3.12and the issue went away (could be versions of certs locally we have ,but i needed a quick hack to keep going on a project). So maybe try each progressive earlier version of alpine. Obviously doesn’t solve if you needed a later version and may introduce security flaws from earlier builds.