I am on a Windows machine with Docker running. The Docker image is FROM php:7.3-apache, with

System : Linux b6df004de9df 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64

and Composer installed successfully in this container (Composer version 1.9.0 2019-08-02 20:55:32).
Now I entered the bash of the container and ran $ composer init, which ran successfully and initialized Composer; however, $ composer install gives this error:

```
[Composer\Downloader\TransportException]
The "https://repo.packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
```
As I could see it's an OpenSSL certificate error, I tried to get the exact error:

```
root@b6df004de9df:/var/www/html/my_JSON_proj# openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
```
To re-confirm, I tried again:

```
root@b6df004de9df:/var/www/html/my_JSON_proj# curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
```
OpenSSL version: OpenSSL 1.1.0k 28 May 2019

Output of openssl_get_cert_locations():

```
array(8) {
  ["default_cert_file"]=> "/usr/lib/ssl/cert.pem"
  ["default_cert_file_env"]=> "SSL_CERT_FILE"
  ["default_cert_dir"]=> "/usr/lib/ssl/certs"
  ["default_cert_dir_env"]=> "SSL_CERT_DIR"
  ["default_private_dir"]=> "/usr/lib/ssl/private"
  ["default_default_cert_area"]=> "/usr/lib/ssl"
  ["ini_cafile"]=> ""
  ["ini_capath"]=> ""
}
```
Solutions I tried to solve this:

- I created my localhost certificate (Ref: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how%20to%20use%20them.) but was not sure where to put that certificate, so I placed it in the /usr/local/share/ca-certifcates/ folder and tried

  ```
  curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost.pem
  ```

  still the same error.

- Edited my /usr/local/etc/php/php.ini PHP configuration file to add

  ```
  curl.cainfo="/usr/local/share/ca-certificates/localhost.pem"
  openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"
  ```

  just to find the same error.

I have been trying this with no luck. I have literally scanned through almost all of the Stack Overflow posts related to curl, OpenSSL, SSL, Docker, etc. and couldn't find the answer.
FURTHER UPDATES & FINDINGS

Surprisingly, the 'cacert.pem' file provided at https://curl.haxx.se/ca/cacert.pem (note: https) is supposed to solve the SSL problem, whereas I am not able to connect to secure links at all; how can I even download the pem file over https? Kind of a deadlock. Anyway, I tried to download it using

```
wget http://curl.haxx.se/ca/cacert.pem
```

a non-secure way to get the pem file, and I got this output:
```
root@b6df004de9df:/usr/local/etc/openssl# wget http://curl.haxx.se/ca/cacert.pem
--2019-11-08 10:21:30--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 151.101.38.49, 2a04:4e42:9::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://curl.haxx.se/ca/cacert.pem [following]
--2019-11-08 10:21:31--  https://curl.haxx.se/ca/cacert.pem
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:443... connected.
ERROR: The certificate of 'curl.haxx.se' is not trusted.
ERROR: The certificate of 'curl.haxx.se' hasn't got a known issuer.
```
And since it's a Linux server with no GUI available, the only possible way for me to download seems to be via the terminal, not a browser.

That being said, I manually created the cacert.pem file and pasted into it the content from curl.haxx.se. Then I updated php.ini with the following changes and restarted the Apache server:

```
curl.cainfo: /usr/local/etc/openssl/cacert.pem
openssl.cafile: /usr/local/etc/openssl/cacert.pem
```

Still: curl: (60) SSL certificate problem: unable to get local issuer certificate
- Updated php.ini for curl.cainfo and openssl.cafile with "/usr/lib/ssl/cert.pem", as it is the "default_cert_file" according to openssl_get_cert_locations(). Restarted the Apache server. Tried with

  ```
  curl https://www.google.com
  ```

  Still: curl: (60) SSL certificate problem: unable to get local issuer certificate

- Created a new directory 'ssl', as it was not present already, assuming that by default the OpenSSL directory is /usr/local/ssl. Created the cacert.pem file in that folder. Updated the curl.cainfo and openssl.cafile entries in php.ini with this new path. To be on the safe side, executed update-ca-certificates --fresh just in case. Restarted the Apache server. Tried with

  ```
  curl https://www.google.com
  ```

  Still: curl: (60) SSL certificate problem: unable to get local issuer certificate
On a side note, the full output of the cURL command:

```
root@b6df004de9df:/usr/lib/ssl/certs# curl https://thawte.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

And of openssl s_client against the same host:

```
root@b6df004de9df:/usr/lib/ssl/certs# openssl s_client -connect thawte.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
 1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=[email protected]
 2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=[email protected]
   i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQv2zANBgkqhkiG9w0XcVFbs+k59YwRwR4v+pBAQsFADCB
jTELMAkMxEzARBgNVBAgGA1UEBhMCVVTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpz
... few more lines ...
vxrc40H5bMPW/NgnBjRtUEPnAx9b3ll/sj3KfhbxU0bgnEYNMLb+nwnK6NDZRFpC
5E3fG+TFc9ehaBcF5xWttKz28Wr2nUUhMLhC
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
issuer=/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4270 bytes and written 326 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 06D54188D4F60C7746664262F72361EFE8DC728E9D37FDB25641A28C226DE83C3C574C781A0E4A268A7AEB6187EF54BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573209517
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
read:errno=0
```
Current Dockerfile used to build the image:

```dockerfile
FROM php:7.3-apache
RUN docker-php-ext-install mysql mysqli
RUN apt-get update -y && apt-get install -y sendmail libpng-dev
RUN apt-get update && \
    apt-get install -y \
        zlib1g-dev \
        libbz2-dev \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libpng12-dev \
        libxpm-dev \
        libvpx-dev \
        libmcrypt-dev \
        libmemcached-dev
RUN docker-php-ext-install mbstring
RUN docker-php-ext-install zip
RUN docker-php-ext-install gd
RUN docker-php-ext-install opcache
RUN docker-php-ext-install \
        bcmath \
        bz2 \
        exif \
        ftp \
        gd \
        gettext \
        mbstring \
        mcrypt \
        mysqli \
        opcache \
        pdo_mysql \
        shmop \
        sockets \
        sysvmsg \
        sysvsem \
        sysvshm \
        zip \
        p7zip-full
```
3 Answers
Finally got the issue sorted out. Actually, I never had to set curl.cainfo or openssl.cafile, or do any other updates for that matter, like downloading the certificate to use in the container etc. After I created a self-signed certificate, I had to configure Apache to use SSL and make those SSL-related changes in the Apache server, and we're all set.
You may try:

1. Add this to your Dockerfile and build the image again
2. Download the certificate via browser and copy it to the container (read about mounting a volume: -v, --read-only)
3. Use wget in insecure mode (not recommended), with the flag --no-check-certificate
I think you are behind a proxy (Zscaler); try getting the certificates and updating them, steps here: https://stackoverflow.com/a/70011298/5078874
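The diagnostics in the question (verify error 20 at depth 2, every issuer a Zscaler CA) and the last answer point at the same cause: the container's TLS connections terminate at an inspecting proxy whose root CA is not in the container's trust store, so no amount of pointing curl.cainfo or openssl.cafile at a public bundle can help. The following shell script is an added example, not from the question or any answer: it parses openssl s_client output to confirm that pattern (run on the thawte.com output above it reports 20|Zscaler Root CA) and shows the one trust-store install that covers curl, wget, OpenSSL, PHP and Composer at once. The sample outputs, the Example Corp names and the corporate-root.crt file name are constructed.

```shell
#!/bin/sh
# Added example: confirm a TLS-inspecting proxy from `openssl s_client` output
# and install its root CA system-wide in a Debian-based php:7.3-apache container.

# Constructed s_client output in the shape the question shows: depth=2 fails
# with verify error 20 and the chain ends in a private root.
SAMPLE_INTERCEPTED='CONNECTED(00000003)
depth=2 C = US, O = Example Corp, CN = Example Corp Inspection Root CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Inc./CN=www.example.com
   i:/C=US/O=Example Corp/CN=Example Corp Inspection Intermediate CA
 1 s:/C=US/O=Example Corp/CN=Example Corp Inspection Intermediate CA
   i:/C=US/O=Example Corp/CN=Example Corp Inspection Root CA/emailAddress=pki@example.com
---
Verify return code: 20 (unable to get local issuer certificate)'

# Constructed output for a direct connection that verifies cleanly.
SAMPLE_CLEAN='CONNECTED(00000003)
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Public CA Inc/CN=Public CA Inc TLS Issuing CA
Verify return code: 0 (ok)'

# Read s_client output on stdin, print "<verify code>|<CN of the top issuer>",
# and return 0 only when the failure is an unknown local issuer (code 20).
chain_diagnosis() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p')
    root_cn=$(printf '%s\n' "$out" | sed -n 's/^ *i:.*\/CN=\([^/]*\).*/\1/p' | tail -n 1)
    printf '%s|%s\n' "${code:-unknown}" "${root_cn:-unknown}"
    [ "$code" = "20" ]
}

# Install the proxy's root CA (PEM file obtained from the proxy administrators
# or exported from the host's certificate store) into the Debian trust store.
# update-ca-certificates only picks up *.crt files in this directory; afterwards
# curl, wget, OpenSSL and PHP (default_cert_dir /usr/lib/ssl/certs -> /etc/ssl/certs)
# trust it with no curl.cainfo / openssl.cafile edits. Needs root; not run below.
install_proxy_ca() {
    install -m 0644 "$1" /usr/local/share/ca-certificates/corporate-root.crt
    update-ca-certificates
}

# Demo: the intercepted sample is flagged, the clean one is not.
if result=$(printf '%s\n' "$SAMPLE_INTERCEPTED" | chain_diagnosis); then
    echo "interception suspected, missing root: $result"
fi
printf '%s\n' "$SAMPLE_CLEAN" | chain_diagnosis >/dev/null || echo "clean chain"
```

In a Dockerfile the install step is COPY corporate-root.crt /usr/local/share/ca-certificates/ followed by RUN update-ca-certificates, so every image built from it trusts the proxy without per-tool configuration.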