
I am on a Windows machine, with Docker running. The Docker image is FROM php:7.3-apache,

with

System : Linux b6df004de9df 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16
UTC 2019 x86_64

with Composer installed successfully in this container: Composer version 1.9.0 2019-08-02 20:55:32.

Now, I entered the bash shell of the container and ran $ composer init, which ran successfully and initialized Composer; however, the $ composer install command gives an error:

[ComposerDownloaderTransportException] The
"https://repo.packagist.org/packages.json" file could not be
downloaded: SSL operation failed with code 1. Open SSL Error
messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto failed to open stream: operation failed

As I could see it was an OpenSSL certificate error, I tried to get the exact error:

root@b6df004de9df:/var/www/html/my_JSON_proj# openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net) , emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate

To re-confirm, I tried again:

root@b6df004de9df:/var/www/html/my_JSON_proj# curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

Openssl Version: OpenSSL 1.1.0k 28 May 2019

Output of openssl_get_cert_locations():

array(8) {
["default_cert_file"]=> "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=> "SSL_CERT_FILE"
["default_cert_dir"]=> "/usr/lib/ssl/certs"
["default_cert_dir_env"]=> "SSL_CERT_DIR"
["default_private_dir"]=> "/usr/lib/ssl/private"
["default_default_cert_area"]=> "/usr/lib/ssl"
["ini_cafile"]=> ""
["ini_capath"]=> ""
}

So, to solve this, the solutions I tried:

  1. I created my localhost certificate (Ref: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how%20to%20use%20them.) but was not sure where to put that certificate, so I placed it in the /usr/local/share/ca-certifcates/ folder and tried
    curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost.pem – still the same error

  2. Edited my PHP configuration file /usr/local/etc/php/php.ini to add

curl.cainfo="/usr/local/share/ca-certificates/localhost.pem"

openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"
    just to find the same error.

I have been trying this with no luck. I have literally scanned through almost all of the Stack Overflow posts related to curl, OpenSSL, SSL, Docker, etc. and couldn't find the answer.

  • FURTHER UPDATES & FINDINGS
    1. Surprisingly, I wonder: the 'cacert.pem' file provided at https://curl.haxx.se/ca/cacert.pem (note – https) is meant to solve the SSL problem, whereas I am not able to connect to secure links, so how can I even get to download the pem file over https? Kind of a deadlock? Anyway, I tried to download it using wget http://curl.haxx.se/ca/cacert.pem, a non-secure way to get the pem file, and I got this output:
root@b6df004de9df:/usr/local/etc/openssl# wget http://curl.haxx.se/ca/cacert.pem
--2019-11-08 10:21:30--  http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 151.101.38.49, 2a04:4e42:9::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://curl.haxx.se/ca/cacert.pem [following]
--2019-11-08 10:21:31--  https://curl.haxx.se/ca/cacert.pem
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:443... connected.
ERROR: The certificate of 'curl.haxx.se' is not trusted.
ERROR: The certificate of 'curl.haxx.se' hasn't got a known issuer.

And since it's a Linux server with no GUI available, it seems the only possible way for me to download is via the terminal, not a browser.

That being said, I manually created the cacert.pem file and entered the content into it from curl.haxx.se. Then I updated php.ini with the following changes and restarted the Apache server.

curl.cainfo: /usr/local/etc/openssl/cacert.pem &
openssl.cafile: /usr/local/etc/openssl/cacert.pem
Still – curl: (60) SSL certificate problem: unable to get local issuer certificate

  1. Updated php.ini for curl.cainfo and openssl.cafile with "/usr/lib/ssl/cert.pem", as it is the "default_cert_file" according to openssl_get_cert_locations(). Restarted the Apache server. Tried curl https://www.google.com – still curl: (60) SSL certificate problem: unable to get local issuer certificate

  2. Created a new directory 'ssl', as it was not present already, assuming that by default the OpenSSL directory is /usr/local/ssl. Created the cacert.pem file in that folder. Updated the curl.cainfo and openssl.cafile entries in php.ini with this new path. To be on the safer side, executed update-ca-certificates --fresh just in case. Restarted the Apache server. Tried curl https://www.google.com – still curl: (60) SSL certificate problem: unable to get local issuer certificate

On a side note, the full output of the cURL and openssl commands:

root@b6df004de9df:/usr/lib/ssl/certs# curl https://thawte.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
root@b6df004de9df:/usr/lib/ssl/certs# openssl s_client -connect thawte.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
 1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
[email protected]
 2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
[email protected]
   i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQv2zANBgkqhkiG9w0XcVFbs+k59YwRwR4v+pBAQsFADCB
jTELMAkMxEzARBgNVBAgGA1UEBhMCVVTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpz
... few more lines ...
vxrc40H5bMPW/NgnBjRtUEPnAx9b3ll/sj3KfhbxU0bgnEYNMLb+nwnK6NDZRFpC
5E3fG+TFc9ehaBcF5xWttKz28Wr2nUUhMLhC
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
issuer=/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4270 bytes and written 326 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 06D54188D4F60C7746664262F72361EFE8DC728E9D37FDB25641A28C226DE83C3C574C781A0E4A268A7AEB6187EF54BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1573209517
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
---
read:errno=0

Current Dockerfile used to build the image:

FROM php:7.3-apache

# "mysql" is not a PHP 7 extension (it was removed in PHP 7.0), so only mysqli is built here.
RUN docker-php-ext-install mysqli

RUN apt-get update -y && apt-get install -y sendmail libpng-dev

# Line continuations restored; libpng12-dev is not available on the Debian release this image
# uses (libpng-dev above covers it), and libzip-dev is required to build the zip extension on 7.3.
RUN apt-get update && \
    apt-get install -y \
        zlib1g-dev \
        libbz2-dev \
        libzip-dev \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libxpm-dev \
        libvpx-dev \
        libmcrypt-dev \
        libmemcached-dev

RUN docker-php-ext-install mbstring

RUN docker-php-ext-install zip

RUN docker-php-ext-install gd

RUN docker-php-ext-install opcache

# mcrypt was removed from PHP core in 7.2 (PECL only) and p7zip-full is a Debian package,
# not a PHP extension, so both are left out of this list.
RUN docker-php-ext-install \
        bcmath \
        bz2 \
        exif \
        ftp \
        gd \
        gettext \
        mbstring \
        mysqli \
        opcache \
        pdo_mysql \
        shmop \
        sockets \
        sysvmsg \
        sysvsem \
        sysvshm \
        zip


Answers


  1. Chosen as BEST ANSWER

    Finally, got the issue sorted out. Actually, I never had to set curl.cainfo or openssl.cafile, or make any other updates for that matter, like downloading the certificate to use in the container etc. After I created a self-signed certificate, I had to configure Apache to use SSL and make those SSL-related changes in the Apache server, and we're all set.


  2. You may try:

    1. Add this to your Dockerfile and build the image again

    RUN apt-get update && apt-get install -y libssl-dev
    RUN apt-get install -y libcurl4-gnutls-dev
    RUN apt-get install -y libcurl4-openssl-dev
    RUN apt-get install -y libcurl4
    

    2. Download the certificate via a browser, and copy it to the container;
    read about mounting a volume (-v, --read-only)

    3. Use wget in insecure mode (not recommended) – use the flag --no-check-certificate

  3. I think you are behind a proxy (Zscaler); try getting the certificates and updating them, steps here: https://stackoverflow.com/a/70011298/5078874

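Added example, not from the question or any of the answers: POSIX sh helpers for a Debian-based container such as php:7.3-apache behind a TLS-inspecting proxy, where pointing curl.cainfo at the public cacert.pem bundle cannot help because the chain shown above ends in a Zscaler root, not a public CA. `chain_root` and `verify_code` parse saved `openssl s_client` output to report that root and the verify return code, and `install_proxy_ca` adds the organisation's proxy root to the system trust store (which curl, wget, OpenSSL and PHP all read) only after its SHA-256 fingerprint matches a value obtained out of band. The drop-in file name corp-proxy-root.crt and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example: diagnose a TLS-interception chain and install the proxy root CA safely.
set -eu

# chain_root: read `openssl s_client -connect host:443` output on stdin and print the
# subject at the deepest "depth=N" line, i.e. the CA that must be in the trust store.
chain_root() {
    awk '/^depth=[0-9]+ / {
             d = substr($1, 7) + 0
             if (d >= max) { max = d; line = $0; sub(/^depth=[0-9]+ +/, "", line); best = line }
         }
         END { if (best != "") print best }'
}

# verify_code: print the numeric "Verify return code" from s_client output
# (20 = unable to get local issuer certificate, the error seen in the question).
verify_code() {
    sed -n 's/.*Verify return code: *\([0-9][0-9]*\).*/\1/p'
}

# cert_fingerprint FILE: SHA-256 fingerprint of a PEM certificate, colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# install_proxy_ca FILE EXPECTED_FINGERPRINT [DROPIN_DIR]
# Installs the proxy root CA into the ca-certificates drop-in directory and rebuilds the
# bundle, but only if the file's fingerprint equals the value published by the IT team,
# so the container never trusts a certificate merely because the network presented it.
# Returns 2 if FILE is unreadable, 1 on fingerprint mismatch.
install_proxy_ca() {
    cert=$1; expected=$2; dropin=${3:-/usr/local/share/ca-certificates}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    actual=$(cert_fingerprint "$cert")
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: got $actual" >&2; return 1; }
    mkdir -p "$dropin"
    cp "$cert" "$dropin/corp-proxy-root.crt"   # assumed name; must end in .crt to be picked up
    update-ca-certificates                     # refreshes /etc/ssl/certs, which /usr/lib/ssl links to
}

# Example use inside the container (not run automatically):
#   openssl s_client -connect repo.packagist.org:443 </dev/null 2>&1 | tee chain.txt | chain_root
#   verify_code < chain.txt
#   install_proxy_ca /tmp/proxy-root.pem "AB:CD:..." && curl -sI https://repo.packagist.org/packages.json
```

The fingerprint to pass must come from the proxy administrators, not from the certificate the network serves, or the check proves nothing.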