There is a shell script used to build a Docker image (it invokes a Dockerfile). In the Dockerfile there are several curl commands like these (the Docker container uses the base OS Debian GNU/Linux 10):
RUN curl -s -L https://repo1.maven.org/ ...
RUN curl -s -L https://github.com/CodeNarc/ ... -o codenarc.jar
RUN curl -s -L https://repo1.maven.org/ ...
RUN curl -s -L https://repo1.maven.org/ ...
The above Dockerfile runs fine when the host is Mac- or Linux-based.
But when we try to run it on a Windows host, the second curl command, i.e. the "github.com" one, fails with an SSL certificate problem (exit code 60).
We are not doing anything PHP-related, so any solution of that kind (involving PHP .ini files) is irrelevant for me.
I have now tried almost every available fix for this problem, but none seems to work:
- Downloaded the cacert.pem file from the specified location and put it in "/etc/ssl/certs", but it didn't work
- I tried using update-ca-certificate, but it didn't work
- Used --cacert <cacert.pem file location on docker container>, but that didn't work either
The only solution that works is using the -k flag in the curl command, but that is insecure and we don't want to use it. I can't find any other solution; if anyone can help I would be very grateful.
Added: I tried running openssl s_client -showcerts -connect github.com:443 on the Windows host:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3851 bytes and written 438 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 441C92CFBEA27773315E4A9476C3A5173F0A2AB0AADDE708568DD8752EAA8A5A
Session-ID-ctx:
Master-Key: DF6DB0BC64F84ADD5974694845136249AEBEFB2559009AAD2A5C27A6FC981915AB50A765914CAA8AFCAC904B9998FF54
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1614064531
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GINCH7
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
Then I ran the same command inside Docker:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3851 bytes and written 438 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 441C92CFBEA27773315E4A9476C3A5173F0A2AB0AADDE708568DD8752EAA8A5A
Session-ID-ctx:
Master-Key: DF6DB0BC64F84ADD5974694845136249AEBEFB2559009AAD2A5C27A6FC981915AB50A765914CAA8AFCAC904B9998FF54
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1614064531
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GINCH7
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
Whatever the problem is, it is not related to the container itself, otherwise it would not work on Linux and macOS either (provided the tests were done on the same network). The problem is probably on the Windows host or in the network the host is on.
Check the following:
- antivirus or proxy running on the Windows machine
- corporate firewall
- content/packet inspectors (DPI)
- trace the connection with tcpdump/wireshark from both hosts and compare the traffic
Also look at the output of openssl s_client -showcerts -connect github.com:443 to find out which certificate is the problem.
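As an added example (editor's code, not part of the question or the answer above), the following POSIX shell script does the last step of the answer mechanically: it parses the openssl s_client output pasted in the question, finds the depth at which OpenSSL reported error 20 (unable to get local issuer certificate), and reports whose certificate sits at the top of the chain. The sample text is a constructed excerpt of the lines from the post so the script runs offline; the function names (subject_at_depth, chain_top_depth, failed_depth, diagnose, install_extra_ca) are the editor's. Note what the chain itself says: the top certificate is "Blue Coat Systems, Inc. / Cloud Services CA - G2" with an "SSL-SG1-GINCH7" issuer below it, not the public root that github.com is issued under, which is exactly what a Blue Coat (Symantec) TLS-intercepting proxy on the Windows host's network presents. The missing trust anchor is therefore that proxy's CA, and the script's last function shows the Debian-correct way to add it to the container's trust store instead of using -k.

```shell
#!/bin/sh
# Added example by the editor; not code from the question or the answer.
# Parses `openssl s_client -showcerts` output and reports which certificate
# in the chain could not be verified against the local trust store.

# Constructed sample: the verification lines copied from the output in the
# question above (embedded so the script runs offline).
SAMPLE_S_CLIENT_OUTPUT='Verification error: unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GINCH7
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1'

# Print the subject of the certificate at the given depth (0 = leaf).
# $1 = s_client output, $2 = depth
subject_at_depth() {
    printf '%s\n' "$1" | sed -n "s/^depth=$2 //p" | head -n 1
}

# Print the highest depth in the chain: the certificate whose issuer curl
# must find in the trust store for verification to succeed.
chain_top_depth() {
    printf '%s\n' "$1" | sed -n 's/^depth=\([0-9]*\) .*/\1/p' | sort -n | tail -n 1
}

# Print the depth at which OpenSSL reported X509 error 20 ("unable to get
# local issuer certificate"), or "none" when no such error occurred.
# (A self-signed root that is simply untrusted reports num=19 instead.)
failed_depth() {
    printf '%s\n' "$1" | awk '
        /^depth=/               { d = substr($1, 7) }
        /^verify error:num=20:/ { print d; found = 1; exit }
        END                     { if (!found) print "none" }'
}

# One-line verdict. Returns 0 if the chain verified, 1 otherwise.
diagnose() {
    out="$1"
    top=$(chain_top_depth "$out")
    bad=$(failed_depth "$out")
    if [ "$bad" = none ]; then
        echo "chain verified"
        return 0
    fi
    if [ "$bad" = "$top" ]; then
        # Every certificate the server sent chained, but the top one's issuer
        # is unknown locally: the trust anchor (here the proxy CA) is missing.
        echo "missing trust anchor for: $(subject_at_depth "$out" "$top")"
    else
        echo "issuer missing at depth $bad: $(subject_at_depth "$out" "$bad")"
    fi
    return 1
}

# Debian/Ubuntu: how to add an extra CA so that curl (and every other
# OpenSSL/GnuTLS client) honours it. The file must be PEM, must end in .crt,
# and must live under /usr/local/share/ca-certificates; update-ca-certificates
# then rebuilds /etc/ssl/certs/ca-certificates.crt. Copying a file straight
# into /etc/ssl/certs does nothing. Needs root; not invoked in this example.
# $1 = PEM file obtained from whoever operates the proxy, $2 = short name
install_extra_ca() {
    install -m 0644 "$1" "/usr/local/share/ca-certificates/$2.crt" &&
    update-ca-certificates
}

# Live capture on the affected host (network needed, so only shown here):
#   openssl s_client -showcerts -connect github.com:443 </dev/null 2>/dev/null

diagnose "$SAMPLE_S_CLIENT_OUTPUT" || :
```

Run on the sample it prints "missing trust anchor for: C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2". That is also why the attempts listed in the question failed: the public cacert.pem bundle does not contain a corporate proxy CA, and a .pem dropped into /etc/ssl/certs is never picked up by update-ca-certificates. Importing only that proxy CA keeps curl verifying the chain, so the downloaded jar can still only come from something the proxy vouches for, whereas -k accepts any certificate from anyone on the path.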