Why curl running from a container complains about local issuer certificate when all the certificates are supposedly present?

Here is my docker command line:

mark@L-R910LPKW:~$ docker run -v /etc/ssl:/etc/ssl -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates -v /usr/share/ca-certificates:/usr/share/ca-certificates curlimages/curl -ksvo /dev/null https://registry.yarnpkg.com/csstype/-/csstype-3.0.8.tgz
*   Trying 104.16.19.35:443...
* Connected to registry.yarnpkg.com (104.16.19.35) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3297 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=registry.yarnpkg.com
*  start date: Apr 29 02:29:46 2023 GMT
*  expire date: May 13 02:29:46 2023 GMT
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
} [5 bytes data]
> GET /csstype/-/csstype-3.0.8.tgz HTTP/1.1
> Host: registry.yarnpkg.com
> User-Agent: curl/8.0.1-DEV
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Fri, 05 May 2023 02:17:14 GMT
< Content-Type: application/octet-stream
< Content-Length: 175305
< Connection: keep-alive
< CF-Ray: 7c257c694f4253f5-YYZ
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Age: 1689328
< Cache-Control: public, immutable, max-age=31557600
< ETag: "a06dac7944c631c06fa7509c9095ca08"
< Last-Modified: Mon, 19 Apr 2021 07:35:13 GMT
< Vary: Accept-Encoding
< CF-Cache-Status: HIT
< Server: cloudflare
<
{ [14612 bytes data]
* Connection #0 to host registry.yarnpkg.com left intact
mark@L-R910LPKW:~$

This is a corporate network and so we have Zscaler acting as the MITM.

I do not understand why curl is "unable to get local issuer certificate". I can run the same command line on the host machine just fine:

mark@L-R910LPKW:~$ curl -svo /dev/null https://registry.yarnpkg.com/csstype/-/csstype-3.0.8.tgz
*   Trying 104.16.19.35:443...
* Connected to registry.yarnpkg.com (104.16.19.35) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3297 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=registry.yarnpkg.com
*  start date: Apr 29 02:29:46 2023 GMT
*  expire date: May 13 02:29:46 2023 GMT
*  subjectAltName: host "registry.yarnpkg.com" matched cert's "registry.yarnpkg.com"
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /csstype/-/csstype-3.0.8.tgz HTTP/1.1
> Host: registry.yarnpkg.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 05 May 2023 02:25:46 GMT
< Content-Type: application/octet-stream
< Content-Length: 175305
< Connection: keep-alive
< CF-Ray: 7c2588e75bada216-YYZ
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Age: 1689840
< Cache-Control: public, immutable, max-age=31557600
< ETag: "a06dac7944c631c06fa7509c9095ca08"
< Last-Modified: Mon, 19 Apr 2021 07:35:13 GMT
< Vary: Accept-Encoding
< CF-Cache-Status: HIT
< Server: cloudflare
<
{ [14612 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Connection #0 to host registry.yarnpkg.com left intact
mark@L-R910LPKW:~$

Why do I think curl in the container should work fine? Because I mount all the same certificate directories from the host into the container:

  1. /etc/ssl
  2. /usr/local/share/ca-certificates
  3. /usr/share/ca-certificates

So presumably the container "sees" the same certificates as the host. So why does it not work?
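A check of the kind a practitioner would run over the two transcripts above, as an added example (Python; not code from the question, from curl, or from Zscaler): it parses curl's `-v` output for the verify-result line, the issuer line and the `CAfile`/`CApath` lines, and reports whether the transfer was actually authenticated or only proceeded because `-k` suppressed the verification failure. The sample inputs are excerpts from the transcripts in the question; the function and field names, and the small table of OpenSSL verify-error codes, are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines curl -v prints about peer verification (OpenSSL-backend wording).
_VERIFY_FAIL = re.compile(
    r"^\*\s+SSL certificate verify result: (?P<reason>.+?) \((?P<code>\d+)\)"
    r"(?P<cont>, continuing anyway)?\.?\s*$"
)
_VERIFY_OK = re.compile(r"^\*\s+SSL certificate verify ok\.?\s*$")
_ISSUER = re.compile(r"^\*\s+issuer: (?P<dn>.+?)\s*$")
_CAFILE = re.compile(r"^\*\s+CAfile: (?P<path>\S+)")
_CAPATH = re.compile(r"^\*\s+CApath: (?P<path>\S+)")

# OpenSSL X509_V_ERR_* numbers as they appear in curl's "(N)" suffix.
X509_ERRORS = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}


@dataclass
class VerifySummary:
    verified: Optional[bool] = None      # None: no verify line found in the log
    error_code: Optional[int] = None     # OpenSSL X509_V_ERR_* number, e.g. 20
    reason: Optional[str] = None
    continued_insecurely: bool = False   # failure reported but transfer went on (-k)
    issuer: Optional[str] = None
    cafile: Optional[str] = None         # trust store curl said it loaded, if printed
    capath: Optional[str] = None


def summarize_curl_verbose(log: str) -> VerifySummary:
    """Extract the verification outcome and trust-store hints from curl -v output."""
    s = VerifySummary()
    for line in log.splitlines():
        m = _VERIFY_FAIL.match(line)
        if m:
            s.verified = False
            s.error_code = int(m.group("code"))
            s.reason = m.group("reason")
            s.continued_insecurely = m.group("cont") is not None
            continue
        if _VERIFY_OK.match(line):
            s.verified = True
            continue
        m = _ISSUER.match(line)
        if m:
            s.issuer = m.group("dn")
            continue
        m = _CAFILE.match(line)
        if m:
            s.cafile = m.group("path")
            continue
        m = _CAPATH.match(line)
        if m:
            s.capath = m.group("path")
    return s


def findings(s: VerifySummary) -> List[str]:
    """Turn a summary into review findings; an empty list means nothing to flag."""
    out: List[str] = []
    if s.verified is None:
        out.append("no verify-result line found; rerun curl with -v to capture it")
        return out
    if not s.verified:
        name = X509_ERRORS.get(s.error_code, "unknown OpenSSL verify error")
        msg = f"peer certificate NOT verified: {s.reason} (code {s.error_code}, {name})"
        if s.continued_insecurely:
            msg += ("; the transfer proceeded only because -k/--insecure suppressed "
                    "the failure, so the peer was never authenticated")
        out.append(msg)
        if s.error_code == 20:
            out.append("code 20 means the issuer of the presented chain is not in the "
                       "trust store this curl binary actually loaded; files mounted "
                       "elsewhere on disk do not change which store it consults")
    if s.cafile is None and s.capath is None:
        out.append("log does not show CAfile/CApath, so the trust store used cannot be "
                   "confirmed from this output; check curl-config --ca on that binary")
    return out


# Constructed sample inputs: excerpts of the two transcripts in the question.
CONTAINER_LOG = """\
* Connected to registry.yarnpkg.com (104.16.19.35) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=registry.yarnpkg.com
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""

HOST_LOG = """\
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify ok.
"""

if __name__ == "__main__":
    for label, log in (("container", CONTAINER_LOG), ("host", HOST_LOG)):
        print(f"[{label}]")
        for f in findings(summarize_curl_verbose(log)) or ["verification OK"]:
            print("  -", f)
```

The useful contrast is that the host transcript names the bundle it loaded (`/etc/ssl/certs/ca-certificates.crt`) and verifies, while the container transcript names no bundle and fails with code 20 yet still downloads the tarball because of `-k`. Pointing this parser at CI logs is a cheap way to catch transfers that only "succeeded" because verification was switched off.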
