Clone step fails due to missing local corporate CA
While running the first step of the tutorial after a fresh install of Docker Desktop, I ran into the following error:
docker run --name repo alpine/git clone https://github.com/docker/getting-started.git
Cloning into 'getting-started'...
fatal: unable to access 'https://github.com/docker/getting-started.git/': SSL certificate problem: unable to get local issuer certificate
It looks like this happens because our corporate CA cert is not being copied into the alpine/git container.
As a workaround, using the command below worked for me.
docker run --name repo alpine/git -c http.sslVerify=false clone https://github.com/docker/getting-started.git
In Step 2 (Build), there were more certificate errors from pip.
[base 4/4] RUN pip install -r requirements.txt:
#24 8.680 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 9.349 WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 10.53 WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 12.85 WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 17.05 WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /simple/mkdocs/
#24 17.26 Could not fetch URL https://pypi.org/simple/mkdocs/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/mkdocs/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))) - skipping
@brbecker Particularly on a corporate network, it's not a good idea to disable SSL verification like that. It seems like, from reading other issues on the Yarn repo, the better way is to add your corporate certificate chain to actually verify. I've done this for GitHub already on Windows 10, so I wasn't seeing a similar issue to yours.
However, I'm also having this issue later on in the tutorial due to yarn:
=> ERROR [test 2/3] RUN yarn install 1.2s
------
> [test 2/3] RUN yarn install:
#14 0.419 yarn install v1.22.19
#14 0.486 [1/4] Resolving packages...
#14 0.700 [2/4] Fetching packages...
#14 1.104 error An unexpected error occurred: "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz: unable to get local issuer certificate".
#14 1.104 info If you think this is a bug, please open a bug report with the information provided in "/app/yarn-error.log".
#14 1.104 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
executor failed running [/bin/sh -c yarn install]: exit code: 1
My configuration:
- Docker Desktop Version: v4.18.0
- Docker Engine: Hyper-V
- OS: Windows 10 Enterprise 10.0.19
I don't have administrator privileges on the Windows 10 machine issued by my workplace, thus can't install WSL here, so I'm using the Hyper-V version of Docker Desktop, v.
After some digging into an issue posted on the Yarn repo, I found some solutions, but none seemed to work. I tried:
- Exporting the root certificate from Firefox as a .pem file named my-cert.pem.
- Adding that file to /app
- Adding RUN yarn config set cafile my-cert.pem to the Dockerfile.
Even after that, I still see the following:
=> ERROR [test 2/3] RUN yarn install 1.2s
------
> [test 2/3] RUN yarn install:
#14 0.440 yarn install v1.22.19
#14 0.469 error Could not open cafile: ENOENT: no such file or directory, open '/app/my-cert.pem'
#14 0.509 [1/4] Resolving packages...
#14 0.721 [2/4] Fetching packages...
#14 1.196 error An unexpected error occurred: "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.1.tgz: unable to get local issuer certificate".
#14 1.196 info If you think this is a bug, please open a bug report with the information provided in "/app/yarn-error.log".
#14 1.196 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
executor failed running [/bin/sh -c yarn install]: exit code: 1
I've moved around the certificate to confirm it wasn't some issue with the path it was in, but it appears Yarn can't even find the file, let alone determine if I've actually gotten the right certificate in order to verify.
This isn't necessarily a Docker issue, but certainly there should be something that indicates to a user what the solution is in the event of one of these inabilities to find the certificate, and warn them (in the tutorial?) that what is going on is not an issue with Docker, and instead with their corporate network and point them to a solution.
If someone could point me to that solution also, that'd be great, because I'm quite stuck.
Also, apologies if I've missed anything here. I'm pretty certain this is the first time I've ever actually commented on a GitHub issue.
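Added example, not part of the original thread or the tutorial's own Dockerfile: one way to make the build trust a corporate root CA instead of turning verification off. The ENOENT in the log above shows that /app/my-cert.pem did not exist inside the image when the RUN step executed, so the sketch copies the certificate in first and refers to it by absolute path. The stage names follow the build logs above; the base image tags, the app/ layout and the presence of my-cert.pem at the root of the build context are assumptions.

```dockerfile
# Added example. Assumptions: base image tags, the app/ layout, and that
# my-cert.pem (PEM-encoded corporate root CA) sits at the root of the build
# context and is not excluded by .dockerignore.

FROM python:alpine AS base
WORKDIR /app
# A file that exists only on the host is invisible to RUN; it has to be
# COPY'd into the image before the first step that makes a TLS connection.
COPY my-cert.pem /usr/local/share/ca-certificates/corp-root.crt
# Append the CA to the system bundle. This needs no network access, unlike
# "apk add ca-certificates", which would itself fail certificate validation.
RUN cat /usr/local/share/ca-certificates/corp-root.crt \
      >> /etc/ssl/certs/ca-certificates.crt
# Point pip at that bundle explicitly rather than relying on its default store.
ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt
COPY requirements.txt .
RUN pip install -r requirements.txt

FROM node:18-alpine AS test
WORKDIR /app
COPY my-cert.pem /usr/local/share/ca-certificates/corp-root.crt
# Node does not read the system bundle; NODE_EXTRA_CA_CERTS adds the file
# to Node's built-in roots for every node process in this stage.
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/corp-root.crt
COPY app/package.json app/yarn.lock ./
# Absolute path, so the setting does not depend on WORKDIR.
RUN yarn config set cafile /usr/local/share/ca-certificates/corp-root.crt \
 && yarn install
```

For the one-off alpine/git clone, the same file can be bind-mounted read-only into the container and named through git's GIT_SSL_CAINFO environment variable, which keeps verification on. Confirm the exported certificate's fingerprint with whoever operates the corporate CA before trusting it in an image.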