Tags: docker, macos, ssl, alpine-linux, docker-desktop

Why do I get SSL errors while installing packages on Docker (on Mac)?


I am running Docker through Docker Desktop on macOS, and I am having a lot of trouble installing packages in my container because it is unable to verify any SSL certificates.

When I run apk update, for example, I get this error:

fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
139797308250952:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.14/main: Permission denied

When I try a bundle install:

Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification.

And even a simple curl (curl https://google.com.br):

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Update

Even though I installed ca-certificates (as @β.εηοιτ.βε said) inside the container, I still get the same error: SSL certificate problem: unable to get local issuer certificate.

I added this line to the Dockerfile, as mentioned by @β.εηοιτ.βε:

RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl

Solution

  • It turns out β.εηοιτ.βε's answer was fine, but I didn't really have all the information I needed to solve my problem after all.

    I had to use an openssl call to trace the CA certificate chain, with this command:

    openssl s_client -connect google.com:443
    

    which returned this:

    CONNECTED(00000003)
    depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = support@zscaler.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
    verify return:1
    depth=0 CN = *.google.com
    verify return:1
    ---
    

    With this it was possible to see that it was trying to verify a Zscaler certificate, not Google's, which I discovered is an interceptor we use at our company to watch the traffic. With this I was able to find this post, which leads to this doc, where it explains how to add the certificate to Docker in a Mac environment.

    So the solution was adding the certificate to the system:

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>
    

    And adding the certificate to Docker and installing ca-certificates, as said by β.εηοιτ.βε:

    ADD ./ZscalerRootCertificate.crt /usr/local/share/ca-certificates/
    RUN apk add --no-cache \
        --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main \
        ca-certificates
    RUN update-ca-certificates
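As an added example (not part of the question above or of the cited answer), a small POSIX shell helper that automates the diagnosis used here: it parses an openssl s_client -showcerts transcript, reports whether the chain head the server presented is missing from the local trust store (verify error 20), and extracts that head as PEM so it can be dropped into /usr/local/share/ca-certificates/ before update-ca-certificates. The transcript below is constructed with placeholder proxy names and dummy PEM bodies; the host name is an assumption.

```shell
# Added example, not the question's or the answer's own code. Parses `openssl
# s_client -showcerts` output to separate "intercepting proxy whose root is not
# trusted here" from "CA bundle missing", and pulls the chain head out as PEM.
# Constructed sample transcript, modelled on the chain the question shows (dummy PEM).
SAMPLE='depth=2 C = US, O = Example Proxy Inc., CN = Example Proxy Root CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.google.com
verify return:1
---
 0 s:CN = *.google.com
-----BEGIN CERTIFICATE-----
LEAFDUMMY
-----END CERTIFICATE-----
 1 s:CN = Example Proxy Intermediate CA
-----BEGIN CERTIFICATE-----
PROXYDUMMY
-----END CERTIFICATE-----
---'

# Number from the first "verify error:num=N:" line, or 0 when verification passed.
verify_error_num() {
  awk -F: '/^verify error:num=/ { sub("num=", "", $2); print $2; found = 1; exit }
           END { if (!found) print 0 }'
}

# Subject of the deepest "depth=N" line: the top of the chain the peer presented.
chain_head() {
  awk '/^depth=/ { d = substr($1, 7) + 0; if (d >= max) { max = d; s = substr($0, index($0, " ") + 1) } }
       END { print s }'
}

# Last PEM block in the transcript: the highest certificate the peer sent.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
       inblk { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { inblk = 0 }
       END { printf "%s", buf }'
}

# Reads a transcript on stdin; returns 1 when the chain head is not trusted locally.
diagnose() {
  out=$(cat)
  top=$(printf '%s\n' "$out" | chain_head)
  if [ "$(printf '%s\n' "$out" | verify_error_num)" = "20" ]; then
    printf 'chain head is not in the local trust store: %s\n' "$top"; return 1
  fi
  printf 'chain verified; head: %s\n' "$top"
}
```

For a live check, feed it the real transcript (s_client prints the depth lines on stderr, hence the redirect): openssl s_client -connect google.com:443 -showcerts </dev/null 2>&1 | diagnose; piping the same transcript through last_cert > proxy-root.crt yields the file to copy into the image.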