4

I have created a fresh Docker image:

```dockerfile
FROM ubuntu:18.04

# Install dependencies
RUN apt-get update
RUN apt-get install -y build-essential g++ curl openssl libssl-dev apache2-utils git libxml2-dev sshfs libbz2-dev libsqlite3-dev tk-dev libffi-dev libreadline-dev libfreetype6-dev libpng-dev

# Install Python
RUN curl -L https://github.com/pyenv/pyenv-installer/raw/master/bin/pyenv-installer | bash
RUN echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bash_profile && \
    echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bash_profile && \
    echo 'eval "$(pyenv init -)"' >> ~/.bash_profile && \
    echo 'eval "$(pyenv virtualenv-init -)"' >> ~/.bash_profile
RUN source ~/.bash_profile && \
    pyenv install 3.7-dev && \
    pyenv virtualenv 3.7-dev venv && \
    pyenv global venv && \
    pip install -U pip
```

However, after running this in a container, I am unable to access any websites due to a certificate issue. This is happening both in Python (3.6 & 3.7) and openssl:

```
openssl s_client -connect discordapp.com:443
openssl s_client -connect python.org:443
openssl s_client -connect google.com:443
```

All return the same error: Verify return code: 20 (unable to get local issuer certificate)

In Python, it gives me (when discord.py tries to connect to discordapp.com):

```
SSL handshake failed on verifying the certificate
protocol: <asyncio.sslproto.SSLProtocol object at 0x7fd78479c6d8>
transport: <_SelectorSocketTransport fd=6 read=polling write=<idle, bufsize=0>>
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.7-dev/lib/python3.7/asyncio/sslproto.py", line 625, in _on_handshake_complete
    raise handshake_exc
  File "/root/.pyenv/versions/3.7-dev/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.7-dev/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1048)
SSL error in data received
```

I attempted to update my certificates with apt-get install ca-certificates, but the command states that this package is already up to date.

How can I fix this?

  • What's the full error you're seeing when running the Python code? – Patrick Haugh Sep 20 '18 at 00:58
  • Updated to include the python error. –  Sep 20 '18 at 01:13
  • Have you tried the solutions [here](https://stackoverflow.com/questions/41691327/ssl-sslerror-ssl-certificate-verify-failed-certificate-verify-failed-ssl-c/41692664)? – Patrick Haugh Sep 20 '18 at 01:26
  • Those solutions seemed to be aimed at Mac OS X. I am not finding an equivalent solution that works in Ubuntu 18.04. –  Sep 20 '18 at 01:34

1 Answer

0

Try this, please.

```
openssl s_client -connect python.org:443 -verify false -debug
```

If you want to disable the verification, use the command I wrote above.

-debug is optional.

I think this is a duplicate topic because the problem is not in Docker, but in OpenSSL console syntax.

Check this: OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified.

Actually, you have to find your -CApath directory. Your certificates are there.

You will need a generic CAcert too, so visit this site: https://curl.haxx.se/docs/caextract.html.

Hope it will be helpful. Good luck.
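A diagnostic for the situation in this thread, added here as an example and not code from the question or the answer: it reports where the interpreter's OpenSSL looks for CA certificates (a pyenv-built Python may resolve different paths than the system `openssl`), finds a usable bundle, and builds a context that keeps verification on. The two candidate bundle paths are assumptions; the second is a hypothetical location for a manually downloaded `cacert.pem`.

```python
import os
import ssl

# Assumed candidate bundles: the first is the combined file written by the
# Debian/Ubuntu ca-certificates package; the second is a hypothetical location
# for a manually downloaded cacert.pem.
CANDIDATE_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/usr/local/share/ca-certificates/cacert.pem",
]


def trust_store_report():
    """Describe where this interpreter's OpenSSL looks for CA certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the default locations
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,  # None if the resolved file does not exist
        "capath": paths.capath,  # None if the resolved directory does not exist
        "compiled_cafile": paths.openssl_cafile,
        "compiled_capath": paths.openssl_capath,
        "env_cafile": os.environ.get(paths.openssl_cafile_env),
        "env_capath": os.environ.get(paths.openssl_capath_env),
        # Counts only certificates read from a file; capath entries load lazily.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
    }


def pick_ca_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first candidate that exists and is non-empty, else None."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None


def verifying_context(cafile=None):
    """Build a context that keeps CERT_REQUIRED and hostname checking on,
    trusting an explicit bundle instead of the defaults when one is given."""
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key:16} {value}")
    print("usable bundle:", pick_ca_bundle())
```

If `cafile` and `capath` both come back `None` while a bundle exists on disk, passing that bundle to `verifying_context()` (or setting `SSL_CERT_FILE`) restores verification without turning it off.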