
I am trying to follow the instructions on https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-app. My woes start right away with the docker-compose up -d command:

...
Status: Downloaded newer image for tiangolo/uwsgi-nginx-flask:python3.6
 ---> a16ce562e863
Step 2/3 : RUN pip install redis
 ---> Running in ffef7d7a575f
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/redis/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/redis/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/redis/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/redis/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/redis/
Could not fetch URL https://pypi.org/simple/redis/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/redis/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) - skipping
ERROR: Could not find a version that satisfies the requirement redis (from versions: none)
ERROR: No matching distribution found for redis
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) - skipping
ERROR: Service 'azure-vote-front' failed to build: The command '/bin/sh -c pip install redis' returned a non-zero code: 1
C:\work\azure-voting-app-redis [master ≡]>

Now I think I know what the problem is: some certificates are missing from the docker trust chain (not sure what the right terminology is here).

I have already faced this problem in the past when I tried to run an Azure DevOps build agent in a docker container. I have identified the two certificates that were missing, saved them and worked around the problem by:

  1. Copying the certificates into the docker image
  2. Running the command to import them as the very first thing.
Get-ChildItem /certificates | ForEach-Object {
    $null = Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root
}

But that was easy because the base image was mcr.microsoft.com/windows/servercore:ltsc2019

In the tutorial above the Dockerfile is:

FROM tiangolo/uwsgi-nginx-flask:python3.6
RUN pip install redis
ADD /azure-vote /app 

And this is a Linux image - no idea how to configure the certificates there.

So, given that I think I know what certificates are missing, how do I configure them in that docker container?

EDIT 1

To figure out the right procedure I have run the docker image interactively:

docker run  --mount 'type=bind,source=c:\work\azure-voting-app-redis\azure-vote\ca-certs,target=/ca-certs' -it tiangolo/uwsgi-nginx-flask:python3.6 bash

This opens bash from the docker container with /ca-certs containing the two pem files corresponding to my missing certificates. Next, I installed the ca-certificates package:

root@8f64c6b3381c:/app# apt-get update -y
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [226 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7906 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8380 kB in 2s (5123 kB/s)
Reading package lists... Done
root@8f64c6b3381c:/app# apt-get install ca-certificates -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  openssl
The following NEW packages will be installed:
  ca-certificates openssl
0 upgraded, 2 newly installed, 0 to remove and 48 not upgraded.
Need to get 1002 kB of archives.
After this operation, 1885 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 openssl amd64 1.1.1d-0+deb10u3 [844 kB]
Get:2 http://deb.debian.org/debian buster-updates/main amd64 ca-certificates all 20200601~deb10u1 [158 kB]
Fetched 1002 kB in 0s (3682 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package openssl.
(Reading database ... 24611 files and directories currently installed.)
Preparing to unpack .../openssl_1.1.1d-0+deb10u3_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u3) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../ca-certificates_20200601~deb10u1_all.deb ...
Unpacking ca-certificates (20200601~deb10u1) ...
Setting up openssl (1.1.1d-0+deb10u3) ...
Setting up ca-certificates (20200601~deb10u1) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
Updating certificates in /etc/ssl/certs...
126 added, 0 removed; done.
Processing triggers for ca-certificates (20200601~deb10u1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@8f64c6b3381c:/app#

Now I wonder if I can proceed with the pem files? The /etc/ssl/certs directory contains both pem and crt files. "How do I add a CA root certificate inside a docker image?" suggests I must convert pem to crt. I am going to try it, but I prefer to avoid any conversions, if possible.

  • It might be easier to slightly modify their Dockerfile on this line: https://github.com/Azure-Samples/azure-voting-app-redis/blob/master/azure-vote/Dockerfile#L2 and change it to include this sort of thing `--trusted-host pypi.org --trusted-host pypi.python.org --trusted-host=files.pythonhosted.org` https://stackoverflow.com/questions/56131677/run-pip-install-there-was-a-problem-confirming-the-ssl-certificate-ssl-certi – Howard_Roark Sep 14 '20 at 23:11
  • This totally works. Even though it does not answer my question, it does unblock me. Still I am curious what is the right way to install the certificates. – mark Sep 15 '20 at 00:41
  • It is very weird that you’re running into that error. It’s not like this is some obscure self signed cert — it would be surprising if their base image doesn’t have it. Especially considering it looks like lots of people use this project— someone would have raised an issue I would think. On the host itself if you pip install redis does it work? – Howard_Roark Sep 15 '20 at 00:54
  • We have ZScaler installed. All the outgoing traffic from the workstation goes through it. What's missing is the zscaler root certificate. In addition, the digicert CA certificate is needed. So, all in all 2 certificates. I do not know about digicert, but zscaler is not something installed out of the box, so it makes sense a fresh new container does not have it. As I have mentioned, this is not the first time. I faced the same issue when I tried to run Azure DevOps agent in a docker. – mark Sep 15 '20 at 01:10
  • Oh gotcha I would just include the cert chains as you’re describing in your edit. I’ll :disappear: now though as I know you were looking for a potentially better way – Howard_Roark Sep 15 '20 at 01:23
  • I do not think registering the certificates is the better way in this particular context. I am just curious how to register them properly. Trusting python sites is perfectly legit in my eyes. – mark Sep 15 '20 at 01:28
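The procedure from Edit 1 carried through for the Linux image, as an added example that is not part of the question, the comments or the Azure sample project: the pem files are staged where Debian's update-ca-certificates looks for them (a copy, not a format conversion), and pip is then pointed at the rebuilt system bundle, because pip ships its own CA list and ignores the system store; this keeps verification on, unlike the --trusted-host workaround from the comments. The script name install-ca.sh, the /ca-certs path and the Dockerfile layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the Azure sample): stage corporate
# PEM CA certificates in the Debian trust-store layout and hand the rebuilt
# bundle to pip. Script name, /ca-certs path and Dockerfile layout are assumed.
set -eu

# update-ca-certificates only picks up *.crt files under
# /usr/local/share/ca-certificates; the content stays PEM, so the "conversion"
# the question worried about is just a copy with a new extension.
# Prints the number of certificates staged.
stage_ca_certs() {
    src_dir=$1
    dest_dir=$2
    count=0
    mkdir -p "$dest_dir"
    for pem in "$src_dir"/*.pem; do
        [ -e "$pem" ] || break                 # no .pem files at all
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            # a DER file would first need: openssl x509 -inform der -in X -out X.pem
            echo "skipping $pem: not PEM-encoded" >&2
            continue
        fi
        cp "$pem" "$dest_dir/$(basename "$pem" .pem).crt"
        count=$((count + 1))
    done
    echo "$count"
}

# pip bundles its own CA list (vendored certifi) and ignores the system store,
# so a system-wide install alone is not enough: hand pip the merged bundle
# that update-ca-certificates writes. TLS verification stays on, unlike
# pip's --trusted-host.
pip_install_trusted() {
    PIP_CERT=/etc/ssl/certs/ca-certificates.crt pip install "$@"
}

# Dockerfile usage (assumed layout: ca-certs/ and this script sit beside it).
# The ca-certificates package is what Edit 1 installed interactively;
# update-ca-certificates needs it and runs as root during the build.
#   FROM tiangolo/uwsgi-nginx-flask:python3.6
#   COPY ca-certs/ /ca-certs/
#   COPY install-ca.sh /install-ca.sh
#   RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
#    && . /install-ca.sh \
#    && stage_ca_certs /ca-certs /usr/local/share/ca-certificates \
#    && update-ca-certificates \
#    && pip_install_trusted redis
#   ADD /azure-vote /app
```

Other Python HTTP clients in the image (requests, for instance) also carry their own bundle; setting REQUESTS_CA_BUNDLE to the same /etc/ssl/certs/ca-certificates.crt path covers them the same way.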
