
I am working behind a corporate http proxy with docker-compose.

The code to reproduce this issue is available on github.

To make outgoing http requests with curl on my host machine, I apply the following procedure:

  • set up http_proxy, https_proxy, no_proxy environment variables
  • copy corporate CA: CA-ENTERPRISE.crt to /usr/local/share/ca-certificates
  • run update-ca-certificates
  • test running: curl https://example.com

Now, in docker:

When I run docker-compose build --no-cache using these 2 Dockerfiles:

1st, Debian-based container: curl is KO:

FROM debian:stretch
RUN echo "http_proxy: $http_proxy | https_proxy: $https_proxy | no_proxy: $no_proxy"
RUN rm -rf /var/lib/apt/lists/*
RUN apt-get update
RUN apt-get install -y curl
COPY *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
RUN echo "################################testing a curl HTTP request###########################################"
RUN curl -s http://example.com/ > /dev/null
RUN echo "################################testing a curl HTTPS request###########################################"
RUN curl https://example.com/ > /dev/null

2nd, Alpine-based container: curl is OK:

FROM php:7.4-fpm-alpine
RUN echo "http_proxy: $http_proxy | https_proxy: $https_proxy | no_proxy: $no_proxy"

COPY *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

RUN apk update && apk upgrade
RUN apk add bash
RUN apk add wget
RUN wget --version

RUN curl https://example.com
RUN wget https://example.com

my docker-compose.yml:

version: '3'
services:
  php:
    build:
      context: docker/php-fpm-alpine
    environment:
      - TZ=Europe/Paris
      - http_proxy
      - https_proxy
      - no_proxy
  debian:
    build:
      context: docker/debian
      args:
        - http_proxy
        - https_proxy
        - no_proxy
    environment:
      - TZ=Europe/Paris
      - http_proxy
      - https_proxy
      - no_proxy

As I said, with Alpine the curl requests are OK, but with the Debian-based container the curl requests are not working because of CA issues. Below is the Debian-based container output:

Step 1/11 : FROM debian:stretch
 ---> de8b49d4b0b3
Step 2/11 : RUN echo "http_proxy: $http_proxy | https_proxy: $https_proxy | no_proxy: $no_proxy"
 ---> Running in 0f399d7de8c5
http_proxy: http://user:pass@proxy-ip:port | https_proxy: http://user:pass@proxy-ip:port | no_proxy: XXX *
Step 6/11 : COPY *.crt /usr/local/share/ca-certificates/
 ---> 6c031657b758
Step 7/11 : RUN update-ca-certificates
 ---> Running in 7a692387c343
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 7a692387c343
 ---> b1783ec988cb
Step 8/11 : RUN echo "################################testing a curl HTTP request###########################################"
 ---> Running in 76602a663e88
################################testing a curl HTTP request###########################################
Removing intermediate container 76602a663e88
 ---> 989b4c0dbdc2
Step 9/11 : RUN curl -s http://example.com/ > /dev/null
 ---> Running in 8fb7e65eaf8a
Removing intermediate container 8fb7e65eaf8a
 ---> 7bb285251123
Step 10/11 : RUN echo "################################testing a curl HTTPS request###########################################"
 ---> Running in fb0a41102cdf
################################testing a curl HTTPS request###########################################
Removing intermediate container fb0a41102cdf
 ---> c2b9d7c869dd
Step 11/11 : RUN curl https://example.com/ > /dev/null
 ---> Running in 03108bb75359
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
ERROR: Service 'debian' failed to build: The command '/bin/sh -c curl https://example.com/ > /dev/null' returned a non-zero code: 60

Thus, curl fails because of the Certificate Authority; I don't understand why this works on my host machine but not in Docker containers.

NB:
* `http_proxy`, `https_proxy`, `no_proxy` environment variables are set up in `docker-compose.yml`
* when I rm `CA-CORPORATE.crt` from `/usr/local/share/ca-certificates` on my host machine and run `update-ca-certificates`, the curl request fails, as expected.

As can be seen from this output:

  • $http_proxy, $https_proxy, $no_proxy are correctly set up in the container.

  • Outgoing http requests work.

  • Outgoing https requests encounter CA issues.

Why does curl work in alpine container and not in debian container?

How to make curl work in debian based container?

ben.IT
  • Could you share your docker-compose.yml setup? Your curl request looks like it is executed at the build stage rather than the run stage, which makes me think it might not get the correct env at that moment. cf. https://stackoverflow.com/a/52430444/280411 – Flavien Jun 30 '21 at 15:49
  • For sure, I edited the description to add the content of docker-compose.yml and added a GitHub repo for reproducibility: github.com/benIT/docker-compose-behind-http-proxy. During the build stage, http_proxy, https_proxy & no_proxy are well set; the problem seems to come from the CA in the container. – ben.IT Jul 02 '21 at 11:49
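A way to verify, inside the Debian image, that the "copy the CA" and "update-ca-certificates" steps of the host procedure actually took effect: an added diagnostic script, not code from the question's repository. It assumes Debian's default bundle path /etc/ssl/certs/ca-certificates.crt and the Debian rule that update-ca-certificates only picks up *.crt files in PEM format; run it as `sh check_ca.sh CA-FILE [BUNDLE]`, with no arguments it only defines the functions.

```shell
# Added diagnostic (not from the question's repo): checks that a corporate CA file meets
# Debian's update-ca-certificates rules (*.crt name, PEM format) and that its certificate(s)
# really landed in the system bundle. curl's "unable to get issuer certificate" (exit 60)
# means the issuer of a certificate presented to curl is not in that bundle.

# pem_body FILE: one whitespace-free base64 line per certificate in FILE, so that
# different line wrapping in the source .crt and in the bundle does not matter.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
         /-----END CERTIFICATE-----/   { print b; inb = 0; next }
         inb                           { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# cert_count FILE: number of PEM certificates in FILE (1 = a single root, 2 = root plus an intermediate).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_ca_file FILE: 0 if FILE is PEM and named *.crt. Debian's update-ca-certificates
# only picks up files matching *.crt under /usr/local/share/ca-certificates.
check_ca_file() {
    case "$1" in
        *.crt) ;;
        *) echo "SKIPPED: $1 is not named *.crt"; return 1 ;;
    esac
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "SKIPPED: $1 is not PEM (convert DER with: openssl x509 -inform der -in FILE -out FILE.crt)"
        return 2
    fi
}

# ca_in_bundle FILE BUNDLE: 0 only if every certificate in FILE is present in BUNDLE.
ca_in_bundle() {
    bundle_bodies="$(pem_body "$2")"
    found=0
    for body in $(pem_body "$1"); do        # base64 lines carry no whitespace
        printf '%s\n' "$bundle_bodies" | grep -Fxq -- "$body" || return 1
        found=$((found + 1))
    done
    [ "$found" -gt 0 ]
}

if [ "$#" -ge 1 ]; then
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    if check_ca_file "$1" && ca_in_bundle "$1" "$bundle"; then
        echo "OK: $(cert_count "$1") certificate(s) from $1 found in $bundle"
    else
        echo "MISSING: $1 is not (fully) in $bundle; re-run update-ca-certificates"
    fi
fi
```

A cert_count of 1 for the corporate file while the bundle already reports "1 added" is worth noting: "unable to get issuer certificate" is also what curl reports when the root is trusted but an intermediate in the presented chain is not.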

0 Answers