After a PC reconfiguration I am unable to use Docker properly, since some curl commands are rejected due to SSL/TLS issues.

In just one example curl -vfsSL https://apt.releases.hashicorp.com/gpg returns the following error:

*   Trying 52.222.214.125:443...
* TCP_NODELAY set
* Connected to apt.releases.hashicorp.com (52.222.214.125) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

After some digging, I now know that this issue also occurs within my WSL image, but not on host Windows OS. Hence, I believe this must be an issue that originates with my WSL setup, and not caused by Docker itself (?).

There are quite a few related questions on StackOverflow, but no solutions I found really apply to this case (and it is not an option to disable verification, which is quite frequently a suggested solution):

FWIW I work at an enterprise, with IT-issued OS. Obviously that could be a source of error, but they are unable to help me debug this issue. On a colleague's PC, however, it works flawlessly.

Any ideas?


PC Setup:

  • Windows 10 Enterprise
    • Version: 21H1
    • OS build: 19043.1645
    • Windows Feature Experience Pack: 120.2212.4170.0
  • WSL 2 with Ubuntu-20.04
  • Docker Desktop 4.7.1 (77678) with WSL 2 based engine
casparjespersen
  • On host are you using the Windows-supplied curl i.e. \windows\system\curl.exe? Does `curl -V` say `libcurl/{ver} Schannel` (and _not_ openssl or gnutls or nss)? If so maybe you have either AV/ES on your machine or WAF/DLP/etc in the 'enterprise' network intercepting your traffic using a root cert pushed to the Windows store, but not known by your Ubuntu(s?). In a browser if you go to (dummy) top page `https://apt.releases.hashicorp.com/` and look at the cert chain, is it `Amazon CA 1B` and `Amazon Root CA 1` or something else? – dave_thompson_085 May 09 '22 at 10:00
  • @dave_thompson_085 Correct. My Windows cURL is "curl 7.79.1 (Windows) libcurl/7.79.1 Schannel" whereas Ubuntu is "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3". In a browser the certificate chain for https://apt.releases.hashicorp.com/ is "Zscaler Root CA". – casparjespersen May 09 '22 at 10:54
  • Zscaler is one of the makers of gear used to intercept HTTPS traffic, so the root (for your environment) needs to be added to the truststore(s) used by your software. Most libraries and programs on Ubuntu, including curl, use its system store; see `man update-ca-certificates` on how to add to that. _Some_ program(s) could be different; if so you'll have to identify it/them. I'm pretty sure DockerDesktop uses the Windows store (which is already set) but can't swear. (I mean for access by docker itself like FROM images, not for things running _in_ containers.) – dave_thompson_085 May 09 '22 at 19:29

1 Answer

I had a similar problem at my company. The problem was that our firewall replaced the certificate. The certificate of the firewall was untrusted/unknown from within my wsl setup.

I solved the problem by exporting the firewall certificate from the windows certmanager (certmgr.msc).

The certificate was located at "Trusted Root Certification Authorities\Certificates"

Export the certificate as a DER encoded X.509 and save it under e.g. "D:\eset.cer".


From within your WSL you can add the certificate with:

# convert the DER export to PEM (the format update-ca-certificates expects)
openssl x509 -inform DER -in /mnt/d/eset.cer -out ./eset.crt
# local CAs go here; the file must end in .crt to be picked up
sudo cp eset.crt /usr/local/share/ca-certificates/
# regenerate /etc/ssl/certs/ca-certificates.crt
sudo update-ca-certificates
Lukas Benner
  • This saved my day. Initially, I thought that the issue was from Windows, but when I came across this post https://serverfault.com/a/1100505/989358, I was a bit confident that the problem was from WSL2. But the comment & answer lacked so much clarity that I was still struggling to resolve the issue until I found this answer & the listed steps to resolve the issue. – Hemangi Gokhale Oct 20 '22 at 13:51
  • Thank you! In my case, we use Zscaler (firewall) so I needed to copy the `Zscaler Root CA` certificate – Georgi Koemdzhiev Jun 02 '23 at 10:27
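The answer's three steps as a script, added here as an example and not part of the original answer or of any project: it converts the exported file (DER as in the answer, or the "Base-64 encoded X.509" export option), refuses anything that is not a CA certificate, prints subject/issuer/fingerprint so you can compare them with what the browser shows, installs into the Debian/Ubuntu local store and rebuilds the bundle that curl listed as its CAfile. It also includes a helper that prints the chain a server presents from inside WSL, which is how you identify the intercepting root in the first place. Assumptions: openssl and the ca-certificates package are installed; the certificate names, the `CA_DEST` override and the `make_test_cert` fixture (a self-signed throwaway CA, not a real interception CA) are mine; the Windows export step itself is still done in certmgr.msc as described above.

```shell
#!/bin/sh
# Added example (not from the original answer): install an exported
# interception root CA into the Ubuntu/WSL system trust store, with checks.
# Assumes openssl and update-ca-certificates (ca-certificates package).
set -eu

# Directory scanned by update-ca-certificates on Debian/Ubuntu.
# Override CA_DEST to point at a scratch directory for a dry run.
CA_DEST="${CA_DEST:-/usr/local/share/ca-certificates}"

# Convert an exported certificate (DER or Base-64/PEM) to PEM.
# Usage: to_pem <exported.cer> <out.pem>
to_pem() {
  if openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then
    return 0
  fi
  # Fall back to PEM input ("Base-64 encoded X.509" export option).
  openssl x509 -inform PEM -in "$1" -out "$2"
}

# Only a CA certificate may become a trust anchor; the proxy's per-site
# leaf certificate (the first one the browser shows) must be rejected.
# Usage: is_ca <cert.pem>   (exit 0 if basicConstraints says CA:TRUE)
is_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *"CA:TRUE"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Subject, issuer, expiry and SHA-256 fingerprint: compare these with the
# root shown in the browser's certificate viewer before trusting the file.
describe() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Install one CA into the store and rebuild the bundle.
# Usage: install_ca <exported.cer> <short-name>
install_ca() {
  pem=$(mktemp)
  to_pem "$1" "$pem"
  if ! is_ca "$pem"; then
    echo "refusing $1: not a CA certificate (no basicConstraints CA:TRUE)" >&2
    rm -f "$pem"
    return 1
  fi
  describe "$pem"
  # update-ca-certificates only picks up files ending in .crt.
  cp "$pem" "$CA_DEST/$2.crt"
  chmod 0644 "$CA_DEST/$2.crt"
  rm -f "$pem"
  # Regenerate /etc/ssl/certs/ca-certificates.crt (the CAfile curl reported)
  # only when writing to the real store; a dry run elsewhere skips it.
  if [ "$CA_DEST" = /usr/local/share/ca-certificates ]; then
    update-ca-certificates
  fi
}

# Print the chain a server presents from inside WSL. With interception the
# last "i:" line is the proxy root (e.g. a Zscaler root), not a public CA.
# Usage: show_chain apt.releases.hashicorp.com
show_chain() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---/p'
}

# Constructed test fixture (not a real interception CA): a self-signed
# certificate with basicConstraints CA:$3, written as PEM ($1.pem) and as
# DER ($1.cer), the latter matching certmgr.msc's "DER encoded binary X.509".
make_test_cert() {
  cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $2
[ext]
basicConstraints = critical, CA:$3
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  openssl x509 -in "$1.pem" -outform DER -out "$1.cer"
}

# Usage: sudo sh install-corp-ca.sh /mnt/d/eset.cer corp-root
if [ $# -ge 2 ]; then
  install_ca "$1" "$2"
fi
```

Run `show_chain` first against the failing host; if the root issuer it prints is your proxy vendor's CA rather than a public one, that is the certificate to export. The CA:TRUE check matters because exporting the wrong entry (the per-site certificate the proxy minted) would both fail to fix curl and plant a non-CA file in the trust store; the fingerprint printed by `describe` is what you compare against the browser's view of the same root.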