(Migrated) docker image build - server certificate verification failed

(This message has been automatically imported from the retired mailing list)

Hello,

I have problems building the docker image,
the command

curl https://zato.io/repo/zato-0CBD7F72.pgp.asc

fails with the message:

curl: (60) SSL certificate problem: self signed certificate in
certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

I can work around it with the --insecure option

But then there’s the same problem with apt

W: Failed to fetch
https://zato.io/repo/stable/2.0/ubuntu/dists/trusty/main/binary-amd64/Packages
server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old
ones used instead.
The command '/bin/sh -c apt-get update && apt-get install -y zato'
returned a non-zero code: 100

I have no idea how to address this issue.

The curl command fails in the same way if I execute it on my ‘real’ machine

On 16/03/2016 07:17, Andrea Peter wrote:

curl https://zato.io/repo/zato-0CBD7F72.pgp.asc

fails with the message:

For me (OSX 10.9.5), that curl command works fine. curl -v says:

* Connected to zato.io (37.58.75.237) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: zato.io
* Server certificate: Gandi Standard SSL CA 2
* Server certificate: USERTrust RSA Certification Authority
* Server certificate: AddTrust External CA Root

GET /repo/zato-0CBD7F72.pgp.asc HTTP/1.1

What does curl -v show for you? Does it say the certificate is for
"*.webfaction.com"?

If so, you may have an old version of curl which does not support Server
Name Indication (SNI).

Try these commands:

openssl s_client -connect zato.io:443
openssl s_client -connect zato.io:443 -servername zato.io

For me, the first gives me the *.webfaction.com certificate (and fails
validation because the intermediate CA certificate is not being
presented). But the second one verifies just fine.

Regards,

Brian Candler.

On 16/03/16 10:31, Brian Candler wrote:

What does curl -v show for you? Does it say the certificate is for
"*.webfaction.com"?

$ curl -v https://zato.io/repo/zato-0CBD7F72.pgp.asc

* Hostname was NOT found in DNS cache
*   Trying 37.58.75.237...
* Connected to zato.io (37.58.75.237) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default […]

If so, you may have an old version of curl which does not support
Server Name Indication (SNI).
$ curl --version

curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1k
zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL
libz TLS-SRP

According to https://curl.haxx.se/changes.html, SNI has been supported since
version 7.18.1.

Try these commands:

openssl s_client -connect zato.io:443

$ openssl s_client -connect zato.io:443

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
0 s:/OU=GT32045455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.webfaction.com
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Server certificate
subject=/OU=GT32045455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.webfaction.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3

No client certificate CA names sent

SSL handshake has read 3809 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:

Start Time: 1458128240
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

openssl s_client -connect zato.io:443 -servername zato.io

$ openssl s_client -connect zato.io:443 -servername zato.io

CONNECTED(00000003)
depth=4 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network,
OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=zato.io
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
4 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC

Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=zato.io
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2

No client certificate CA names sent

SSL handshake has read 7135 bytes and written 431 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:

Start Time: 1458128321
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

For me, the first gives me the *.webfaction.com certificate (and fails
validation because the intermediate CA certificate is not being
presented). But the second one verifies just fine.
The results of the first one are as expected, but the second one fails.

Andrea

On 16/03/2016 11:44, Andrea Peter wrote:

The results of the first one are as expected, but the second one fails.
Interesting, looks like you are missing a root CA certificate.

Testing on an Ubuntu 14.04 box (with curl 7.35.0-1ubuntu2.6) it’s fine:

$ curl -v https://zato.io/repo/zato-0CBD7F72.pgp.asc

* Hostname was NOT found in DNS cache
*   Trying 37.58.75.237...
* Connected to zato.io (37.58.75.237) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: OU=Domain Control Validated; OU=Gandi Standard SSL; CN=zato.io
*        start date: 2015-04-22 00:00:00 GMT
*        expire date: 2018-04-22 23:59:59 GMT
*        subjectAltName: zato.io matched
*        issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*        SSL certificate verify ok.

GET /repo/zato-0CBD7F72.pgp.asc HTTP/1.1
User-Agent: curl/7.35.0
Host: zato.io
Accept: */*

< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Wed, 16 Mar 2016 11:50:35 GMT
< Content-Type: application/octet-stream
< Content-Length: 1679
< Last-Modified: Sat, 12 Apr 2014 10:27:41 GMT
< Connection: keep-alive
< ETag: "5349151d-68f"
< Accept-Ranges: bytes
<
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----

* Connection #0 to host zato.io left intact

With:

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f
zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL
libz TLS-SRP

What OS are you using?

Cheers,

Brian.

On 16/03/16 13:05, Brian Candler wrote:

What OS are you using?
Debian Jessie

Sorry, I should have mentioned that in the first post.

On 16/03/16 13:26, Rafał Krysiak wrote:

Hello Andrea.

What Dockerfile are we talking about, exactly?
the one at https://zato.io/download/docker/quickstart/Dockerfile
What’s the exact version of your Debian Jessie?
$ uname -a

Linux A004T440 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4
(2016-02-29) x86_64 GNU/Linux
(not sure that’s what you were asking for)

On 16/03/16 13:05, Brian Candler wrote:

$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f
zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL
libz TLS-SRP

What OS are you using?

Yes, indeed. Is that an actual Ubuntu 12.04 LTS by Canonical or a derivative?

As of this writing curl --version is the one that Brian sent across
above rather than 7.38.0 so that alone indicates a difference in
packages/configuration.

On 16/03/2016 12:46, Andrea Peter wrote:

the one at https://zato.io/download/docker/quickstart/Dockerfile

OK, yes that breaks for me in the same way.

The issue is with the base image it uses (not with your Jessie system),
which you can demonstrate interactively:

$ docker run -i -t --name testing --hostname testing
sequenceiq/pam:ubuntu-14.04 /bin/bash
root@testing:/# apt-get update && apt-get install -y curl
root@testing:/# curl https://zato.io/repo/zato-0CBD7F72.pgp.asc
curl: (60) SSL certificate problem: self signed certificate in
certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

root@testing:/# dpkg-query -l | grep cert
ii ca-certificates 20160104ubuntu0.14.04.1 all Common
CA certificates

Hmm. Adding the package “ssl-cert” doesn’t help.

However, if I do “apt-get dist-upgrade” (which updates 91 packages), it
works after that:

root@testing:/# curl https://zato.io/repo/zato-0CBD7F72.pgp.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQINBFNJE40BEACl4awtZU1W8xAzcfmvLxl/HVSjW5ajnQWut2Lj5Yld30cWL7q+
HnYhzJwQMcSjeBJklIrn8oY0YL0AU+shVZYnVDBvriIpkYYbeNes0SMvZIjkEW43

So the issue seems to be that the image from sequenceiq is pretty old,
but you can work around it by fixing the Dockerfile like this:

# Install helper programs used during Zato installation

RUN apt-get update && apt-get -y dist-upgrade && apt-get install -y
apt-transport-https \

After that it seems happy to me.

Cheers,

Brian.
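Brian's diagnosis above (the server sends its full chain, ending in a root that the client's outdated CA bundle does not contain, so OpenSSL reports verify return code 19) can be reproduced offline. The script below is an added demonstration, not code from the thread or from Zato: it builds a throwaway root/intermediate/leaf chain with the openssl CLI and verifies the leaf against a trust store with and without that root. All CA names and the host repo.example.test are constructed.

```shell
#!/bin/sh
# Added demo (not from the thread): reproduce OpenSSL verify return code 19
# ("self signed certificate in certificate chain") with a constructed chain,
# then show that a trust store containing the root (what a ca-certificates
# update provides) is what makes verification succeed.
set -eu

# make_demo_chain DIR: writes root.pem, inter.pem, leaf.pem, chain.pem (what the
# server sends: intermediate + root) and stale.pem (an unrelated self-signed CA
# standing in for a trust store that predates the real root).
make_demo_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:repo.example.test\n' > "$dir/leaf.ext"
  # mkcsr NAME CN: fresh RSA key plus CSR, all names constructed
  mkcsr() { openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
              -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null; }
  mkcsr root  "Demo Root CA"
  mkcsr stale "Stale Store CA"
  mkcsr inter "Demo Intermediate CA"
  mkcsr leaf  "repo.example.test"
  # Two self-signed roots: the real anchor and the decoy for the stale store.
  for ca in root stale; do
    openssl x509 -req -sha256 -days 2 -in "$dir/$ca.csr" -signkey "$dir/$ca.key" \
      -extfile "$dir/ca.ext" -out "$dir/$ca.pem" 2>/dev/null
  done
  # Intermediate signed by the root; CA:TRUE is required or chain building stops here.
  openssl x509 -req -sha256 -days 2 -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  # Leaf for the repository host, signed by the intermediate.
  openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  # The server's handshake payload, root included, exactly as zato.io did in the thread.
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# verify_leaf TRUSTSTORE DIR: prints OpenSSL's verify return code (0 = ok, 19 = the
# thread's error). Certificates received from the peer are only ever -untrusted;
# trust must come from the trust store, never from what the server sends.
verify_leaf() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$2/chain.pem" "$2/leaf.pem" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_chain "$DEMO"
echo "root in trust store: verify return code $(verify_leaf "$DEMO/root.pem" "$DEMO")"
echo "stale trust store:   verify return code $(verify_leaf "$DEMO/stale.pem" "$DEMO")"
```

The second line is the situation in the thread: nothing is wrong with the server's chain, the client simply has no anchor for it, which is why `--insecure` hides the symptom while `apt-get dist-upgrade` (refreshing ca-certificates) removes the cause.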

On 16/03/16 14:59, Rafał Krysiak wrote:

Could you please, for the time being, use this Dockerfile instead:

https://raw.githubusercontent.com/zatosource/zato-build/master/docker/quickstart/Dockerfile

Let me know if the Dockerfile works for you.
Thanks Rafał, it seems to work. In the meantime I ran out of disk space...
but the curl thing worked OK.