Docker Windows Composer ZScaler SSL Certificate Verify Failed

Problem description

I'm running Docker Windows (Linux containers) on a Windows 10 Enterprise box. I'm working with a Docker image based on Debian and my Windows desktop is running ZScaler.

I was provided two certificate files (a root cert and an intermediate cert), which I installed by putting them into the /usr/local/share/ca-certificates directory, and running 'update-ca-certificates' which appears to install the certs.

When I attempt to run composer diag, I get the following output:

composer diag
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: [Composer\Downloader\TransportException] The "https://repo.packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: <Omitted
Dev Public Key Fingerprint: <Omitted
OK
Checking composer version:

  [Composer\Downloader\TransportException]
  The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  Failed to enable crypto
  failed to open stream: operation failed


diagnose

Can someone help me figure out how to get this working?

Recommended answer

In my case, the root certificate had not been installed properly... the certs provided by the enterprise had the name .crt for the intermediate and .cer for the root cert. update-ca-certificates wasn't picking up the cert named .cer. Renaming the root cert and re-running update-ca-certificates installed the root cert and fixed the issue.

Running the following command helped figure out the issue:

CONNECTED(00000003)
depth=2 DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify error:num=2:unable to get issuer certificate
issuer= DC = pvt, DC = my-enterprise, CN = ca-rootauth
verify return:1
depth=1 C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
issuer= DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
issuer= C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
   i:C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com

This revealed the root cert was not recognized as a valid CA and led me to list the certs recognized by openssl. I found the answer for that here: https://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates

Once I listed and verified that the ca-rootauth didn't exist in the CA trusted list, then it was just a matter of figuring out why the two (root and intermediate) worked differently...
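
One way to catch the naming problem described in this answer before running update-ca-certificates, as an added example that is not part of the original post. It assumes Debian's update-ca-certificates, which imports only PEM-encoded files named *.crt from the local directory; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_ca_dir DIR
#   Prints one line per file found under DIR:
#     OK <path>       PEM content and a .crt name: will be imported
#     BAD-EXT <path>  PEM content, but the name does not end in .crt: skipped
#     NOT-PEM <path>  no PEM certificate marker (likely DER): convert it first
#   Returns 0 when every file is importable, 1 otherwise.
audit_ca_dir() {
    dir=${1:-/usr/local/share/ca-certificates}
    bad=0
    # A temp file (not a pipe) keeps the loop in this shell, so $bad survives.
    list=$(mktemp) || return 2
    find -L "$dir" -type f | sort > "$list"
    while IFS= read -r f; do
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "NOT-PEM $f"
            bad=1
        elif [ "${f%.crt}" = "$f" ]; then
            echo "BAD-EXT $f"
            bad=1
        else
            echo "OK $f"
        fi
    done < "$list"
    rm -f "$list"
    return $bad
}

# make_sample_dir
#   Builds a constructed directory that mirrors the page: the intermediate
#   is named .crt and the root is named .cer. The certificate body is a
#   placeholder, not a real certificate; only the PEM markers matter here.
make_sample_dir() {
    d=$(mktemp -d) || return 2
    for name in ca-intermediate.crt ca-rootauth.cer; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----' > "$d/$name"
    done
    echo "$d"
}

# Demo on the constructed sample; reports the .cer root as BAD-EXT.
audit_ca_dir "$(make_sample_dir)" || true
```

In the container, run `audit_ca_dir /usr/local/share/ca-certificates` and rename or convert anything not reported as OK before re-running update-ca-certificates.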
