[英]'composer install' command fails on Docker giving 'SSL Operation Failed with code 1' error
I am on the Windows machine, with Docker running.我在 Windows 机器上,正在运行 Docker。 Docker image is FROM php:7.3-apache
. Docker 图像FROM php:7.3-apache
。
with和
System: Linux b6df004de9df 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64系统:Linux b6df004de9df 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
having Composer installed in this container successfully with Composer version 1.9.0 2019-08-02 20:55:32.使用 Composer 版本 1.9.0 2019-08-02 20:55:32 在此容器中成功安装 Composer。
Now, I entered into the bash
of the container and entered a command $ composer init which run successfully and initialized the composer, however, upon $ composer install command, it gives an error现在,我进入容器的bash
并输入命令$ composer init成功运行并初始化作曲家,但是,在$ composer install命令时,它给出了错误
[Composer\Downloader\TransportException] The " https://repo.packagist.org/packages.json " file could not be downloaded: SSL operation failed with code 1. Open SSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [Composer\Downloader\TransportException] The " https://repo.packagist.org/packages.json " file could not be downloaded: SSL operation failed with code 1. Open SSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:证书验证失败
Failed to enable crypto failed to open stream: operation failed启用加密失败 无法打开 stream:操作失败
As I could see its an OpenSSL error for Certificate, I tried to get exact error:正如我所看到的证书的 OpenSSL 错误,我试图得到确切的错误:
root@b6df004de9df:/var/www/html/my_JSON_proj# openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = support@zscaler.com verify error:num=20:unable to get local issuer certificate root@b6df004de9df:/var/www/html/my_JSON_proj# openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc. , CN = Zscaler 中间根 CA (zscalertwo.net), emailAddress = support@zscaler.com验证错误:num=20:无法获取本地颁发者证书
To re-confirm, I again tried:为了再次确认,我再次尝试:
root@b6df004de9df:/var/www/html/my_JSON_proj# curl https://google.com curl: (60) SSL certificate problem: unable to get local issuer certificate root@b6df004de9df:/var/www/html/my_JSON_proj# curl https://google.com curl: (60) SSL certificate problem: unable to get local issuer certificate
Openssl Version: OpenSSL 1.1.0k 28 May 2019 Openssl 版本:OpenSSL 1.1.0k 2019 年 5 月 28 日
Output of openssl_get_cert_locations (): openssl_get_cert_locations ()的Output:
array(8) {
["default_cert_file"]=> "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=> "SSL_CERT_FILE"
["default_cert_dir"]=> "/usr/lib/ssl/certs"
["default_cert_dir_env"]=> "SSL_CERT_DIR"
["default_private_dir"]=> "/usr/lib/ssl/private"
["default_default_cert_area"]=> "/usr/lib/ssl"
["ini_cafile"]=> ""
["ini_capath"]=> ""
}
So to solve this Solutions I tried :所以为了解决这个我试过的解决方案:
I created my localhost certificate Ref: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how%20to%20use%20them .我创建了我的本地主机证书参考: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how% 20to%20use%20them 。 but not sure when to put that certificate so placed in /usr/local/share/ca-certifcates/ folder and tried curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost.pem - still same error但不确定何时将该证书放在/usr/local/share/ca-certifcates/文件夹中并尝试curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost。 pem - 仍然是同样的错误
Edited my /usr/local/etc/php/php.ini php configuration file to add编辑我的/usr/local/etc/php/php.ini php 配置文件添加
curl.cainfo="/usr/local/share/ca-certificates/localhost.pem"
openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"
just to find the - same error openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"
只是为了找到 - 同样的错误
I have been trying this with no luck.我一直在尝试这个没有运气。 I have literally scanned through almost all of stack overflow posts related to curl, OpenSSL, SSL, Docker, etc and couldn't find the answer. I have literally scanned through almost all of stack overflow posts related to curl, OpenSSL, SSL, Docker, etc and couldn't find the answer.
wget http://curl.haxx.se/ca/cacert.pem
a non-secure way to get the pem file and I got the output as:无论如何,所以我尝试使用wget http://curl.haxx.se/ca/cacert.pem
下载获取 pem 文件的非安全方式,我得到了 output 为:root@b6df004de9df:/usr/local/etc/openssl# wget http://curl.haxx.se/ca/cacert.pem
--2019-11-08 10:21:30-- http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 151.101.38.49, 2a04:4e42:9::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://curl.haxx.se/ca/cacert.pem [following]
--2019-11-08 10:21:31-- https://curl.haxx.se/ca/cacert.pem
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:443... connected.
ERROR: The certificate of 'curl.haxx.se' is not trusted.
ERROR: The certificate of 'curl.haxx.se' hasn't got a known issuer.
And since its a Linux server and no GUI available, so seems an only possible way for me to download is via Terminal, not a browser.而且由于它是一个 Linux 服务器并且没有可用的 GUI,所以我下载的唯一可能方法是通过终端,而不是浏览器。
That being said, I manually created cacert.pem file and entered content in it from curl.haxx.se.话虽如此,我手动创建了 cacert.pem 文件并从 curl.haxx.se 在其中输入了内容。 And then updated php.ini with the following changes and restarted the apache server.然后使用以下更改更新 php.ini 并重新启动 apache 服务器。
curl.cainfo: /usr/local/etc/openssl/cacert.pem
& openssl.cafile: /usr/local/etc/openssl/cacert.pem
Still - curl: (60) SSL certificate problem: unable to get local issuer certificate curl.cainfo: /usr/local/etc/openssl/cacert.pem
& openssl.cafile: /usr/local/etc/openssl/cacert.pem
Still - curl: (60) SSL certificate problem: unable to get local issuer certificate
Updated php.ini for curl.cainfo and openssl.cafile with "/usr/lib/ssl/cert.pem" as its "default_cert_file" according to 'openssl_get_cert_locations()'.为 curl.cainfo 和 openssl.cafile 更新了 php.ini Restarted apache server.重新启动 apache 服务器。 Tried with curl https://www.google.com
- Still curl: (60) SSL certificate problem: unable to get local issuer certificate Tried with curl https://www.google.com
- Still curl: (60) SSL certificate problem: unable to get local issuer certificate
Created a new directory 'ssl' as it was not present already and assuming, By default, the OpenSSL directory is /usr/local/ssl
.创建了一个新目录“ssl”,因为它还没有存在,并假设默认情况下,OpenSSL 目录是/usr/local/ssl
。 Created cacert.pem file in that folder.在该文件夹中创建了 cacert.pem 文件。 Updated curl.cainfo and openssl.cafile entries in php.ini with this new updated path.使用这个新的更新路径更新了 php.ini 中的 curl.cainfo 和 openssl.cafile 条目。 To be on a safer side, executed update-ca-certificates --fresh
just in case.为了更安全,执行update-ca-certificates --fresh
以防万一。 Restarted the apache server.重启 apache 服务器。 Tried with curl https://www.google.com
- Still curl: (60) SSL certificate problem: unable to get local issuer certificate Tried with curl https://www.google.com
- Still curl: (60) SSL certificate problem: unable to get local issuer certificate
On side note full output of cURL command :在旁注完整的 output 的 cURL 命令:
root@b6df004de9df:/usr/lib/ssl/certs# curl https://thawte.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root@b6df004de9df:/usr/lib/ssl/certs# openssl s_client -connect thawte.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net)
, emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/
L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
pport@zscaler.com
2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
pport@zscaler.com
i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/emailAddress=support@zscaler.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQv2zANBgkqhkiG9w0XcVFbs+k59YwRwR4v+pBAQsFADCB
jTELMAkMxEzARBgNVBAgGA1UEBhMCVVTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpz
... few more lines ...
vxrc40H5bMPW/NgnBjRtUEPnAx9b3ll/sj3KfhbxU0bgnEYNMLb+nwnK6NDZRFpC
5E3fG+TFc9ehaBcF5xWttKz28Wr2nUUhMLhC
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Ut
ah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
issuer=/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4270 bytes and written 326 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 06D54188D4F60C7746664262F72361EFE8DC728E9D37FDB25641A28C226DE83C3C574C781A0E4A268A7AEB6187EF54BF
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573209517
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
read:errno=0
Current DockerFile using to build the image:当前 DockerFile 用于构建镜像:
FROM php:7.3-apache
RUN docker-php-ext-install mysql mysqli
RUN apt-get update -y && apt-get install -y sendmail libpng-dev
RUN apt-get update && \
apt-get install -y \
zlib1g-dev
libbz2-dev \
libfreetype6-dev \
libjpeg62-turbo-dev \
libpng12-dev \
libxpm-dev \
libvpx-dev \
libmcrypt-dev \
libmemcached-dev \
&& \
RUN docker-php-ext-install mbstring
RUN docker-php-ext-install zip
RUN docker-php-ext-install gd
RUN docker-php-ext-install opcache
RUN docker-php-ext-install \
bcmath \
bz2 \
exif \
ftp \
gd \
gettext \
mbstring \
mcrypt \
mysqli \
opcache \
pdo_mysql \
shmop \
sockets \
sysvmsg \
sysvsem \
sysvshm \
zip \
p7zip-full \
&& \
Finally, got the issue sorted out.终于把问题解决了。 Actually, I never had to set the curl.cainfo
OR openssl.cafile
or any other updates for that matter like downloading the certificate to use in container etc. After I create a Self Signed Certificate , I had to Configure Apache to Use SSL and Make those changes related SSL into Apache server and we're all set. Actually, I never had to set the curl.cainfo
OR openssl.cafile
or any other updates for that matter like downloading the certificate to use in container etc. After I create a Self Signed Certificate , I had to Configure Apache to Use SSL and Make这些更改与 SSL 到 Apache 服务器相关,我们都准备好了。
You may try:你可以试试:
1.Add this to your Dockerfile and build the image again 1.将此添加到您的 Dockerfile 并再次构建映像
RUN apt-get update && apt-get install -y libssl-dev
RUN apt-get install -y libcurl4-gnutls-dev
RUN apt-get install -y libcurl4-openssl-dev
RUN apt-get install -y libcurl4
2.Download certificate via browser, and copy it to the container read about Mount volume (-v, --read-only) 2.通过浏览器下载证书,并将其复制到容器中读取有关挂载卷(-v,--read-only)
3.use wget in insecure mode (not recommended) - use flag --no-check-certificate
3. 在不安全模式下使用 wget(不推荐) - 使用标志--no-check-certificate
I think you are behind a proxy (Zscaler), try getting the certificates and update them, steps here: https://stackoverflow.com/a/70011298/5078874我认为您在代理(Zscaler)后面,尝试获取证书并更新它们,步骤如下: https://stackoverflow.com/a/70011298/5078874
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.