Docker 上的“composer install”命令失败,给出“SSL 操作失败,代码 1”错误
[英]'composer install' command fails on Docker giving 'SSL Operation Failed with code 1' error
问题描述
I am on the Windows machine, with Docker running.
我在 Windows 机器上,正在运行 Docker。 Docker image is FROM php:7.3-apache . Docker 图像FROM php:7.3-apache 。
with和
System: Linux b6df004de9df 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64
having Composer installed in this container successfully with Composer version 1.9.0 2019-08-02 20:55:32.使用 Composer 版本 1.9.0 2019-08-02 20:55:32 在此容器中成功安装 Composer。
Now, I entered into the bash of the container and entered a command $ composer init which run successfully and initialized the composer, however, upon $ composer install command, it gives an error现在,我进入容器的bash并输入命令$ composer init成功运行并初始化作曲家,但是,在$ composer install命令时,它给出了错误
[Composer\Downloader\TransportException] The " https://repo.packagist.org/packages.json " file could not be downloaded: SSL operation failed with code 1. Open SSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto failed to open stream: operation failed
As I could see its an OpenSSL error for Certificate, I tried to get exact error:正如我所看到的证书的 OpenSSL 错误,我试图得到确切的错误:
root@b6df004de9df:/var/www/html/my_JSON_proj# openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = support@zscaler.com verify error:num=20:unable to get local issuer certificate
To re-confirm, I again tried:为了再次确认,我再次尝试:
root@b6df004de9df:/var/www/html/my_JSON_proj# curl https://google.com curl: (60) SSL certificate problem: unable to get local issuer certificate
Openssl Version: OpenSSL 1.1.0k 28 May 2019 Openssl 版本:OpenSSL 1.1.0k 2019 年 5 月 28 日
Output of openssl_get_cert_locations (): openssl_get_cert_locations ()的Output:
array(8) {
["default_cert_file"]=> "/usr/lib/ssl/cert.pem"
["default_cert_file_env"]=> "SSL_CERT_FILE"
["default_cert_dir"]=> "/usr/lib/ssl/certs"
["default_cert_dir_env"]=> "SSL_CERT_DIR"
["default_private_dir"]=> "/usr/lib/ssl/private"
["default_default_cert_area"]=> "/usr/lib/ssl"
["ini_cafile"]=> ""
["ini_capath"]=> ""
}
So to solve this Solutions I tried :所以为了解决这个我试过的解决方案:
I created my localhost certificate Ref: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how%20to%20use%20them .
我创建了我的本地主机证书参考: https://www.digicert.com/ssl-support/openssl-quick-reference-guide.htm#:~:targetText=OpenSSL%20is%20an%20open%2Dsource,and%20how% 20to%20use%20them 。 but not sure when to put that certificate so placed in /usr/local/share/ca-certifcates/ folder and tried curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost.pem - still same error但不确定何时将该证书放在/usr/local/share/ca-certifcates/文件夹中并尝试curl https://google.com/ --cacert /usr/local/share/ca-certifcates/localhost。 pem - 仍然是同样的错误Edited my /usr/local/etc/php/php.ini php configuration file to add
编辑我的/usr/local/etc/php/php.ini php 配置文件添加
curl.cainfo="/usr/local/share/ca-certificates/localhost.pem"
openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem" just to find the - same error openssl.cafile = "/usr/local/share/ca-certificates/localhost.pem"只是为了找到 - 同样的错误
I have been trying this with no luck.我一直在尝试这个没有运气。 I have literally scanned through almost all of stack overflow posts related to curl, OpenSSL, SSL, Docker, etc and couldn't find the answer. I have literally scanned through almost all of stack overflow posts related to curl, OpenSSL, SSL, Docker, etc and couldn't find the answer.
- FURTHER UPDATES & FINDINGS进一步的更新和发现
- Surprisingly I wonder, the 'cacert.pem' the file provided at https://curl.haxx.se/ca/cacert.pem (note - http s ) to solve the SSL problem, whereas I am not able to connect to secure links, how can I even get to download pem file from https? Surprisingly I wonder, the 'cacert.pem' the file provided at https://curl.haxx.se/ca/cacert.pem (note - http s ) to solve the SSL problem, whereas I am not able to connect to secure链接,我怎么能从 https 下载 pem 文件? kinda deadlock?有点僵局? Anyways, so I tried to download using
wget http://curl.haxx.se/ca/cacert.pema non-secure way to get the pem file and I got the output as:无论如何,所以我尝试使用wget http://curl.haxx.se/ca/cacert.pem下载获取 pem 文件的非安全方式,我得到了 output 为:
- Surprisingly I wonder, the 'cacert.pem' the file provided at https://curl.haxx.se/ca/cacert.pem (note - http s ) to solve the SSL problem, whereas I am not able to connect to secure links, how can I even get to download pem file from https?
root@b6df004de9df:/usr/local/etc/openssl# wget http://curl.haxx.se/ca/cacert.pem
--2019-11-08 10:21:30-- http://curl.haxx.se/ca/cacert.pem
Resolving curl.haxx.se (curl.haxx.se)... 151.101.38.49, 2a04:4e42:9::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://curl.haxx.se/ca/cacert.pem [following]
--2019-11-08 10:21:31-- https://curl.haxx.se/ca/cacert.pem
Connecting to curl.haxx.se (curl.haxx.se)|151.101.38.49|:443... connected.
ERROR: The certificate of 'curl.haxx.se' is not trusted.
ERROR: The certificate of 'curl.haxx.se' hasn't got a known issuer.
And since its a Linux server and no GUI available, so seems an only possible way for me to download is via Terminal, not a browser.而且由于它是一个 Linux 服务器并且没有可用的 GUI,所以我下载的唯一可能方法是通过终端,而不是浏览器。
That being said, I manually created cacert.pem file and entered content in it from curl.haxx.se.话虽如此,我手动创建了 cacert.pem 文件并从 curl.haxx.se 在其中输入了内容。 And then updated php.ini with the following changes and restarted the apache server.然后使用以下更改更新 php.ini 并重新启动 apache 服务器。
curl.cainfo: /usr/local/etc/openssl/cacert.pem & openssl.cafile: /usr/local/etc/openssl/cacert.pem Still - curl: (60) SSL certificate problem: unable to get local issuer certificate curl.cainfo: /usr/local/etc/openssl/cacert.pem & openssl.cafile: /usr/local/etc/openssl/cacert.pem Still - curl: (60) SSL certificate problem: unable to get local issuer certificate
Updated php.ini for curl.cainfo and openssl.cafile with "/usr/lib/ssl/cert.pem" as its "default_cert_file" according to 'openssl_get_cert_locations()'.
为 curl.cainfo 和 openssl.cafile 更新了 php.ini Restarted apache server.重新启动 apache 服务器。 Tried with curl https://www.google.com- Still curl: (60) SSL certificate problem: unable to get local issuer certificateTried with curl https://www.google.com- Still curl: (60) SSL certificate problem: unable to get local issuer certificateCreated a new directory 'ssl' as it was not present already and assuming, By default, the OpenSSL directory is
/usr/local/ssl.创建了一个新目录“ssl”,因为它还没有存在,并假设默认情况下,OpenSSL 目录是/usr/local/ssl。 Created cacert.pem file in that folder.在该文件夹中创建了 cacert.pem 文件。 Updated curl.cainfo and openssl.cafile entries in php.ini with this new updated path.使用这个新的更新路径更新了 php.ini 中的 curl.cainfo 和 openssl.cafile 条目。 To be on a safer side, executed update-ca-certificates --freshjust in case.为了更安全,执行update-ca-certificates --fresh以防万一。 Restarted the apache server.重启 apache 服务器。 Tried with curl https://www.google.com- Still curl: (60) SSL certificate problem: unable to get local issuer certificateTried with curl https://www.google.com- Still curl: (60) SSL certificate problem: unable to get local issuer certificate
On side note full output of cURL command :在旁注完整的 output 的 cURL 命令:
root@b6df004de9df:/usr/lib/ssl/certs# curl https://thawte.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
root@b6df004de9df:/usr/lib/ssl/certs# openssl s_client -connect thawte.com:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net)
, emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Utah/
L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
pport@zscaler.com
2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net)/emailAddress=su
pport@zscaler.com
i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/emailAddress=support@zscaler.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIQv2zANBgkqhkiG9w0XcVFbs+k59YwRwR4v+pBAQsFADCB
jTELMAkMxEzARBgNVBAgGA1UEBhMCVVTCkNhbGlmb3JuaWExFTATBgNVBAoTDFpz
... few more lines ...
vxrc40H5bMPW/NgnBjRtUEPnAx9b3ll/sj3KfhbxU0bgnEYNMLb+nwnK6NDZRFpC
5E3fG+TFc9ehaBcF5xWttKz28Wr2nUUhMLhC
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Utah/serialNumber=5299537-0142/C=US/ST=Ut
ah/L=Lehi/O=DigiCert, Inc./OU=IT/CN=thawte.com
issuer=/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4270 bytes and written 326 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 06D54188D4F60C7746664262F72361EFE8DC728E9D37FDB25641A28C226DE83C3C574C781A0E4A268A7AEB6187EF54BF
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573209517
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
read:errno=0
Current DockerFile using to build the image:当前 DockerFile 用于构建镜像:
FROM php:7.3-apache
RUN docker-php-ext-install mysql mysqli
RUN apt-get update -y && apt-get install -y sendmail libpng-dev
RUN apt-get update && \
apt-get install -y \
zlib1g-dev
libbz2-dev \
libfreetype6-dev \
libjpeg62-turbo-dev \
libpng12-dev \
libxpm-dev \
libvpx-dev \
libmcrypt-dev \
libmemcached-dev \
&& \
RUN docker-php-ext-install mbstring
RUN docker-php-ext-install zip
RUN docker-php-ext-install gd
RUN docker-php-ext-install opcache
RUN docker-php-ext-install \
bcmath \
bz2 \
exif \
ftp \
gd \
gettext \
mbstring \
mcrypt \
mysqli \
opcache \
pdo_mysql \
shmop \
sockets \
sysvmsg \
sysvsem \
sysvshm \
zip \
p7zip-full \
&& \
3 个解决方案
解决方案1
1 已采纳 2019-11-12 09:20:04
Finally, got the issue sorted out.终于把问题解决了。 Actually, I never had to set the curl.cainfo OR openssl.cafile or any other updates for that matter like downloading the certificate to use in container etc. After I create a Self Signed Certificate , I had to Configure Apache to Use SSL and Make those changes related SSL into Apache server and we're all set. Actually, I never had to set the curl.cainfo OR openssl.cafile or any other updates for that matter like downloading the certificate to use in container etc. After I create a Self Signed Certificate , I had to Configure Apache to Use SSL and Make这些更改与 SSL 到 Apache 服务器相关,我们都准备好了。
解决方案2
0 2019-11-10 01:01:37
You may try:你可以试试:
1.Add this to your Dockerfile and build the image again 1.将此添加到您的 Dockerfile 并再次构建映像
RUN apt-get update && apt-get install -y libssl-dev
RUN apt-get install -y libcurl4-gnutls-dev
RUN apt-get install -y libcurl4-openssl-dev
RUN apt-get install -y libcurl4
2.Download certificate via browser, and copy it to the container read about Mount volume (-v, --read-only) 2.通过浏览器下载证书,并将其复制到容器中读取有关挂载卷(-v,--read-only)
3.use wget in insecure mode (not recommended) - use flag --no-check-certificate 3. 在不安全模式下使用 wget(不推荐) - 使用标志--no-check-certificate
解决方案3
0 2021-11-17 20:51:40
I think you are behind a proxy (Zscaler), try getting the certificates and update them, steps here: https://stackoverflow.com/a/70011298/5078874我认为您在代理(Zscaler)后面,尝试获取证书并更新它们,步骤如下: https://stackoverflow.com/a/70011298/5078874
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.