HTTPS requests in a container don't work

Hi everyone,
I’ve found a few similar posts, but no answers that work for me. I cannot get HTTPS requests working inside locally running containers. My company uses ZScaler, but no one else has this issue. Seems like Docker might not be using the ZScaler cert. Here’s what I’m trying:

docker run -it maven:3.9-amazoncorretto-20 bash 
bash-4.2# yum update -y
Loaded plugins: ovl, priorities
https://yum.corretto.aws/aarch64/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: unable to get local issuer certificate"
Trying other mirror.
https://cdn.amazonlinux.com/2/core/2.0/aarch64/3dd2cc02a0909d35ada8de88675e34b826187bbb822cdf42454cabe6bfc2d6a7/repodata/repomd.xml?instance_id=timeout&region=unknown: [Errno 14] curl#60 - "SSL certificate problem: unable to get local issuer certificate"

OS Version = Ventura 13.5
Docker Desktop Version = 4.22.1

The error that stands out is

“SSL certificate problem: unable to get local issuer certificate”

Anyone got any ideas? The requests work fine outside of Docker.

Is ZScaler performing TLS inspection?

If this is the case, the certificate of the CA that ZScaler uses to issue ad-hoc certificates would need to be present in the container as well.

You can check yourself by running the command from the first line:

docker run -it --rm maven:3.9-amazoncorretto-20 curl --verbose "https://cdn.amazonlinux.com/2/core/2.0/aarch64/3dd2cc02a0909d35ada8de88675e34b826187bbb822cdf42454cabe6bfc2d6a7/repodata/repomd.xml?instance_id=timeout&region=unknown"
*   Trying 54.230.206.64:443...
* Connected to cdn.amazonlinux.com (54.230.206.64) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cdn.amazonlinux.com
*  start date: Feb 28 00:00:00 2023 GMT
*  expire date: Nov  3 23:59:59 2023 GMT
*  subjectAltName: host "cdn.amazonlinux.com" matched cert's "cdn.amazonlinux.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
...

I expect the issuer to be different in your output.

Thanks for your help :)

This is what I get:

docker run -it --rm maven:3.9-amazoncorretto-20 curl --verbose "https://cdn.amazonlinux.com/2/core/2.0/aarch64/3dd2cc02a0909d35ada8de88675e34b826187bbb822cdf42454cabe6bfc2d6a7/repodata/repomd.xml?instance_id=timeout&region=unknown"

*   Trying 18.172.153.95:443...
* Connected to cdn.amazonlinux.com (18.172.153.95) port 443 (#0)
* ALPN: offers h2,http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

Finally figured it out. The ZScaler cert needed to be copied into /etc/pki/ca-trust/source/anchors/Zscaler Root CA.crt, then update-ca-trust extract needed to be executed (this is for Amazon Linux distros).

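A scripted form of the fix described in the post above, added here as an example and not part of the thread: it checks that the exported ZScaler CA is actually a PEM certificate (not a DER export or a private key) before placing it in the anchors directory the post names, then regenerates the bundle that curl reported as its CAfile. The function names, the destination file name and the CORP_CA variable are assumptions.

```shell
#!/bin/sh
# Install a corporate TLS-inspection root CA into the Amazon Linux /
# RHEL-family trust store used inside the container.
# $1 = path to the exported CA (PEM), $2 = anchors dir (defaults to the
# one named in the thread; overridable so the function can be tested).

install_corp_ca() {
    src="$1"
    anchors="${2:-/etc/pki/ca-trust/source/anchors}"

    # update-ca-trust only picks up PEM; a DER export from the macOS
    # Keychain would be silently ignored and the error would persist.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi
    # Never ship a private key as a trust anchor by mistake.
    if grep -q -- 'PRIVATE KEY-----' "$src"; then
        echo "refusing to install a private key: $src" >&2
        return 1
    fi
    # Confirm the file parses as X.509 when openssl is available.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$src" || return 1
    fi

    mkdir -p "$anchors"
    # Assumed file name; avoiding spaces sidesteps quoting mistakes in
    # Dockerfiles (the thread's name "Zscaler Root CA.crt" also works).
    dest="$anchors/zscaler-root-ca.crt"
    cp "$src" "$dest" && chmod 0644 "$dest" || return 1
    printf '%s\n' "$dest"
}

# Rebuild /etc/pki/tls/certs/ca-bundle.crt (curl's CAfile in the thread)
# from the anchors. Separate step so it runs only on a real system.
refresh_trust_store() {
    command -v update-ca-trust >/dev/null 2>&1 || {
        echo "update-ca-trust not found; not an Amazon Linux/RHEL image?" >&2
        return 1
    }
    update-ca-trust extract
}

# Usage inside the container: CORP_CA=/tmp/zscaler.pem sh install-ca.sh
if [ -n "${CORP_CA:-}" ]; then
    install_corp_ca "$CORP_CA" && refresh_trust_store
fi
```

Verify afterwards with the same curl --verbose command from the thread; the handshake should now continue past "Certificate (11)" and report "SSL certificate verify ok" with the ZScaler CA as issuer.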

Yep, that’s the common solution if TLS inspection is used.

I just realized I forgot to respond to your previous post. I am surprised that curl tries to take the information from the issuer certificate itself instead of using the information embedded into the x509 certificate.