Trouble With Getting Started Example

Hi All
I’m kicking the tires on Docker via Docker CE in a Windows 10 environment on a corporate network. Although we don’t have a proxy server specified, we do rely on a security product (like Websense, Cisco Umbrella/OpenDNS, etc.) to filter Internet traffic. As such, certificates are deployed to all machines, including my test one.

I’m running into trouble with the Dockerfile example in ‘Getting Started’ that results in SSL errors likely caused by a missing certificate:

C:\Docker\Test002> docker build -t friendlyhello .
Sending build context to Docker daemon  15.36kB
Step 1/7 : FROM python:2.7-slim
 ---> c9cde4658340
Step 2/7 : WORKDIR /app
 ---> Using cache
 ---> c570d71b1f6c
Step 3/7 : COPY . /app
 ---> 0d682d003827
Step 4/7 : RUN pip install --trusted-host pypi.python.org -r requirements.txt -vvv
 ---> Running in 641ffb893082
Created temporary directory: /tmp/pip-ephem-wheel-cache-rvqoGt
Created temporary directory: /tmp/pip-req-tracker-tWS3rt
Created requirements tracker '/tmp/pip-req-tracker-tWS3rt'
Created temporary directory: /tmp/pip-install-8mKMQX
Collecting Flask (from -r requirements.txt (line 1))
  1 location(s) to search for versions of Flask:
  * https://pypi.org/simple/flask/
  Getting page https://pypi.org/simple/flask/
  Looking up "https://pypi.org/simple/flask/" in the cache
  No cache entry available
  Starting new HTTPS connection (1): pypi.org:443
  Incremented Retry for (url='/simple/flask/'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
  Starting new HTTPS connection (2): pypi.org:443
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
  Incremented Retry for (url='/simple/flask/'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
  Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
  Starting new HTTPS connection (3): pypi.org:443
  Incremented Retry for (url='/simple/flask/'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
  Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
  Starting new HTTPS connection (4): pypi.org:443
  Incremented Retry for (url='/simple/flask/'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
  Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
  Starting new HTTPS connection (5): pypi.org:443
  Incremented Retry for (url='/simple/flask/'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
  Starting new HTTPS connection (6): pypi.org:443
  Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
  Could not fetch URL https://pypi.org/simple/flask/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/flask/ (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)) - skipping
  Could not find a version that satisfies the requirement Flask (from -r requirements.txt (line 1)) (from versions: )
Cleaning up...
Removed build tracker '/tmp/pip-req-tracker-tWS3rt'
No matching distribution found for Flask (from -r requirements.txt (line 1))
Exception information:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/basecommand.py", line 141, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 299, in run
    resolver.resolve(requirement_set)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 102, in resolve
    self._resolve_one(requirement_set, req)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 256, in _resolve_one
    abstract_dist = self._get_abstract_dist_for(req_to_install)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 209, in _get_abstract_dist_for
    self.require_hashes
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/operations/prepare.py", line 218, in prepare_linked_requirement
    req.populate_link(finder, upgrade_allowed, require_hashes)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/req/req_install.py", line 308, in populate_link
    self.link = finder.find_requirement(self, upgrade)
  File "/usr/local/lib/python2.7/site-packages/pip/_internal/index.py", line 543, in find_requirement
    'No matching distribution found for %s' % req
DistributionNotFound: No matching distribution found for Flask (from -r requirements.txt (line 1))
1 location(s) to search for versions of pip:
* https://pypi.org/simple/pip/
Getting page https://pypi.org/simple/pip/
Looking up "https://pypi.org/simple/pip/" in the cache
No cache entry available
Starting new HTTPS connection (1): pypi.org:443
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)) - skipping
The command '/bin/sh -c pip install --trusted-host pypi.python.org -r requirements.txt -vvv' returned a non-zero code: 1

I exported the certificates from my Windows machine in Base64 format into the same directory as the Dockerfile, renamed the extensions from .cer to .crt, then added some new lines to copy the certs and import them like this:

    # Use an official Python runtime as a parent image
    FROM python:2.7-slim

    # Set the working directory to /app
    WORKDIR /app

    # Copy the current directory contents into the container at /app
    COPY . /app

    # Copy certs
    COPY ./B64-cert1.crt /usr/local/share/ca-certificates/B64-cert1.crt
    COPY ./B64-cert2.crt /usr/local/share/ca-certificates/B64-cert2.crt

    # Import
    RUN update-ca-certificates

    # Install any needed packages specified in requirements.txt
    RUN pip install --trusted-host pypi.python.org -r requirements.txt

    # Make port 80 available to the world outside this container
    EXPOSE 80

    # Define environment variable
    ENV NAME World

    # Run app.py when the container launches
    CMD ["python", "app.py"]

Although it appears to work, in that the certs were added with no errors in the new code:

    # Use an official Python runtime as a parent image
    FROM python:2.7-slim

    Step 4/10 : COPY ./B64-cert1.crtt /usr/local/share/ca-certificates/B64-cert1.crt
    ---> ed9bc47a4986
    Step 5/10 : COPY ./B64-cert2.crt /usr/local/share/ca-certificates/B64-cert2.crt
    ---> 339c31176187
    Step 6/10 : RUN update-ca-certificates
    ---> Running in bf560fea442f
    Updating certificates in /etc/ssl/certs...
    4 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.
    Removing intermediate container bf560fea442f
    ---> 0f1e8a45784e
    Step 7/10 : RUN pip install --trusted-host pypi.python.org -r requirements.txt -vvv
    ---> Running in 13eb604540c0

But I’m still seeing the same set of SSL certificate errors.

It’s not clear to me what I’m doing wrong or what else is missing in order to get this to work.

Any guidance is greatly appreciated.

Hi juliuspiv!

I am pretty sure you already solved this issue on your own, but I would like to post how I solved it.

I am also working inside a corporate network that is protected with security equipment. Thus, this security configuration always adds some extra SSL certificates to every resource we request from the internet.

In my development computer (Windows 10) I updated the “Dockerfile” like this:

    # Install any needed packages specified in requirements.txt
    RUN pip install --trusted-host pypi.python.org --trusted-host pypi.org --trusted-host files.pythonhosted.org -r requirements.txt

In my test environment (Linux CentOS 7) I did the following:

  1. Download the extra SSL certificates (added by our corporate security equipment) in Base64 and save them with a crt extension (for example, SSLExtraCert01.crt).

  2. Copy those extra SSL certificates to the /etc/pki/ca-trust/source/anchors/ directory

  3. Run the following command: sudo update-ca-trust

The trusted-host options worked for me, but only for certain packages. For instance, flask and requests work fine:

    RUN pip install flask --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org
    RUN pip install requests --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org

but Numpy and Pandas do not:

    RUN pip install pandas --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org
    RUN pip install numpy --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org

Both give me a self-signed certificate error.

The trusted-host problem solved my issues with corporate network security on Windows. Not sure why it won’t in Docker. Any ideas?
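
Added example, not part of any post above and not from the Docker tutorial: a Dockerfile that keeps certificate verification on by trusting the corporate CA instead of passing --trusted-host, which turns verification off for the named hosts. It reuses the first post's certificate file names and assumes they are the PEM (Base64) CA certificates of the inspection product. pip of this era validates against its own bundled CA list rather than the system store, which is why update-ca-certificates alone did not change the error, so the example points pip at the rebuilt system bundle.

```dockerfile
# Added example (not from the thread). Assumes B64-cert1.crt and B64-cert2.crt
# are the corporate CA certificates in PEM/Base64 form, next to this Dockerfile.
FROM python:2.7-slim

WORKDIR /app

# Add the corporate CAs to the system trust store. update-ca-certificates reads
# PEM files ending in .crt from /usr/local/share/ca-certificates and rebuilds
# /etc/ssl/certs/ca-certificates.crt.
COPY B64-cert1.crt B64-cert2.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# pip checks TLS against its bundled CA list, not the system store, so point it
# (and requests / OpenSSL-based tools run during the build) at the rebuilt bundle.
ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \
    REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

COPY requirements.txt /app/

# Weak form used in the thread: certificate checks are skipped for these hosts.
# RUN pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org -r requirements.txt

# Corrected form: verification stays on and passes via the corporate CA.
RUN pip install -r requirements.txt

# Copy the application after dependencies so the pip layer is cached.
COPY . /app

EXPOSE 80
ENV NAME=World
CMD ["python", "app.py"]
```

If the build still reports CERTIFICATE_VERIFY_FAILED, check that the exported files are the issuing CA certificates in PEM form rather than DER files renamed to .crt.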