Hi All
I’m kicking the tires on Docker via Docker CE in a Windows 10 environment on a corporate network. Although we don’t have a proxy server specified, we do rely on a security product (like Websense, Cisco Umbrella/OpenDNS, etc.) to filter Internet traffic. As such, certificates are deployed to all machines, including my test one.
I’m running into trouble with the Dockerfile example in ‘Getting Started’ that results in SSL errors likely caused by a missing certificate:
C:\Docker\Test002> docker build -t friendlyhello .
Sending build context to Docker daemon 15.36kB
Step 1/7 : FROM python:2.7-slim
---> c9cde4658340
Step 2/7 : WORKDIR /app
---> Using cache
---> c570d71b1f6c
Step 3/7 : COPY . /app
---> 0d682d003827
Step 4/7 : RUN pip install --trusted-host pypi.python.org -r requirements.txt -vvv
---> Running in 641ffb893082
Created temporary directory: /tmp/pip-ephem-wheel-cache-rvqoGt
Created temporary directory: /tmp/pip-req-tracker-tWS3rt
Created requirements tracker '/tmp/pip-req-tracker-tWS3rt'
Created temporary directory: /tmp/pip-install-8mKMQX
Collecting Flask (from -r requirements.txt (line 1))
1 location(s) to search for versions of Flask:
* https://pypi.org/simple/flask/
Getting page https://pypi.org/simple/flask/
Looking up "https://pypi.org/simple/flask/" in the cache
No cache entry available
Starting new HTTPS connection (1): pypi.org:443
Incremented Retry for (url='/simple/flask/'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
Starting new HTTPS connection (2): pypi.org:443
Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Incremented Retry for (url='/simple/flask/'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Starting new HTTPS connection (3): pypi.org:443
Incremented Retry for (url='/simple/flask/'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Starting new HTTPS connection (4): pypi.org:443
Incremented Retry for (url='/simple/flask/'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Starting new HTTPS connection (5): pypi.org:443
Incremented Retry for (url='/simple/flask/'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
Starting new HTTPS connection (6): pypi.org:443
Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Could not fetch URL https://pypi.org/simple/flask/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/flask/ (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)) - skipping
Could not find a version that satisfies the requirement Flask (from -r requirements.txt (line 1)) (from versions: )
Cleaning up...
Removed build tracker '/tmp/pip-req-tracker-tWS3rt'
No matching distribution found for Flask (from -r requirements.txt (line 1))
Exception information:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/pip/_internal/basecommand.py", line 141, in main
status = self.run(options, args)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 299, in run
resolver.resolve(requirement_set)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 102, in resolve
self._resolve_one(requirement_set, req)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 256, in _resolve_one
abstract_dist = self._get_abstract_dist_for(req_to_install)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/resolve.py", line 209, in _get_abstract_dist_for
self.require_hashes
File "/usr/local/lib/python2.7/site-packages/pip/_internal/operations/prepare.py", line 218, in prepare_linked_requirement
req.populate_link(finder, upgrade_allowed, require_hashes)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/req/req_install.py", line 308, in populate_link
self.link = finder.find_requirement(self, upgrade)
File "/usr/local/lib/python2.7/site-packages/pip/_internal/index.py", line 543, in find_requirement
'No matching distribution found for %s' % req
DistributionNotFound: No matching distribution found for Flask (from -r requirements.txt (line 1))
1 location(s) to search for versions of pip:
* https://pypi.org/simple/pip/
Getting page https://pypi.org/simple/pip/
Looking up "https://pypi.org/simple/pip/" in the cache
No cache entry available
Starting new HTTPS connection (1): pypi.org:443
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)) - skipping
The command '/bin/sh -c pip install --trusted-host pypi.python.org -r requirements.txt -vvv' returned a non-zero code: 1
I exported the certificates from my Windows machine in Base64 format into the same directory as the Dockerfile, renamed the extensions from .cer to .crt, then added some new lines to copy the certs and import them like this:
# Use an official Python runtime as a parent image
FROM python:2.7-slim
# Set the working directory to /app
WORKDIR /app
# Copy the current directory contents into the container at /app
COPY . /app
# Copy certs
COPY ./B64-cert1.crt /usr/local/share/ca-certificates/B64-cert1.crt
COPY ./B64-cert2.crt /usr/local/share/ca-certificates/B64-cert2.crt
# Import
RUN update-ca-certificates
# Install any needed packages specified in requirements.txt
RUN pip install --trusted-host pypi.python.org -r requirements.txt
# Make port 80 available to the world outside this container
EXPOSE 80
# Define environment variable
ENV NAME World
# Run app.py when the container launches
CMD ["python", "app.py"]
Although it appears to work, in that certs were added and there were no errors in the new code:
# Use an official Python runtime as a parent image
FROM python:2.7-slim
Step 4/10 : COPY ./B64-cert1.crtt /usr/local/share/ca-certificates/B64-cert1.crt
---> ed9bc47a4986
Step 5/10 : COPY ./B64-cert2.crt /usr/local/share/ca-certificates/B64-cert2.crt
---> 339c31176187
Step 6/10 : RUN update-ca-certificates
---> Running in bf560fea442f
Updating certificates in /etc/ssl/certs...
4 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container bf560fea442f
---> 0f1e8a45784e
Step 7/10 : RUN pip install --trusted-host pypi.python.org -r requirements.txt -vvv
---> Running in 13eb604540c0
But I’m still seeing the same set of SSL certificate errors.
It’s not clear to me what I’m doing wrong or what else is missing in order to get this to work.
Any guidance is greatly appreciated.
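
Added example, not part of the original post: a variant of the Dockerfile above that also tells pip which CA bundle to use, since pip verifies TLS against its own bundled CA list rather than the system store that `update-ca-certificates` maintains. It assumes the two exported files are PEM (Base64) and include the root CA the filtering product uses to re-sign HTTPS traffic.

```dockerfile
# Added example, not the poster's file. Assumes B64-cert1.crt and
# B64-cert2.crt are PEM (Base64) files that include the root CA the
# filtering product uses when it re-signs HTTPS traffic.
FROM python:2.7-slim

WORKDIR /app

# Install the corporate CAs into the Debian system trust store.
# update-ca-certificates only picks up PEM files whose names end in .crt.
COPY ./B64-cert1.crt ./B64-cert2.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# pip validates TLS against its own bundled CA list, not /etc/ssl/certs,
# so point it at the bundle update-ca-certificates just regenerated.
ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt
# The requests library (used by application code) honours this variable.
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Copy the application after the trust setup so that layer stays cached.
COPY . /app

# No --trusted-host here: that option skips certificate checks for the
# named host, and pypi.python.org is not the host pip contacts in the
# build log (pypi.org). Verification stays on, anchored to the bundle above.
RUN pip install -r requirements.txt

EXPOSE 80
ENV NAME=World
CMD ["python", "app.py"]
```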