I’ve read many posts about this, but didn’t find an answer, or more likely I am doing something wrong.
I am running docker under WSL. I exported the Zscaler root CA certificate, converted it to PEM format (in Linux), added it to /usr/share/ca-certificates/zscaler, and added this line to /etc/ca-certificates.conf, e.g.:
zscaler/zscaler-root-ca.crt
I restarted the docker service and I still get the same error message saying that the certificate was signed by unknown authority if I run `docker pull hello-world`.
Can you tell what I’m not doing or have done incorrectly?
You could run px proxy on the Windows host, set the wsl2 network mode to mirrored, and set the http_proxy(s) variables to access the proxy from the wsl2 distribution via http://localhost:3128.
With this setup, http(s) traffic from the wsl2 distribution will always use the px proxy on Windows, which then does the actual outgoing communication. Since px runs on the Windows host, it will be able to use the ca certificates of the host.
Hi. That is one of the threads that I read, and I left out that I ran `update-ca-certificates --fresh` in the process.
Incidentally, update-ca-certificates prints warnings about certificates that it is skipping, so it might be important to look at the output of the command.
For me there was /etc/ssl/certs/ca-certificates.crt which it skipped because it contains more than one certificate, but it is also where update-ca-certificates writes files, but with a .pem extension. So, I don’t know why it is there.
In any case, I put the Zscaler cert in /usr/local/share/ca-certificates/zscaler-root-ca.crt and reran `update-ca-certificates --fresh`, getting no warnings. It wrote /etc/ssl/certs/zscaler-root-ca.pem.
After `service docker restart`, I get the same error message about x509 certificate signed by unknown authority after `docker compose`.
Also, the person saying Zscaler was misconfigured is not the person reporting the problem. So, I don’t know if that applies.
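The steps the two posts above describe (drop the exported PEM into the trust store, rerun update-ca-certificates, restart the daemon) can be scripted together with the checks that tell you whether the certificate actually made it into the bundle. The following is an added example, not code from this thread or from Docker or Zscaler; it assumes a Debian/Ubuntu-style store (/usr/local/share/ca-certificates and /etc/ssl/certs/ca-certificates.crt), that the exported PEM is at the path in CA_SRC, and that the Docker engine you are restarting is the one inside the WSL2 distro.

```shell
#!/bin/sh
# Added example (not from the thread): install a corporate root CA into the
# trust store of a WSL2 distro and verify it is really in the bundle that Go
# programs such as the Docker engine read on Linux (/etc/ssl/certs/ca-certificates.crt,
# unless SSL_CERT_FILE/SSL_CERT_DIR override it).
# Assumptions: CA_SRC points at the PEM exported from Zscaler; CA_DIR and BUNDLE
# are the Debian/Ubuntu defaults.
CA_SRC="${CA_SRC:-$HOME/zscaler-root-ca.pem}"          # assumption: your exported PEM
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"   # update-ca-certificates scans *.crt here
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Returns 0 if $1 is a file holding exactly one PEM certificate. A file that
# contains several certificates is one of the cases update-ca-certificates
# reports as "skipping".
is_single_pem_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f"
}

# Print the base64 body of the first certificate in $1 as a single line, so it
# can be matched inside a bundle whatever line wrapping the bundle uses.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d '\r\n'
}

# Returns 0 if the certificate in file $1 is present in bundle file $2.
# (A fingerprint comparison via openssl would be stricter; this text match
# needs nothing beyond coreutils.)
cert_in_bundle() {
    body="$(pem_body "$1")"
    [ -n "$body" ] || return 1
    bundle_flat="$(tr -d '\r\n' < "$2")"
    case "$bundle_flat" in
        *"$body"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install the CA, rebuild the bundle, confirm the CA landed in it, restart the engine.
install_ca() {
    is_single_pem_cert "$CA_SRC" || { echo "not a single PEM certificate: $CA_SRC" >&2; return 1; }
    sudo mkdir -p "$CA_DIR"
    # The target name must end in .crt; update-ca-certificates ignores other extensions.
    sudo install -m 0644 "$CA_SRC" "$CA_DIR/zscaler-root-ca.crt"
    # --fresh rebuilds the bundle from scratch; read its output for "skipping" warnings.
    sudo update-ca-certificates --fresh
    cert_in_bundle "$CA_SRC" "$BUNDLE" || { echo "CA is not in $BUNDLE" >&2; return 1; }
    sudo service docker restart
}

# Validate the registry's TLS chain against the rebuilt bundle, the same way the
# daemon will. With the intercepting CA trusted this prints "Verify return code: 0 (ok)".
probe_registry() {
    openssl s_client -connect registry-1.docker.io:443 -servername registry-1.docker.io \
        -CAfile "$BUNDLE" </dev/null 2>/dev/null | grep 'Verify return code'
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
case "${1:-}" in
    run) install_ca && probe_registry ;;
esac
```

Run it as `sh install-ca.sh run`. If `probe_registry` reports `0 (ok)` but `docker pull` still fails, check `docker context show`: a context of `desktop-linux` means the CLI is talking to Docker Desktop's own VM, whose daemon never reads this distro's bundle, rather than to the engine you restarted with `service docker restart`.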
Thank you. I will look into that. There is terminology that I don’t understand, e.g. how much do I need to know about NTLM? But I will see if I can set that up.
After a discussion with @rimelek: I am not certain anymore that using an HTTP proxy actually is a feasible solution to get rid of the certificate validation on the wsl2 distro side.
I might have mixed it up with how DNS entries don’t need to be resolvable on the host if an HTTP proxy is used, because the proxy host must be able to resolve the host name and have a valid route to the target IP.