我一直在使用带有基础 Ubuntu 14.04 映像的 Docker 1.7.1,突然出现以下情况curl:
curl -L -o sbt.tgz https://dl.bintray.com/sbt/native-packages/sbt/0.13.9/sbt-0.13.9.tgz
导致我出现以下错误:
curl: (60) SSL certificate p[0m[91mroblem: unable to get local issuer certificate
[0m[91mMore details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) pub[0m[91mlic keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
us[0m[91ming the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bund[0m[91mle, the certificate verification probably failed due to a
problem with the certific[0m[91mate (it might be expired, or the name might
not match the domain name in the URL).[0m[91m
If you'd like to turn off curl's verification of the certificate[0m[91m, use
the -k (or --insecure) option.
有问题的 CA(针对 dl.bintray.com)是 GeoTrust CA G3,我从 docker 构建日志中检查它正在安装:
Processing triggers for ca-certificates (20160104ubuntu0.14.04.1) ...
Updating certificates in /etc/ssl/certs... 173 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
...
Adding debian:GeoTrust_Global_CA.pem
Adding debian:GeoTrust_Global_CA_2.pem
Adding debian:GeoTrust_Primary_Certification_Authority.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G2.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G3.pem
Adding debian:GeoTrust_Universal_CA.pem
Adding debian:GeoTrust_Universal_CA_2.pem
...
我无法解释它是如何停止工作的。我从容器中手动尝试,版本--insecure可以工作,尽管我不想使用它。
关于如何修复此问题,或者获取可靠的更新 CA 权限以传递给 curl 命令,您有什么想法吗curl -c my_most_trusted_and_up_to_date_ca.pem?