I am running a simple node:16-alpine through Docker Desktop on a Mac. I added ca-certificates, curl and openssl to it:
RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/v3.15/main ca-certificates curl openssl
No matter what I do, I cannot make HTTPS calls from the container, whether inside the running container or during the build. A simple curl https://google.com call returns: unable to get local issuer certificate
Here is the log from the openssl call openssl s_client -connect www.google.com:443:
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:CN = www.google.com
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = [email protected]
---
Server certificate
subject=CN = www.google.com
issuer=C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4123 bytes and written 745 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
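
Added example, not part of the original post: a small Python parser for the "Certificate chain" section of the openssl s_client output above. It reports the issuer that the presented chain ends on but that the client's trust store could not supply (verify error 20). Function names are hypothetical, and the sample is abridged from the post's output.

```python
import re
# Abridged from the s_client output in the post (verify lines and chain section only).
SAMPLE = '''\
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
 1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalertwo.net) (t) "
   i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
 2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalertwo.net), emailAddress = [email protected]
   i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = [email protected]
---
'''

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    chain, in_chain, depth, subject = [], False, None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break  # end of the chain section
        elif in_chain:
            m = re.match(r"(\d+) s:(.*)", line)
            if m:
                depth, subject = int(m.group(1)), m.group(2)
            elif line.startswith("i:") and subject is not None:
                chain.append((depth, subject, line[2:]))
                subject = None  # other lines (e.g. OpenSSL 3 'a:'/'v:') are ignored
    return chain

def common_name(dn):
    """Extract the CN value from a distinguished name, quoted or not."""
    m = re.search(r'CN = (?:"([^"]*)"|([^,]+))', dn)
    return (m.group(1) or m.group(2)).strip() if m else None

def missing_anchor(text):
    """Issuer DN the chain ends on when verify error 20 was reported, else None."""
    chain = parse_chain(text)
    failed = re.search(r"verify error:num=(\d+):", text)
    if not chain or not failed or failed.group(1) != "20":
        return None
    top_issuer = chain[-1][2]
    # If the top issuer is also a subject in the chain, the server sent it.
    return None if top_issuer in {s for _, s, _ in chain} else top_issuer

if __name__ == "__main__":
    print("Issuer not found in local trust store:", common_name(missing_anchor(SAMPLE)))
```

Run against the post's output, the reported issuer is the Zscaler Root CA rather than a public CA, which shows the connection is being re-signed by a TLS-inspecting proxy whose root is absent from the container's CA bundle.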