This repository has been archived by the owner on Nov 29, 2023. It is now read-only.

ERROR: self signed certificate in certificate chain #168

Open
CloudSpark opened this issue Aug 26, 2021 · 11 comments

Comments


CloudSpark commented Aug 26, 2021

Description
Our LARGE company uses self-signed certificates in order to access a lot of external resources. There needs to be a way to bypass certificate checking or a better way of implementing their use.

Steps to reproduce the issue:

  1. NODE_TLS_REJECT_UNAUTHORIZED='0' docker scan (NOTE: run behind firewall requiring use of locally signed certs to get out.)

Describe the results you received:
self signed certificate in certificate chain

Describe the results you expected:
Actual scan results.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:40 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:48 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.8
  GitCommit:        7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc:
  Version:          1.0.0
  GitCommit:        v1.0.0-0-g84113ee
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker scan --version:

Version:    v0.8.0
Git commit: 35651ca
Provider:   Snyk (1.563.0 (standalone))

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 11
  Running: 4
  Paused: 0
  Stopped: 7
 Images: 80
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc version: v1.0.0-0-g84113ee
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-154-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.39GiB
 Name: mdias-dev15
 ID: B6TX:ACF7:4TZ3:SJZB:5SWY:A4HX:VKZU:IIUC:R2KP:SZL5:X3ZV:XEXG
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: sparker0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
Running on VMWare virtual machines, Ubuntu 20

@mcascone

I believe we're seeing something similar. I am running this on my Windows 10 laptop, connected to my corporate VPN using Zscaler. The ZScaler replaces/does something with the CA certs which frequently causes issues accessing external resources, especially on Linux and Docker.
I get the same result when off the VPN as well.

~> docker scan 9339a7d50702
unable to get local issuer certificate

debug info:

~>  docker scan --version
Version:    v0.11.0
Git commit: c8da19f
Provider:   Snyk (1.563.0 (standalone))
~> docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.7.1)
  compose: Docker Compose (Docker Inc., v2.2.1)
  scan: Docker Scan (Docker Inc., v0.11.0)

Server:
 Containers: 37
  Running: 32
  Paused: 0
  Stopped: 5
 Images: 13
 Server Version: 20.10.11
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.60.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 12.31GiB
 Name: docker-desktop
 ID: PVZM:2BMX:Z6RR:YO4R:USQ5:D6VO:62JZ:2O6C:IOT6:54LG:WPBV:DCMW
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 154
  Goroutines: 133
  System Time: 2021-12-16T19:01:53.0912448Z
  EventsListeners: 3
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support


jajansen commented Mar 2, 2022

Same problem. Also behind ZScaler that replaces the root-cert with a custom company cert


cawoodm commented Mar 18, 2022

It seems docker scan does not respect the system CA Certificates.

curl https://docs.docker.com/ -I
# No Problem

docker scan myimage
# Boom!
unable to verify the first certificate
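cawoodm's curl-versus-docker-scan comparison comes down to which trust store each program consults: curl reads the system store the corporate root was imported into, while a tool that ships its own CA bundle never sees that root and reports the chain as untrusted. The Go program below is an added illustration, not code from this thread or from docker scan; it constructs a throwaway corporate root and a leaf signed by it (the CA name and the host scanner.example are made up), and shows that verification fails against an empty bundle, succeeds once the root is added to the trusted set, and still enforces the host name, which is exactly the check that NODE_TLS_REJECT_UNAUTHORIZED='0' from the opening report throws away.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; used only while generating test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns}
}

// issue signs tmpl (carrying key's public half) with signer; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// NewInterceptedChain builds a constructed corporate root and a leaf for host signed by it.
func NewInterceptedChain(host string) (*x509.Certificate, *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template("Corp Root CA", 1, true, nil) // constructed CA name
	root := issue(rootTmpl, rootTmpl, rootKey, rootKey)
	return root, issue(template(host, 2, false, []string{host}), root, leafKey, rootKey)
}

// VerifyLeaf checks leaf for host, trusting exactly the given roots. Passing none
// models a tool that ships its own CA bundle and never consults the system store.
func VerifyLeaf(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}
```

The block has no main; call VerifyLeaf from a test or a small main with and without root to see the "unknown authority" failure turn into success while a wrong host name still fails.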

@turbolocust

> Same problem. Also behind ZScaler that replaces the root-cert with a custom company cert

I can confirm this. The necessary custom certificates are imported. Other applications do not have this issue.


jeeftor commented Mar 22, 2022

I have the exact same issues with Zscaler

@koenderoo

Any workaround available yet?


machetto commented Jun 3, 2022

Same problem. Our images have our corporate CA Root certs inserted to their CA Trust Stores (for RHEL it is copy the certs to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust). Not sure why the error says the certs are self-signed. Is there a workaround or a fix for it?

@samratbasrajci

I have the same issue. After disabling all the VPNs, it works for me.

@josh-keller

I have the same issue. Disabling VPN does not help because traffic still goes through corporate proxy.


jeeftor commented Jan 25, 2023

This is a pretty basic thing... how come it's not fixed?

@RayceRossum

Still facing this issue with zscaler
