Installing of packages fails due to a peer certificate cannot be authenticated #101

Open
HerbertKoelman opened this issue Nov 2, 2023 · 2 comments

Comments

@HerbertKoelman

Hello,

I want to create a docker image based on AlmaLinux 6 with:

  • maven
  • openjdk 11

This is what my Dockerfile looks like:

FROM almalinux:8

RUN dnf clean all && dnf install -y java-11-openjdk-devel

ADD apache-maven-3.9.5-bin.tar.gz /
ENV  PATH="${PATH}:/apache-maven-3.9.5/bin"

COPY settings.xml /apache-maven-3.9.5/conf/

CMD  mvn

When I build this Dockerfile I get this error message: Curl error (60): Peer certificate cannot be authenticated with given CA certificates

$ docker build --no-cache --progress=plain --tag mvn-runner:latest .
#0 building with "default" instance using docker driver

#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 543B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/almalinux/8-base:latest
#3 DONE 0.7s

#4 [internal] load build context
#4 transferring context: 289B done
#4 DONE 0.0s

#5 [1/5] FROM docker.io/almalinux/8-base@sha256:3e4974e643b1010ee539f7c2f4c07d7bc9d7789d6860e78c2d042c16568f5d8d
#5 CACHED

#6 [2/5] RUN update-crypto-policies --set DEFAULT
#6 0.308 Setting system policy to DEFAULT
#6 0.308 Note: System-wide crypto policies are applied on application start-up.
#6 0.308 It is recommended to restart the system for the change of policies
#6 0.308 to fully take place.
#6 DONE 0.4s

#7 [3/5] RUN dnf clean all && dnf install -y java-11-openjdk-devel
#7 0.548 0 files removed
#7 3.373 AlmaLinux 8 - BaseOS                            0.0  B/s |   0  B     00:02
#7 3.374 Errors during downloading metadata for repository 'baseos':
#7 3.374   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos?countme=1 [SSL certificate problem: unable to get local issuer certificate]
#7 3.374   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
#7 3.382 Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
#7 ERROR: process "/bin/sh -c dnf clean all && dnf install -y java-11-openjdk-devel" did not complete successfully: exit code: 1
------
 > [3/5] RUN dnf clean all && dnf install -y java-11-openjdk-devel:
0.548 0 files removed
3.373 AlmaLinux 8 - BaseOS                            0.0  B/s |   0  B     00:02
3.374 Errors during downloading metadata for repository 'baseos':
3.374   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos?countme=1 [SSL certificate problem: unable to get local issuer certificate]
3.374   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
3.382 Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
------
Dockerfile:5
--------------------
   3 |     # install dependencies
   4 |     RUN update-crypto-policies --set DEFAULT
   5 | >>> RUN dnf clean all && dnf install -y java-11-openjdk-devel
   6 |     # install maven and extend PATH to use installed maven
   7 |     ADD apache-maven-3.9.5-bin.tar.gz /
--------------------
ERROR: failed to solve: process "/bin/sh -c dnf clean all && dnf install -y java-11-openjdk-devel" did not complete successfully: exit code: 1

shell returned 1

Press ENTER or type command to continue
[No write since last change]
#0 building with "default" instance using docker driver

#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 543B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/almalinux/8-base:latest
#3 DONE 0.9s

#4 [1/5] FROM docker.io/almalinux/8-base@sha256:3e4974e643b1010ee539f7c2f4c07d7bc9d7789d6860e78c2d042c16568f5d8d
#4 CACHED

#5 [internal] load build context
#5 transferring context: 289B done
#5 DONE 0.0s

#6 [2/5] RUN update-crypto-policies --set DEFAULT
#6 0.324 Setting system policy to DEFAULT
#6 0.324 Note: System-wide crypto policies are applied on application start-up.
#6 0.324 It is recommended to restart the system for the change of policies
#6 0.324 to fully take place.
#6 DONE 0.4s

#7 [3/5] RUN dnf clean all && dnf install -y java-11-openjdk-devel
#7 0.536 0 files removed
#7 3.068 AlmaLinux 8 - BaseOS                            0.0  B/s |   0  B     00:02
#7 3.069 Errors during downloading metadata for repository 'baseos':
#7 3.069   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos?countme=1 [SSL certificate problem: unable to get local issuer certificate]
#7 3.069   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
#7 3.077 Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
#7 ERROR: process "/bin/sh -c dnf clean all && dnf install -y java-11-openjdk-devel" did not complete successfully: exit code: 1
------
 > [3/5] RUN dnf clean all && dnf install -y java-11-openjdk-devel:
0.536 0 files removed
3.068 AlmaLinux 8 - BaseOS                            0.0  B/s |   0  B     00:02
3.069 Errors during downloading metadata for repository 'baseos':
3.069   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos?countme=1 [SSL certificate problem: unable to get local issuer certificate]
3.069   - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
3.077 Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: unable to get local issuer certificate]
------
Dockerfile:5
--------------------
   3 |     # install dependencies
   4 |     RUN update-crypto-policies --set DEFAULT
   5 | >>> RUN dnf clean all && dnf install -y java-11-openjdk-devel
   6 |     # install maven and extend PATH to use installed maven
   7 |     ADD apache-maven-3.9.5-bin.tar.gz /
--------------------
ERROR: failed to solve: process "/bin/sh -c dnf clean all && dnf install -y java-11-openjdk-devel" did not complete successfully: exit code: 1

shell returned 1

I'm running this build on an AlmaLinux 8

Any idea?

@HerbertKoelman
Author

FYI if I replace the failing dnf command with RUN dnf --setopt sslverify=false install -y java-11-openjdk-devel then the command is successful. It's not safe :-(

@LKHN
Member

LKHN commented Nov 24, 2023

Hi 👋

Cannot reproduce the issue. Please, run this command to make sure the TLS certificate chain is intact:

openssl s_client -showcerts -connect mirrors.almalinux.org:443

You can run it inside and outside the network where you are having the issue, then compare the Certificate chain part in the output.

We usually get such reports from users who are behind some firewall which injects some TLS certificates into the chain as a part of the TLS inspection feature.
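
The comparison suggested in the comment above, as an added example that is not part of the original thread: a script that reduces two saved `openssl s_client -showcerts` captures to their subject/issuer lines and reports whether the chains differ. The function names, file names and certificate names are assumptions, and the sample captures are constructed, not real output from any host.

```sh
#!/bin/sh
# Added example: summarise and compare the "Certificate chain" section of two
# saved `openssl s_client -showcerts` captures. File names are assumptions.

# Print "depth subject=... | issuer=..." for each certificate in a capture.
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/ { exit }   # the section ends at the next "---" line
        in_chain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subject = $0; next }
        in_chain && /^ +i:/ { sub(/^ +i:/, ""); printf "%s subject=%s | issuer=%s\n", depth, subject, $0 }
    ' "$1"
}

# Exit status: 0 same chain, 1 chains differ, 2 a capture has no chain at all.
compare_chains() {
    a=$(chain_summary "$1"); b=$(chain_summary "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no certificate chain found in one of the captures"; return 2
    fi
    if [ "$a" = "$b" ]; then echo "chains match"; return 0; fi
    printf 'chains differ\n--- %s\n%s\n--- %s\n%s\n' "$1" "$a" "$2" "$b"
    return 1
}

# Write a constructed capture (not real output) to $1: leaf issued by $2, which is issued by $3.
sample_capture() {
    cat > "$1" <<EOF
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mirror.example.test
   i:$2
-----BEGIN CERTIFICATE-----
(base64 body omitted)
-----END CERTIFICATE-----
 1 s:$2
   i:$3
---
Server certificate
EOF
}

tmp=$(mktemp -d)
sample_capture "$tmp/outside.txt" "O = Example Public CA, CN = Issuing CA 1" "O = Example Public CA, CN = Root"
sample_capture "$tmp/inside.txt" "O = Corp Inspection CA, CN = TLS Proxy" "O = Corp Inspection CA, CN = Corp Root"
compare_chains "$tmp/outside.txt" "$tmp/inside.txt" || echo "compare_chains exit status: $?"
```

If the capture taken inside the network names an inspection CA as issuer, the usual remedy is to add that CA to the image's trust store (on AlmaLinux, a file under /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust) rather than setting sslverify=false.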
