curl: (60) SSL certificate problem: self-signed certificate in certificate chain #569

Open
swarnajyothi opened this issue Jul 12, 2024 · 3 comments
@swarnajyothi

Describe the bug
When I am trying to run the following docker command:

docker run -it \
  -e PBF_URL=https://download.geofabrik.de/europe/monaco-latest.osm.pbf \
  -e REPLICATION_URL=https://download.geofabrik.de/europe/monaco-updates/ \
  -p 8080:8080 \
  --name nominatim \
  mediagis/nominatim:4.4

I am facing an SSL certificate issue.

To Reproduce
Steps to reproduce the behavior:

  1. docker run -it \
       -e PBF_URL=https://download.geofabrik.de/europe/monaco-latest.osm.pbf \
       -e REPLICATION_URL=https://download.geofabrik.de/europe/monaco-updates/ \
       -p 8080:8080 \
       --name nominatim \
       mediagis/nominatim:4.4

  2. error:
     curl: (60) SSL certificate problem: self-signed certificate in certificate chain
     More details here: https://curl.se/docs/sslcerts.html

     curl failed to verify the legitimacy of the server and therefore could not
     establish a secure connection to it. To learn more about this situation and
     how to fix it, please visit the web page mentioned above.

Screenshots & Logs: [screenshot attached to the original issue]

Desktop / Server (please complete the following information):

  • OS & Version: [e.g. Windows 11]
  • Docker Version: [e.g. 26.1.4]
  • Nominatim Version: [4.4]

Is there any way to bypass this, like curl -k? Please help us with a possible solution.

@KnotzerIO

Are you using Docker Desktop?

@swarnajyothi

Yes, we are using Docker Desktop.

@bogind

bogind commented Feb 5, 2025

Ran into this myself and found a fix for it.
From what I can understand, this occurs when trying to run in an organization/company, because the internal curl needs the organizational certificates so that it can make calls securely in the organizational network.
Building locally with a small addition to the Dockerfile worked for me.

Using this answer, I exported both the download.geofabrik.de.crt as well as my organization's org_custom.crt using Chrome and placed them in the version folder.

I then added the following lines to the Dockerfile (see note at end):

  1. In the first RUN command, I added an installation for ca-certificates then ran update-ca-certificates:
RUN  \
    --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    # Keep downloaded APT packages in the docker build cache
    rm -f /etc/apt/apt.conf.d/docker-clean && \
    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache && \
    # Do not start daemons after installation.
    echo '#!/bin/sh\nexit 101' > /usr/sbin/policy-rc.d \
    && chmod +x /usr/sbin/policy-rc.d \
    # Install all required packages.
    && apt-get -y update -qq \
    && apt-get -y install \
        locales \
    && locale-gen en_US.UTF-8 \
    && update-locale LANG=en_US.UTF-8 \
    && apt-get -y install \
        -o APT::Install-Recommends="false" \
        -o APT::Install-Suggests="false" \
        # Build tools from sources. \
        build-essential \
        osm2pgsql \
        pkg-config \
        libicu-dev \
        python3-dev \
        python3-pip \
        # PostgreSQL.
        postgresql-contrib \
        postgresql-server-dev-16 \
        postgresql-16-postgis-3 \
        postgresql-16-postgis-3-scripts \
        # Misc.
        curl \
        sudo \
        sshpass \
        openssh-client \
        ca-certificates


# Update CA Certs
RUN update-ca-certificates
  2. I added a COPY command for the .crt files and ran another update-ca-certificates after the scripts are copied on line 86:
COPY org_custom.crt /usr/local/share/ca-certificates/org_custom.crt
COPY org_custom.crt /etc/ssl/certs/org_custom.crt


# Update CA Certs
RUN update-ca-certificates

Then build the image as normal (naming it just nominatim) and run it:

docker build -t nominatim .

docker run -it \
  -e PBF_URL=https://download.geofabrik.de/europe/monaco-latest.osm.pbf \
  -e REPLICATION_URL=https://download.geofabrik.de/europe/monaco-updates/ \
  -p 8080:8080 \
  --name nominatim \
  nominatim

Editing the Dockerfile on Windows

If you followed the instructions but only get ': invalid option' when trying to run,
this is due to Windows using the wrong line-ending character for docker, according to this stackoverflow answer.
I fixed this by running the recommended git fixes:

git config core.autocrlf false

git rm --cached -r .         # Don’t forget the dot at the end

git reset --hard

I also made further edits in nano inside WSL to avoid this error again.
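The certificate-staging step from the comment above, as an added example that is not part of the original issue or of the nominatim-docker project: a small POSIX sh helper that copies an organizational CA into the ca-certificates source directory under the .crt name the Debian tooling requires, and refuses files that are not PEM or that carry Windows CRLF line endings (the second problem the comment describes). The function names are constructed for this example, the certificate text used to exercise it is a constructed stand-in rather than a real certificate, and the destination directory is a parameter so the helper runs without root outside the image.

```shell
# Added example, not project code. POSIX sh; no root needed when a scratch
# directory is passed as the destination.

# Return 0 if the file contains at least one PEM certificate block.
is_pem_cert() {
    grep -q -F -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -F -e '-----END CERTIFICATE-----' "$1"
}

# Return 0 if the file has CRLF line endings (the Windows case from the comment).
# update-ca-certificates and openssl choke on the stray CR, so catch it early.
has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c)" -gt 0 ]
}

# Stage a PEM certificate for the system trust store.
#   $1 = certificate file exported from the browser
#   $2 = destination directory (normally /usr/local/share/ca-certificates)
# update-ca-certificates only picks up files whose name ends in .crt, so the
# copy is renamed if needed. Prints the staged path on success.
stage_ca_cert() {
    src="$1"
    dest_dir="$2"
    if ! is_pem_cert "$src"; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi
    if has_crlf "$src"; then
        echo "CRLF line endings in $src; strip them (tr -d '\r') before staging" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    base=$(basename "$src")
    case "$base" in
        *.crt) ;;
        *) base="${base%.*}.crt" ;;
    esac
    cp "$src" "$dest_dir/$base"
    chmod 0644 "$dest_dir/$base"
    echo "$dest_dir/$base"
}

# Rebuild the bundle. Only meaningful inside the Debian image, where the
# tool exists; it also creates the symlink under /etc/ssl/certs itself.
refresh_trust_store() {
    if command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    else
        echo "update-ca-certificates not found; run this inside the image" >&2
        return 1
    fi
}
```

Inside the image, `stage_ca_cert org_custom.crt /usr/local/share/ca-certificates` followed by `refresh_trust_store` covers the manual COPY plus RUN pair from the comment; because update-ca-certificates writes the /etc/ssl/certs entry itself, a second COPY into that directory is redundant. Unlike curl -k, this keeps certificate verification switched on and only adds the one CA the organizational network actually interposes.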
