debian wheezy: kernel 3.13 : x509 error #5157

Closed
zenny opened this Issue Apr 10, 2014 · 11 comments

@zenny
zenny commented Apr 10, 2014

Getting "x509: failed to load system roots and no roots provided":

"# docker run -i -t -v /var/run/docker.sock:/docker.sock shipyard/deploy setup
Unable to find image 'shipyard/deploy' locally
Pulling repository shipyard/deploy
2014/04/10 21:14:37 Get https://index.docker.io/v1/repositories/shipyard/deploy/images: x509: failed to load system roots and no roots provided"

Docker version is:

docker version

Client version: 0.10.0
Client API version: 1.10
Go version (client): go1.2.1
Git commit (client): dc9c28f
Server version: 0.10.0
Server API version: 1.10
Git commit (server): dc9c28f
Go version (server): go1.2.1

Platform:
Debian wheezy with 3.13 backported kernel

uname -a

Linux docker.dev 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.7-1~bpo70+1 (2014-03-29) x86_64 GNU/Linux

dpkg -l | grep ca-certificates

ii ca-certificates 20130119 all Common CA certificates

Similar issues I found are at:
#3825
#3946

@crosbymichael
Member

@tianon should ca-certificates be a required dep?

@creack
Contributor
creack commented Apr 14, 2014

I think so, or we should add a check everywhere we use ssl if the ca are installed.

@tianon
Member
tianon commented Apr 14, 2014

If you look closer, you'll see that he has ca-certificates installed already.

@zenny did you check that your computer's date and time are set correctly? Something like ntpdate comes in especially handy here.

@unclejack unclejack self-assigned this May 12, 2014
@unclejack
Contributor

I couldn't reproduce this on wheezy with kernel 3.13 and the certificates were installed.
This can only be reproduced if you have corrupt certs or missing certs.

Setting the wrong date yields an error which looks like x509: certificate has expired or is not yet valid, so this isn't related to setting a wrong timezone or date.

@unclejack unclejack closed this May 15, 2014
@unclejack unclejack was unassigned by zenny Jul 24, 2014
@mattxia
mattxia commented Nov 27, 2014

Anyone solve this issue on SUSE Enterprise 11SP03? Thanks.

@JeanMertz JeanMertz referenced this issue in gliderlabs/docker-consul Dec 15, 2014
Closed

Failed to check for updates #38

@hqhq
Contributor
hqhq commented Jan 7, 2015

@mattxia I have the same problem on SLES 11 SP3, do you have a workaround so far?

@geokala
geokala commented Jan 9, 2015

For SLES11 the following seems to work (at least it gives me a new error that hg isn't present):
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt
sed -i -r '/^#.+/d' /etc/ssl/certs/ca-certificates.crt

@glaudiston

I am having this same problem on my LFS. The geokala tip has no effect here. My date/timezone are correct. And I use my ca-certificates fine in other contexts.
Is there a way to test where Go is searching for the certificates?

@trisk
trisk commented Apr 23, 2015

Buildroot-based systems exhibit this issue (#3825) on docker pull. The reason appears to be that none of the paths for CA certificate files in src/crypto/x509/root_unix.go are provided by Buildroot's Debian-based ca-certificates package.

The ca-certificates package is also missing an install rule for /usr/sbin/update-ca-certificates which could be used to generate /etc/ssl/certs/ca-certificates.crt.

@alexcesaro alexcesaro referenced this issue in go-gomail/gomail Apr 10, 2016
Closed

Cannot send email from docker container #57

@rijnhard

Just in case Google takes someone else here:

I randomly got this on a Linux Mint 17.3 (Ubuntu 14.04) machine.

Reinstalling ca-certificates on its own didn't work because the Java keystore crashes when it tries to update halfway through the update.

This did work:

sudo apt-get install --reinstall ca-certificates ca-certificates-java
sudo service docker restart

And boom, tried to docker login, and it works.

@gngeorgiev

Hey guys, if you still experience this I recommend using this docker image as a base if that fits your case: https://hub.docker.com/r/centurylink/ca-certs/
