composer.phar download does not work with a local CA signed cert on the internet proxy

[lpsantil]

Came across this at a customer site. Customer setup: cluster is configured to use a cluster-local proxy (cntlm on masters) which then authenticates (via AD service account) & connects to the corporate outgoing internet proxy. The corporate internet proxy presents a corporate CA signed cert (non-public internet CA) to internet destination hosts.

composer.phar appears to respect the HTTP_PROXY/HTTPS_PROXY settings injected via the ENV var (and the openshift_builddefaults_* vars in /etc/ansible/hosts). You can see in the output, the git clone succeeds and displays the cluster local proxy settings. However, you can see that the composer.phar destination end point attempts to verify the corporate CA signed cert and fails to.

Using HTTP proxy http://10.214.188.15:3129 and HTTPS proxy http://10.214.188.15:3129 for script download
Cloning "https://github.com/openshift/cakephp-ex.git" ...
	Commit:	6f2ebfbeaaaae3b1771aaa36d5beec5b2898c82d (Merge pull request #61 from bparees/sc_metadata)
	Author:	Ben Parees <bparees@users.noreply.github.com>
	Date:	Wed Feb 15 16:28:08 2017 -0500

---> Installing application source...
Found 'composer.json', installing dependencies using composer.phar...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
/usr/libexec/s2i/assemble: line 21: ./composer.phar: No such file or directory

error: build error: non-zero (13) exit code from registry.access.redhat.com/rhscl/php-70-rhel7@sha256:0d8633eab23a1c32b8e202af78b05712013b853326c823f65e4d57e5d1c79946

[bparees]

it sounds like you probably need a custom assemble script that will pass the additional cacerts to the curl call here (https://github.com/sclorg/s2i-php-container/blob/master/7.0/s2i/bin/assemble#L13) and you can provide the additional cert files either in your source repository, or via one of the other input mechanisms:

https://docs.openshift.org/latest/dev_guide/builds/build_inputs.html

or you can provide a custom assemble script that just passes -k to curl, but obviously that has security implications.

instructions on providing a custom assemble script:
https://docs.openshift.org/latest/dev_guide/builds/build_strategies.html#override-builder-image-scripts