wget can verify certificate only if openssl-dev is installed and uninstalled
Summary
After installing wget and ca-certificates I fail to download files over https. If I install openssl-dev and uninstall it, the wget command works.
Details
I am using the official Docker image for the 3.3 version from https://hub.docker.com/_/alpine/
Here you can see how installing wget and ca-certificates fails to retrieve a file over https:
> docker run -ti alpine:3.3 ash
/ # apk add wget ca-certificates --update-cache
fetch http://dl-4.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-4.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
(1/3) Installing openssl (1.0.2g-r0)
(2/3) Installing ca-certificates (20160104-r2)
(3/3) Installing wget (1.17.1-r0)
Executing busybox-1.24.1-r7.trigger
Executing ca-certificates-20160104-r2.trigger
OK: 6 MiB in 14 packages
/ # wget https://bootstrap.pypa.io/get-pip.py
--2016-03-22 15:19:11-- https://bootstrap.pypa.io/get-pip.py
[Proxy connection]
ERROR: cannot verify bootstrap.pypa.io's certificate, issued by 'CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE':
Unable to locally verify the issuer's authority.
To connect to bootstrap.pypa.io insecurely, use `--no-check-certificate'.
On the other hand, if I install openssl-dev as well, but remove it, the wget command works:
> docker run -ti alpine:3.3 ash
/ # apk add wget ca-certificates openssl-dev --update-cache
fetch http://dl-4.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-4.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
(1/9) Upgrading libcrypto1.0 (1.0.2f-r0 -> 1.0.2g-r0)
(2/9) Upgrading libssl1.0 (1.0.2f-r0 -> 1.0.2g-r0)
(3/9) Installing openssl (1.0.2g-r0)
(4/9) Installing ca-certificates (20160104-r2)
(5/9) Installing pkgconf (0.9.12-r0)
(6/9) Installing pkgconfig (0.25-r1)
(7/9) Installing zlib-dev (1.2.8-r2)
(8/9) Installing openssl-dev (1.0.2g-r0)
(9/9) Installing wget (1.17.1-r0)
Executing busybox-1.24.1-r7.trigger
Executing ca-certificates-20160104-r2.trigger
OK: 13 MiB in 18 packages
/ # apk del openssl-dev
(1/4) Purging openssl-dev (1.0.2g-r0)
(2/4) Purging zlib-dev (1.2.8-r2)
(3/4) Purging pkgconfig (0.25-r1)
(4/4) Purging pkgconf (0.9.12-r0)
Executing busybox-1.24.1-r7.trigger
OK: 6 MiB in 14 packages
/ # wget https://bootstrap.pypa.io/get-pip.py
--2016-03-22 15:37:32-- https://bootstrap.pypa.io/get-pip.py
[Proxy connection]
Proxy request sent, awaiting response... 200 OK
Length: 1522812 (1.5M) [text/x-python]
Saving to: 'get-pip.py'
get-pip.py 100%[=====================================================================================>] 1.45M 1.20MB/s in 1.2s
2016-03-22 15:37:34 (1.20 MB/s) - 'get-pip.py' saved [1522812/1522812]
Notice how the openssl-dev package is removed before the wget command is executed.
Also notice that installing openssl-dev triggers upgrading two packages, so I tried to manually trigger the upgrade, but wget still fails:
> docker run -ti alpine:3.3 ash
/ # apk add wget ca-certificates --update-cache
fetch http://dl-4.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-4.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
(1/3) Installing openssl (1.0.2g-r0)
(2/3) Installing ca-certificates (20160104-r2)
(3/3) Installing wget (1.17.1-r0)
Executing busybox-1.24.1-r7.trigger
Executing ca-certificates-20160104-r2.trigger
OK: 6 MiB in 14 packages
/ # apk upgrade libssl1.0
(1/4) Upgrading musl (1.1.12-r2 -> 1.1.12-r4)
(2/4) Upgrading libcrypto1.0 (1.0.2f-r0 -> 1.0.2g-r0)
(3/4) Upgrading libssl1.0 (1.0.2f-r0 -> 1.0.2g-r0)
(4/4) Upgrading musl-utils (1.1.12-r2 -> 1.1.12-r4)
Executing busybox-1.24.1-r7.trigger
OK: 6 MiB in 14 packages
/ # wget https://bootstrap.pypa.io/get-pip.py
--2016-04-05 20:55:32-- https://bootstrap.pypa.io/get-pip.py
Resolving web-proxy-pa.labs.hpicorp.net... 15.78.57.10
Connecting to web-proxy-pa.labs.hpicorp.net|15.78.57.10|:8088... connected.
ERROR: cannot verify bootstrap.pypa.io's certificate, issued by 'CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE':
Unable to locally verify the issuer's authority.
To connect to bootstrap.pypa.io insecurely, use `--no-check-certificate'.
I tried this at different times, so it should not be a temporary issue.
(from redmine: issue id 5376, created on 2016-04-05)