scan-cli-plugin
ERROR: self signed certificate in certificate chain
Description
Our LARGE company uses self-signed certificates in order to access a lot of external resources. There needs to be a way to bypass certificate checking or a better way of implementing their use.
Steps to reproduce the issue:
- NODE_TLS_REJECT_UNAUTHORIZED='0' docker scan
(NOTE: run behind firewall requiring use of locally signed certs to get out.)
Describe the results you received: self signed certificate in certificate chain
Describe the results you expected: Actual scan results.
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Client: Docker Engine - Community
Version: 20.10.7
API version: 1.41
Go version: go1.13.15
Git commit: f0df350
Built: Wed Jun 2 11:56:40 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.7
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: b0f5bc3
Built: Wed Jun 2 11:54:48 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.8
GitCommit: 7eba5930496d9bbe375fdf71603e610ad737d2b2
runc:
Version: 1.0.0
GitCommit: v1.0.0-0-g84113ee
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Output of docker scan --version:
Version: v0.8.0
Git commit: 35651ca
Provider: Snyk (1.563.0 (standalone))
Output of docker info:
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
scan: Docker Scan (Docker Inc., v0.8.0)
Server:
Containers: 11
Running: 4
Paused: 0
Stopped: 7
Images: 80
Server Version: 20.10.7
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 7eba5930496d9bbe375fdf71603e610ad737d2b2
runc version: v1.0.0-0-g84113ee
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-154-generic
Operating System: Ubuntu 18.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.39GiB
Name: mdias-dev15
ID: B6TX:ACF7:4TZ3:SJZB:5SWY:A4HX:VKZU:IIUC:R2KP:SZL5:X3ZV:XEXG
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: sparker0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.): Running on VMWare virtual machines, Ubuntu 20
I believe we're seeing something similar. I am running this on my Windows 10 laptop, connected to my corporate VPN using Zscaler. The ZScaler replaces/does something with the CA certs which frequently causes issues accessing external resources, especially on Linux and Docker. I get the same result when off the VPN as well.
~> docker scan 9339a7d50702
unable to get local issuer certificate
debug info:
~> docker scan --version
Version: v0.11.0
Git commit: c8da19f
Provider: Snyk (1.563.0 (standalone))
~> docker info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.7.1)
compose: Docker Compose (Docker Inc., v2.2.1)
scan: Docker Scan (Docker Inc., v0.11.0)
Server:
Containers: 37
Running: 32
Paused: 0
Stopped: 5
Images: 13
Server Version: 20.10.11
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 5.10.60.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 12.31GiB
Name: docker-desktop
ID: PVZM:2BMX:Z6RR:YO4R:USQ5:D6VO:62JZ:2O6C:IOT6:54LG:WPBV:DCMW
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 154
Goroutines: 133
System Time: 2021-12-16T19:01:53.0912448Z
EventsListeners: 3
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
Same problem. Also behind ZScaler that replaces the root-cert with a custom company cert
It seems docker scan does not respect the system CA Certificates.
curl https://docs.docker.com/ -I
# No Problem
docker scan myimage
# Boom!
unable to verify the first certificate
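The curl-versus-docker-scan contrast above, and the NODE_TLS_REJECT_UNAUTHORIZED='0' step in the original report, both come down to the same thing: curl reads the OS trust store, while the Snyk provider behind docker scan is a bundled Node.js binary that only trusts Node's built-in roots plus whatever NODE_EXTRA_CA_CERTS points at. The script below is an added example for this thread, not code from the scan-cli-plugin project or from Snyk. It generates a throwaway CA and leaf with openssl (constructed data standing in for a Zscaler-style intercept chain, so it runs offline), shows the leaf failing verification against the default store and passing once the CA is supplied explicitly, flags the global verification-off shortcut, and composes a scan invocation that hands the corporate CA to the scanner instead. Assumptions not taken from the page: openssl is installed, the plugin passes its environment (and therefore NODE_EXTRA_CA_CERTS) through to the Snyk binary, and /etc/ssl/corp-ca.pem is a hypothetical bundle path.

```shell
#!/bin/sh
# Added example for this issue thread; not code from docker/scan-cli-plugin
# or Snyk. Assumptions: the scanner honours NODE_EXTRA_CA_CERTS like any Node
# process, and /etc/ssl/corp-ca.pem is a hypothetical corporate CA bundle.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed chain: a throwaway "corporate intercept" CA and a leaf it
# signs for the scanner's API host. This stands in for what a TLS
# intercepting proxy presents; no network access is needed.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Corp Intercept Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=api.snyk.io" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Verification the way a default Node/OpenSSL client does it: only the
# built-in trust store. Returns non-zero for the intercept chain, which is
# the "unable to get local issuer certificate" failure seen in the thread.
verify_default() {
  openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same leaf verifies once the corporate CA is supplied explicitly; this
# is what NODE_EXTRA_CA_CERTS adds to a Node process's trust store.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print the issuer CN of a certificate so you can tell which CA to export
# from the proxy's chain (for a live host, use openssl s_client -showcerts).
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Compose the scan invocation: trust the corporate CA in addition to Node's
# bundled roots instead of switching verification off. Printed rather than
# executed, because docker and network access are not assumed here.
scan_cmd() {
  ca_bundle="$1"; image="$2"
  printf 'NODE_EXTRA_CA_CERTS=%s docker scan %s\n' "$ca_bundle" "$image"
}

# Flag the insecure shortcut from the original report so it does not linger
# in a shell profile or CI job: returns 1 if verification is globally off.
check_env() {
  if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-1}" = "0" ]; then
    echo "warning: NODE_TLS_REJECT_UNAUTHORIZED=0 disables all TLS verification" >&2
    return 1
  fi
  return 0
}

make_chain
if verify_default; then
  echo "unexpected: intercept chain verified with the default store" >&2
else
  echo "default store rejects leaf issued by: $(issuer_cn "$WORK/leaf.pem")"
fi
verify_with_ca && echo "leaf verifies with the corporate CA bundle"
check_env || true
scan_cmd /etc/ssl/corp-ca.pem myimage
```

The CA you hand to NODE_EXTRA_CA_CERTS should be only the proxy's signing root (the certificate whose subject matches the issuer printed above), not the whole system store; that keeps the trust decision explicit and reviewable, and it works without touching the image's own trust store, which is irrelevant here because the scanner runs on the host, not inside the image being scanned.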
I can confirm this. The necessary custom certificates are imported. Other applications do not have this issue.
I have the exact same issues with Zscaler.
Any workaround available yet?
Same problem. Our images have our corporate CA Root certs inserted to their CA Trust Stores (for RHEL it is copy the certs to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust). Not sure why the error says the certs are self-signed. Is there a workaround or a fix for it?
I have the same issue. After disabling all the VPNs, it works for me.
I have the same issue. Disabling VPN does not help because traffic still goes through corporate proxy.
This is a pretty basic thing... how come it's not fixed?
Still facing this issue with zscaler