mwoffliner icon indicating copy to clipboard operation
mwoffliner copied to clipboard

Published 20 hours ago verified publisher icon openzim

Need to disable certificate checking within Docker container

Open nish2482 opened this issue 1 year ago • 3 comments

I am using the docker command to run mwoffliner on my local medaiwiki server and i get the UNABLE_TO_GET_ISSUER_CERT_LOCALLY .

This is the comamnd

$ sudo docker run --volume=$(pwd)/out:/out -ti ghcr. io/openzim/mwoffliner mwoffliner --mwUrl=http:// [email protected] --mwWikiPath=/vascular_wiki/ --mwApiPath=vascular_wiki/api.php

[error] [2024-03-02T12:49:43.043Z] FATAL - Failed to get MediaWiki Metadata [error] [2024-03-02T12:49:43.046Z] Failed to run mwoffliner after [40s]: { "message": "unable to get local issuer certificate", "name": "Error", "stack": "Error: unable to get local issuer certificate\n at AxiosError.from (file:///tmp/mwoffliner/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (file:///tmp/mwoffliner/node_modules/axios/lib/adapters/http.js:577:25)\n at RedirectableRequest.emit (node:events:539:35)\n at RedirectableRequest.emit (node:domain:475:12)\n at eventHandlers. (/tmp/mwoffliner/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:527:28)\n at ClientRequest.emit (node:domain:475:12)\n at TLSSocket.socketErrorListener (node:_http_client:462:9)\n at TLSSocket.emit (node:events:527:28)\n at TLSSocket.emit (node:domain:475:12)",

    },
    "code": "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    "status": null

} [error] [2024-03-02T12:49:43.049Z]

unable to get local issuer certificate

nish2482 avatar Mar 02 '24 12:03 nish2482

So basically this ticket is about introducing an --insecure option. LGTM.

@nish2482 What is the online Mediawiki instance you test against?

kelson42 avatar Mar 05 '24 14:03 kelson42

Hello @kelson42, the -e NODE_TLS_REJECT_UNAUTHORIZED=0 tag can also be used to disable certificate checking right? So do I just add this tag to the docker run commands in the README to fix this issue?

jairajmahadev avatar Mar 06 '24 18:03 jairajmahadev

I prefer a fix independant from the container.

kelson42 avatar Mar 06 '24 19:03 kelson42

So basically this ticket is about introducing an --insecure option. LGTM.

@nish2482 What is the online Mediawiki instance you test against?

It is a local media wiki installation

nish2482 avatar Mar 08 '24 22:03 nish2482

I prefer a fix independant from the container.

@kelson42 Okay so this is what I was thinking of after reading the code. Let me know if i'm going in the right direction.

  • First I have to handle the --insecure argument in the src/cli.ts and src/sanitize-argument.ts files.
  • And if the insecure argument is provided, set the NODE_TLS_REJECT_UNAUTHORIZED environment variable to "0" , which will disable TLS/SSL certificate verification globally in Node.js.
  • OR an option can be added where Axios is making https requests to disable certificate verification. This would involve modifying the axios request configuration to set httpsAgent with rejectUnauthorized set to false when the insecure argument is provided.

jairajmahadev avatar Mar 10 '24 12:03 jairajmahadev

i dont see this option available when i run docker run --volume=$(pwd)/out:/out -ti ghcr.io/openzim/mwoffliner mwoffliner --help

nish2482 avatar Jul 17 '24 14:07 nish2482

@nish2482 Probably because you don't use the "dev" version

kelson42 avatar Jul 17 '24 14:07 kelson42

@nish2482 Probably because you don't use the "dev" version

sorry didnt understand

nish2482 avatar Jul 17 '24 14:07 nish2482