Error with SSL Certificates using Docker

Thiago-Simoes · August 1, 2023, 4:21pm

I’m using Docker to create a Julia container, but I can’t install the packages inside docker. I have a RUN line on Dockerfile for instantiate project, but it’s generating errors with SSL certificates.

# pull latest julia image
FROM --platform=linux/amd64 julia:latest

# create dedicated user
RUN useradd --create-home --shell /bin/bash genie

# set up the app
RUN mkdir /home/genie/app
COPY ./MyGenieApp /home/genie/app
WORKDIR /home/genie/app

# configure permissions
RUN chown -R genie:genie /home/

RUN chmod +x bin/repl
RUN chmod +x bin/server
RUN chmod +x bin/runtask

# switch user
USER genie

# instantiate Julia packages
RUN julia -e "using Pkg; Pkg.activate(\".\"); Pkg.instantiate(); Pkg.precompile(); "

Generates:

=> ERROR [10/10] RUN julia -e "using Pkg; Pkg.activate("."); Pkg.instantiate(); Pkg.precompile(); "                                                                            9.2s 
------
 > [10/10] RUN julia -e "using Pkg; Pkg.activate("."); Pkg.instantiate(); Pkg.precompile(); ":
#0 0.741   Activating project at `~/app`
#0 0.938   Installing known registries into `~/.julia`
#0 4.320 ┌ Warning: could not download https://pkg.julialang.org/registries
#0 4.320 │   exception = RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
#0 4.320 └ @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:69
#0 7.588 ┌ Warning: could not download https://pkg.julialang.org/registries
#0 7.588 │   exception = RequestError: Cert verify failed: BADCERT_NOT_TRUSTED while requesting https://pkg.julialang.org/registries
#0 7.588 └ @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:69
#0 7.691      Cloning registry from "https://github.com/JuliaRegistries/General.git"
#0 7.787 TLS host verification: the identity of the server `github.com` could not be verified. Someone could be trying to man-in-the-middle your connection. It is also possible that the correct server is using an invalid certificate or that your system's certificate authority root store is misconfigured.
#0 8.090 ERROR: failed to clone from https://github.com/JuliaRegistries/General.git, error: GitError(Code:ERROR, Class:HTTP, user rejected certificate for github.com)
#0 9.014 Stacktrace:
#0 9.014   [1] pkgerror(msg::String)
#0 9.030     @ Pkg.Types /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Types.jl:69
#0 9.030   [2] clone(io::Base.PipeEndpoint, url::String, source_path::String; header::String, credentials::Nothing, kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.043     @ Pkg.GitTools /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/GitTools.jl:127
#0 9.044   [3] (::Base.var"#90#92"{Base.var"#90#91#93"{Vector{Float64}, Pkg.Registry.var"#51#55", typeof(Pkg.GitTools.clone)}})(::Base.PipeEndpoint, ::Vararg{Any}; kwargs::Base.Pairs{Symbol, String, Tuple{Symbol}, NamedTuple{(:header,), Tuple{String}}})
#0 9.121     @ Base ./error.jl:296
#0 9.121   [4] #90
#0 9.121     @ ./error.jl:291 [inlined]
#0 9.121   [5] (::Pkg.Registry.var"#50#54"{Pkg.Registry.RegistrySpec, Nothing, Base.PipeEndpoint, String})(tmp::String)
#0 9.122     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:238
#0 9.122   [6] mktempdir(fn::Pkg.Registry.var"#50#54"{Pkg.Registry.RegistrySpec, Nothing, Base.PipeEndpoint, String}, parent::String; prefix::String)
#0 9.124     @ Base.Filesystem ./file.jl:760
#0 9.125   [7] mktempdir(fn::Function, parent::String)
#0 9.125     @ Base.Filesystem ./file.jl:756
#0 9.126   [8] mktempdir
#0 9.126     @ ./file.jl:756 [inlined]
#0 9.127   [9] (::Pkg.Registry.var"#48#52"{Base.PipeEndpoint, Vector{Pkg.Registry.RegistrySpec}, String})()
#0 9.128     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:202
#0 9.128  [10] mkpidlock(f::Pkg.Registry.var"#48#52"{Base.PipeEndpoint, Vector{Pkg.Registry.RegistrySpec}, String}, at::String, pid::Int32; kwopts::Base.Pairs{Symbol, Int64, Tuple{Symbol}, NamedTuple{(:stale_age,), Tuple{Int64}}})
#0 9.131     @ FileWatching.Pidfile /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:82
#0 9.131  [11] mkpidlock
#0 9.131     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:79 [inlined]
#0 9.132  [12] #mkpidlock#6
#0 9.132     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:77 [inlined]
#0 9.132  [13] mkpidlock
#0 9.132     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:77 [inlined]
#0 9.132  [14] download_registries(io::Base.PipeEndpoint, regs::Vector{Pkg.Registry.RegistrySpec}, depot::String)
#0 9.133     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:168
#0 9.133  [15] download_default_registries(io::Base.PipeEndpoint; only_if_empty::Bool, depot::String)
#0 9.133     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:111
#0 9.133  [16] download_default_registries(io::Base.PipeEndpoint)
#0 9.134     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:98
#0 9.134  [17] instantiate(ctx::Pkg.Types.Context; manifest::Nothing, update_registry::Bool, verbose::Bool, platform::Base.BinaryPlatforms.Platform, allow_build::Bool, allow_autoprecomp::Bool, kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.135     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1657
#0 9.135  [18] instantiate
#0 9.135     @ /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1653 [inlined]
#0 9.135  [19] instantiate(; kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.136     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1652
#0 9.137  [20] instantiate()
#0 9.137     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1652
#0 9.137  [21] top-level scope
#0 9.137     @ none:1
#0 9.141
#0 9.141 caused by: GitError(Code:ERROR, Class:HTTP, user rejected certificate for github.com)
#0 9.162 Stacktrace:
#0 9.162   [1] macro expansion
#0 9.162     @ /usr/local/julia/share/julia/stdlib/v1.9/LibGit2/src/error.jl:111 [inlined]
#0 9.162   [2] clone(repo_url::SubString{String}, repo_path::String, clone_opts::LibGit2.CloneOptions)
#0 9.162     @ LibGit2 /usr/local/julia/share/julia/stdlib/v1.9/LibGit2/src/repository.jl:459
#0 9.163   [3] clone(repo_url::SubString{String}, repo_path::String; branch::String, isbare::Bool, remote_cb::Ptr{Nothing}, credentials::LibGit2.CachedCredentials, callbacks::Dict{Symbol, Tuple{Ptr{Nothing}, Any}})
#0 9.167     @ LibGit2 /usr/local/julia/share/julia/stdlib/v1.9/LibGit2/src/LibGit2.jl:583
#0 9.168   [4] clone
#0 9.168     @ /usr/local/julia/share/julia/stdlib/v1.9/LibGit2/src/LibGit2.jl:556 [inlined]
#0 9.169   [5] clone(io::Base.PipeEndpoint, url::String, source_path::String; header::String, credentials::Nothing, kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.171     @ Pkg.GitTools /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/GitTools.jl:116
#0 9.171   [6] (::Base.var"#90#92"{Base.var"#90#91#93"{Vector{Float64}, Pkg.Registry.var"#51#55", typeof(Pkg.GitTools.clone)}})(::Base.PipeEndpoint, ::Vararg{Any}; kwargs::Base.Pairs{Symbol, String, Tuple{Symbol}, NamedTuple{(:header,), Tuple{String}}})
#0 9.176     @ Base ./error.jl:296
#0 9.176   [7] #90
#0 9.176     @ ./error.jl:291 [inlined]
#0 9.176   [8] (::Pkg.Registry.var"#50#54"{Pkg.Registry.RegistrySpec, Nothing, Base.PipeEndpoint, String})(tmp::String)
#0 9.177     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:238
#0 9.177   [9] mktempdir(fn::Pkg.Registry.var"#50#54"{Pkg.Registry.RegistrySpec, Nothing, Base.PipeEndpoint, String}, parent::String; prefix::String)
#0 9.177     @ Base.Filesystem ./file.jl:760
#0 9.177  [10] mktempdir(fn::Function, parent::String)
#0 9.178     @ Base.Filesystem ./file.jl:756
#0 9.178  [11] mktempdir
#0 9.178     @ ./file.jl:756 [inlined]
#0 9.178  [12] (::Pkg.Registry.var"#48#52"{Base.PipeEndpoint, Vector{Pkg.Registry.RegistrySpec}, String})()
#0 9.179     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:202
#0 9.180  [13] mkpidlock(f::Pkg.Registry.var"#48#52"{Base.PipeEndpoint, Vector{Pkg.Registry.RegistrySpec}, String}, at::String, pid::Int32; kwopts::Base.Pairs{Symbol, Int64, Tuple{Symbol}, NamedTuple{(:stale_age,), Tuple{Int64}}})
#0 9.184     @ FileWatching.Pidfile /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:82
#0 9.184  [14] mkpidlock
#0 9.184     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:79 [inlined]
#0 9.185  [15] #mkpidlock#6
#0 9.185     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:77 [inlined]
#0 9.185  [16] mkpidlock
#0 9.185     @ /usr/local/julia/share/julia/stdlib/v1.9/FileWatching/src/pidfile.jl:77 [inlined]
#0 9.186  [17] download_registries(io::Base.PipeEndpoint, regs::Vector{Pkg.Registry.RegistrySpec}, depot::String)
#0 9.187     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:168
#0 9.188  [18] download_default_registries(io::Base.PipeEndpoint; only_if_empty::Bool, depot::String)
#0 9.189     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:111
#0 9.190  [19] download_default_registries(io::Base.PipeEndpoint)
#0 9.190     @ Pkg.Registry /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/Registry/Registry.jl:98
#0 9.190  [20] instantiate(ctx::Pkg.Types.Context; manifest::Nothing, update_registry::Bool, verbose::Bool, platform::Base.BinaryPlatforms.Platform, allow_build::Bool, allow_autoprecomp::Bool, kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.192     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1657
#0 9.192  [21] instantiate
#0 9.192     @ /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1653 [inlined]
#0 9.192  [22] instantiate(; kwargs::Base.Pairs{Symbol, Union{}, Tuple{}, NamedTuple{(), Tuple{}}})
#0 9.193     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1652
#0 9.193  [23] instantiate()
#0 9.193     @ Pkg.API /usr/local/julia/share/julia/stdlib/v1.9/Pkg/src/API.jl:1652
#0 9.193  [24] top-level scope
#0 9.193     @ none:1
------
Dockerfile:23
--------------------
  21 |
  22 |     # instantiate Julia packages
  23 | >>> RUN julia -e "using Pkg; Pkg.activate(\".\"); Pkg.instantiate(); Pkg.precompile(); "
  24 |
  25 |     # ports

Any ideas? I have no clue.

ImreSamu · August 30, 2023, 3:05am

I hope your issue is already resolved, but if not:

1.) Are you sure you’re using the latest version of julia:latest? (For example, sometimes I forget to update my local Docker image.

For me right now:

$ docker pull julia:latest
latest: Pulling from library/julia
Digest: sha256:941ff06c4241434d394097538fd29d7e59007962a853f01fdcf7669a35eeefd0
Status: Image is up to date for julia:latest
docker.io/library/julia:latest

$ docker inspect julia:latest | grep Created
 "Created": "2023-08-26T04:05:16.846743078Z",

2.)
Also, sometimes the Julia image is not updated very often and the included ca-certificates becomes outdated.
In that case, I specifically update that package
or run an ~“apt upgrade” or update-ca-certificates in the Dockerfile.

checking:

$ docker run -it --rm julia update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

see examples for update-ca-certificates in the Julia Dockerfile.
https://github.com/search?q=Language%3Adockerfile+update-ca-certificates+"FROM+julia"&type=code

3.)
Sometimes it’s missing some package…
and adding all build requirements - sometimes helps

FROM julia:latest

RUN apt-get update && apt-get install -y build-essential libatomic1 python gfortran perl wget m4 cmake pkg-config git

Thiago-Simoes · September 19, 2023, 12:06am

Thanks! I already solved it using Podman, oddly enough it works well. But if I face this issue again, this might be helpful.