Não baixe o arquivo com curl se o arquivo já existir localmente

Question

mark

Asked: 2023-05-05 21:37:47 +0800 CST2023-05-05 21:37:47 +0800 CST 2023-05-05 21:37:47 +0800 CST

Por que o curl executado a partir de um contêiner reclama do certificado do emissor local quando todos os certificados estão supostamente presentes?

772

Aqui está minha linha de comando docker:

mark@L-R910LPKW:~$ docker run -v /etc/ssl:/etc/ssl -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates -v /usr/share/ca-certificates:/usr/share/ca-certificates curlimages/curl -ksvo /dev/null https://registry.yarnpkg.com/csstype/-/csstype-3.0.8.tgz
*   Trying 104.16.19.35:443...
* Connected to registry.yarnpkg.com (104.16.19.35) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3297 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=registry.yarnpkg.com
*  start date: Apr 29 02:29:46 2023 GMT
*  expire date: May 13 02:29:46 2023 GMT
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
} [5 bytes data]
> GET /csstype/-/csstype-3.0.8.tgz HTTP/1.1
> Host: registry.yarnpkg.com
> User-Agent: curl/8.0.1-DEV
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Fri, 05 May 2023 02:17:14 GMT
< Content-Type: application/octet-stream
< Content-Length: 175305
< Connection: keep-alive
< CF-Ray: 7c257c694f4253f5-YYZ
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Age: 1689328
< Cache-Control: public, immutable, max-age=31557600
< ETag: "a06dac7944c631c06fa7509c9095ca08"
< Last-Modified: Mon, 19 Apr 2021 07:35:13 GMT
< Vary: Accept-Encoding
< CF-Cache-Status: HIT
< Server: cloudflare
<
{ [14612 bytes data]
* Connection #0 to host registry.yarnpkg.com left intact
mark@L-R910LPKW:~$

Esta é uma rede corporativa e, portanto, temos o Zscaler atuando como o MITM.

Não entendo por que o curl é "incapaz de obter o certificado do emissor local". Posso executar a mesma linha de comando na máquina host sem problemas:

mark@L-R910LPKW:~$ curl -svo /dev/null https://registry.yarnpkg.com/csstype/-/csstype-3.0.8.tgz
*   Trying 104.16.19.35:443...
* Connected to registry.yarnpkg.com (104.16.19.35) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [88 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [155 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3297 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=registry.yarnpkg.com
*  start date: Apr 29 02:29:46 2023 GMT
*  expire date: May 13 02:29:46 2023 GMT
*  subjectAltName: host "registry.yarnpkg.com" matched cert's "registry.yarnpkg.com"
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalertwo.net) (t)
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /csstype/-/csstype-3.0.8.tgz HTTP/1.1
> Host: registry.yarnpkg.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 05 May 2023 02:25:46 GMT
< Content-Type: application/octet-stream
< Content-Length: 175305
< Connection: keep-alive
< CF-Ray: 7c2588e75bada216-YYZ
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: *
< Age: 1689840
< Cache-Control: public, immutable, max-age=31557600
< ETag: "a06dac7944c631c06fa7509c9095ca08"
< Last-Modified: Mon, 19 Apr 2021 07:35:13 GMT
< Vary: Accept-Encoding
< CF-Cache-Status: HIT
< Server: cloudflare
<
{ [14612 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Connection #0 to host registry.yarnpkg.com left intact
mark@L-R910LPKW:~$

Por que acho que enrolar no recipiente deve funcionar bem? Porque eu monto todos os mesmos diretórios de certificado do host no contêiner:

/etc/ssl
/usr/local/share/ca-certificates
/usr/share/ca-certificates

Portanto, presumivelmente, o contêiner "vê" os mesmos certificados que o host. Então, por que não funciona?

EDITAR 1

Esta é uma rede corporativa com certificados Zscaler sendo injetados. Se você não estiver em um ambiente semelhante, não poderá reproduzi-lo de forma limpa. Minha pergunta é conceitual - pareço replicar meu ambiente de host no contêiner por meio de várias montagens e, no entanto, o contêiner falha enquanto o host passa.

EDITAR 2

Para experimentar, mudei para o seguinte Dockerfile:

FROM nginxinc/nginx-unprivileged:1.23.3-alpine-slim
USER 0
ARG chip_user_pwd
RUN apk update && \
    apk add --no-cache sudo curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd openssh git strace && \
    adduser -u 1000 -D chip && \
    echo "chip:$chip_user_pwd" | chpasswd && \
    echo "chip ALL=(ALL) ALL" > /etc/sudoers.d/chip && \
    chgrp -R chip /etc/nginx/conf.d && \
    chmod 0440 /etc/sudoers.d/chip
COPY default.conf.template /etc/nginx/templates/default.conf.template
USER 101

(Eu o uso para solucionar problemas)

A linha de comando para executar o contêiner foi:

docker run --cap-add=SYS_PTRACE -d -v /etc/ssl:/etc/ssl -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates -v /usr/share/ca-certificates:/usr/share/ca-certificates OurACR.azurecr.io/chip/toolbox sleep 1d

Ele mostra o mesmo comportamento da imagem de ondulação. Corri strace(graças a https://jvns.ca/blog/2020/04/29/why-strace-doesnt-work-in-docker/ pelas instruções) no contêiner e no host.

Ambos lidos em /etc/ssl/certs/ca-certificates.crt :

No entanto, uma vez terminada a leitura, eles fazem coisas diferentes:

Por fim, o processo rodando no host chega a ler um dos certificados ZScaler, enquanto o rodando no container faz não sei o quê:

Onde:

mark@L-R910LPKW:~$ ls -l /etc/ssl/certs/f36a1d00.0
lrwxrwxrwx 1 root root 54 Apr 21 16:46 /etc/ssl/certs/f36a1d00.0 -> 'Zscaler_Intermediate_Root_CA_=zscalertwo.net=_=t=_.pem'
mark@L-R910LPKW:~$

Como é strace contém muito ruído. Adoraria saber como reduzi-lo de maneira significativa.

Esqueci de mencionar. O host carrega /lib/x86_64-linux-gnu/libssl.so.3enquanto o contêiner docker carrega /lib/libssl.so.3. Talvez isso seja significativo.

EDITAR 3

O conselho original a ser usado stracesugeria chamá-lo com -e trace=%file, aqui vamos nós:

janela de encaixe

/ # strace -e trace=%file -f curl -so /dev/null https://dl-cdn.alpinelinux.org/alpine/v3.17/main
execve("/usr/bin/curl", ["curl", "-so", "/dev/null", "https://dl-cdn.alpinelinux.org/a"...], 0x7fff23ab9330 /* 8 vars */) = 0
open("/etc/ld-musl-x86_64.path", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libcurl.so.4", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libz.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnghttp2.so.14", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libssl.so.3", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libcrypto.so.3", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libbrotlidec.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libbrotlidec.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libbrotlidec.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libbrotlicommon.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libbrotlicommon.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libbrotlicommon.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
open("/root/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/root/.config/curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/root/.curlrc", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
strace: Process 37 attached
[pid    37] open("/etc/hosts", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 7
[pid    37] open("/etc/resolv.conf", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 7
[pid    37] +++ exited with 0 +++
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_LARGEFILE) = 6
+++ exited with 60 +++
/ #

hospedar

mark@L-R910LPKW:~$ strace -e trace=%file -f curl -so /dev/null https://dl-cdn.alpinelinux.org/alpine/v3.17/main
execve("/usr/bin/curl", ["curl", "-so", "/dev/null", "https://dl-cdn.alpinelinux.org/a"...], 0x7fff2db4c4b0 /* 30 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=29679, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=677656, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=108936, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnghttp2.so.14", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=166256, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libidn2.so.0", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=129096, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/librtmp.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=121864, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libssh.so.4", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=441944, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpsl.so.5", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=75768, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=667864, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=4451632, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=338648, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libldap-2.5.so.0", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=376512, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblber-2.5.so.0", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=63992, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libzstd.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=841808, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbrotlidec.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=51512, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunistring.so.2", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1743016, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2000320, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libhogweed.so.6", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=289800, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnettle.so.8", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=281000, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgmp.so.10", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=526896, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=827936, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=182864, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=18504, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=52016, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsasl2.so.2", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=105376, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbrotlicommon.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=137560, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libp11-kit.so.0", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1285888, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libtasn1.so.6", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=92312, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=22600, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=68552, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libffi.so.8", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=47688, ...}, AT_EMPTY_PATH) = 0
newfstatat(AT_FDCWD, "/etc/gnutls/config", 0x7ffcde3ddb00, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=12419, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=3048928, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2996, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=258, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=27002, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=47, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=127, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=62, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=34, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=48, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=270, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1406, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=3360, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=50, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/usr/lib/locale/C.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=353616, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/home/mark/.curlrc", O_RDONLY) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}, 0) = 0
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=510, ...}, AT_EMPTY_PATH) = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=510, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1948, ...}, AT_EMPTY_PATH) = 0
openat(AT_FDCWD, "/home/mark/.curlrc", O_RDONLY) = -1 ENOENT (No such file or directory)
strace: Process 577639 attached
[pid 577639] newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=510, ...}, 0) = 0
[pid 577639] newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=96, ...}, 0) = 0
[pid 577639] openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 7
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=92, ...}, AT_EMPTY_PATH) = 0
[pid 577639] openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 7
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=96, ...}, AT_EMPTY_PATH) = 0
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=96, ...}, AT_EMPTY_PATH) = 0
[pid 577639] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 7
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=580, ...}, AT_EMPTY_PATH) = 0
[pid 577639] openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = 7
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=2584, ...}, AT_EMPTY_PATH) = 0
[pid 577639] newfstatat(7, "", {st_mode=S_IFREG|0644, st_size=2584, ...}, AT_EMPTY_PATH) = 0
[pid 577639] +++ exited with 0 +++
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=190243, ...}, AT_EMPTY_PATH) = 0
newfstatat(AT_FDCWD, "/etc/ssl/certs/f36a1d00.0", {st_mode=S_IFREG|0644, st_size=1537, ...}, 0) = 0
openat(AT_FDCWD, "/etc/ssl/certs/f36a1d00.0", O_RDONLY) = 6
newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=1537, ...}, AT_EMPTY_PATH) = 0
newfstatat(AT_FDCWD, "/etc/ssl/certs/f36a1d00.1", 0x7ffcde3dd2f0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=3552, ...}, AT_EMPTY_PATH) = 0
newfstatat(6, "", {st_mode=S_IFREG|0644, st_size=3552, ...}, AT_EMPTY_PATH) = 0
+++ exited with 35 +++
mark@L-R910LPKW:~$

1 respostas

Voted

Torin · Answer 1 · 2023-05-10T04:59:48+08:00

Best Answer

Torin

2023-05-10T04:59:48+08:002023-05-10T04:59:48+08:00

A curlimages/curlimagem não configura curl para usar um caminho de diretório CA e também usa um caminho de pacote de certificado CA padrão de /cacert.pem. Portanto, vincular seu /etc/ssl/certsdiretório, que normalmente pode funcionar em seu sistema, não seria verificado pelo curl.

Você pode vincular a montagem de seu pacote de certificados ao local esperado passando, por exemplo, -v /etc/ssl/certs/ca-certificates.crt:/cacert.pemcomo um argumento docker (se /etc/ssl/certs/ca-certificates.crtcontiver todos os seus certificados CA) ou, no caso em que você ligou /etc/ssl:/etc/ssl, você pode passar --capath /etc/ssl/certscomo um argumento curl.

1

Por que o curl executado a partir de um contêiner reclama do certificado do emissor local quando todos os certificados estão supostamente presentes?

Possível firmware ausente /lib/firmware/i915/* para o módulo i915

Falha ao buscar o repositório de backports jessie

Como exportar uma chave privada GPG e uma chave pública para um arquivo

Como podemos executar um comando armazenado em uma variável?

Como configurar o systemd-resolved e o systemd-networkd para usar o servidor DNS local para resolver domínios locais e o servidor DNS remoto para domínios remotos?

apt-get update error no Kali Linux após a atualização do dist [duplicado]

Como ver as últimas linhas x do log de serviço systemctl

Nano - pule para o final do arquivo

erro grub: você precisa carregar o kernel primeiro

Como baixar o pacote não instalá-lo com o comando apt-get?

Por que o curl executado a partir de um contêiner reclama do certificado do emissor local quando todos os certificados estão supostamente presentes?

1 respostas

relate perguntas