npm在企业防火墙后无法获取本地发行者证书 (UNABLE_TO_GET_ISSUER_CERT_LOCALLY)。

huangapple go评论74阅读模式
英文:

npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY in docker behind corporate firewall

问题

我在 Dockerfile 中以 root 用户运行 npm 时遇到了错误。

    #0 71.79 npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

我们有一个无法关闭的防病毒软件/企业防火墙,它会替换 SSL 证书以检查流量。

我的问题是,因为 npm install --global pm2 以 root 用户身份运行,它不会遵守 export NODE_EXTRA_CA_CERTS=/path/to/my-cacert.crt

我尝试过 RUN npm config set cafile /path/to/my-cacert.crt,但出于某些原因也没有起作用。

在运行 Docker 容器中的 npm 时,如何修复 UNABLE_TO_GET_ISSUER_CERT_LOCALLY

此 Dockerfile 重现了这个问题:

    FROM node:alpine AS deps
    
    COPY my.crt /usr/local/share/ca-certificates/
    RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt
    
    RUN npm install --global pm2
英文:

I am getting an error running npm as root in a Dockerfile.

 > [runner  5/10] RUN npm install --global pm2:
#0 71.79 npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

We have an antivirus/corporate firewall that we can't turn off, which substitutes SSL certificates to inspect traffic.

My problem is that because npm install --global pm2 is running as root, it does not honor export NODE_EXTRA_CA_CERTS=/path/to/my-cacert.crt.

I tried with RUN npm config set cafile /path/to/my-cacert.crt, but that also didn't work for some reason.

How can I fix UNABLE_TO_GET_ISSUER_CERT_LOCALLY when running npm as root in a docker container?

This dockerfile reproduces the issue:

FROM node:alpine AS deps

COPY my.crt /usr/local/share/ca-certificates/
RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

RUN npm install --global pm2

答案1

得分: 1

如果您发布您的Dockerfile,这将很有帮助,但对于您有多个选项。

1- 而不是使用 export,用 ARG 选项设置您的 NODE_EXTRA_CA_CERTS,将其用于Dockerfile中的所有用户,无论您在构建之间是否更改用户,如下所示:

FROM node:alpine AS deps

ARG NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

COPY my.crt /usr/local/share/ca-certificates/
RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

RUN npm install --global pm2

但如果您使用 export 设置一个变量,它将仅用于您使用 exportRUN 条目。请记住,如果您正在进行多阶段构建,ARG 的作用域限定在各自的阶段内,如果您需要在不同阶段中设置此值,您必须在每个阶段中使用您的 ARG

2- 使用 http 而不是 https(虽然不安全但可用)。您可以在配置中 设置 它,如下所示:
npm config set registry http://registry.npmjs.org/

3- 将您的CA证书添加到Dockerfile中的受信任证书中,如下所示:

...
COPY ca.crt /usr/local/share/ca-certificates/ca.crt
RUN apt update && \
  apt install -y ca-certificates && \
  update-ca-certificates
...
英文:

If You post your Dockerfile it will be helpful,

but there are multiple options for You.

1- instead of using export set your NODE_EXTRA_CA_CERTS with ARG option in dockerfile, it will be used for all users does not matter if You change your user between builds like this:

FROM node:alpine AS deps

ARG NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

COPY my.crt /usr/local/share/ca-certificates/
RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

RUN npm install --global pm2

But if You set a variable with export it will be used just for that RUN entry which You used export. Remember if You are doing multi stage build ARG is scoped to their stage, and if You need to set this in different stages, You have to use your ARG in each stage.

2- to use http instead of https(it is not secure but usable). You can set it within your configuration like:
npm config set registry http://registry.npmjs.org/

3- add your CA certificate to trusted certificates within your Dockerfile like:

...
COPY ca.crt /usr/local/share/ca-certificates/ca.crt
RUN apt update && \
  apt install -y ca-certificates && \
  update-ca-certificates
...



</details>



huangapple
  • 本文由 发表于 2023年3月31日 20:32:04
  • 转载请务必保留本文链接:https://go.coder-hub.com/75898561.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定