npm UNABLE_TO_GET_ISSUER_CERT_LOCALLY in docker behind corporate firewall

Question

I am getting an error running npm as root in a Dockerfile.

     > [runner  5/10] RUN npm install --global pm2:
    #0 71.79 npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY

We have an antivirus/corporate firewall that we can't turn off, which substitutes SSL certificates to inspect traffic.

My problem is that because npm install --global pm2 is running as root, it does not honor export NODE_EXTRA_CA_CERTS=/path/to/my-cacert.crt.

I tried with RUN npm config set cafile /path/to/my-cacert.crt, but that also didn't work for some reason.

How can I fix UNABLE_TO_GET_ISSUER_CERT_LOCALLY when running npm as root in a docker container?

This dockerfile reproduces the issue:

    FROM node:alpine AS deps

    COPY my.crt /usr/local/share/ca-certificates/
    RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

    RUN npm install --global pm2

Answer 1

Score: 1

If you post your Dockerfile it will be helpful, but there are multiple options for you.

1- Instead of using export, set your NODE_EXTRA_CA_CERTS with the ARG option in the Dockerfile; it will be used for all users, no matter whether you change your user between builds, like this:

    FROM node:alpine AS deps

    ARG NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

    COPY my.crt /usr/local/share/ca-certificates/
    RUN cat /usr/local/share/ca-certificates/my.crt >>/etc/ssl/certs/ca-certificates.crt

    RUN npm install --global pm2

But if you set a variable with export, it will be used just for the RUN entry in which you used export. Remember, if you are doing a multi-stage build, ARG is scoped to its stage, and if you need to set this in different stages, you have to use your ARG in each stage.

2- Use http instead of https (it is not secure but usable). You can set it within your configuration like:

    npm config set registry http://registry.npmjs.org/

3- Add your CA certificate to the trusted certificates within your Dockerfile like:

    ...
    COPY ca.crt /usr/local/share/ca-certificates/ca.crt
    RUN apt update && \
      apt install -y ca-certificates && \
      update-ca-certificates
    ...
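
An added example, not part of the original question or answer: a Dockerfile for the question's node:alpine image that trusts the inspecting proxy's CA for both the OS bundle and Node, using ENV so the setting applies to every RUN step and to the running container. It assumes my.crt (the question's file name) is the PEM-encoded root CA that the proxy signs with.

```dockerfile
# Added example (not from the original post).
# Assumption: my.crt is the PEM-encoded root CA used by the TLS-inspecting proxy.
FROM node:alpine AS deps

COPY my.crt /usr/local/share/ca-certificates/my.crt

# Fail the build early if the file is not PEM (for example a DER export):
# Node only reads PEM certificates from NODE_EXTRA_CA_CERTS.
RUN grep -q -- '-----BEGIN CERTIFICATE-----' /usr/local/share/ca-certificates/my.crt

# OS trust bundle, for tools in the image that use the system store.
RUN cat /usr/local/share/ca-certificates/my.crt >> /etc/ssl/certs/ca-certificates.crt

# Node does not read the system bundle by default. It adds the certificates
# in this file to its built-in roots when the process starts.
# ENV persists across RUN steps and into the container; a shell "export"
# lasts for one RUN only, and ARG exists at build time only.
# Stages that start FROM a different base image need this line again.
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/my.crt

# Not recommended: the plain-HTTP registry workaround removes TLS
# authentication of the registry instead of fixing trust.
# RUN npm config set registry http://registry.npmjs.org/

# Registry traffic is now verified against the built-in roots plus my.crt.
RUN npm install --global pm2
```

If the build still fails with UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the file most likely holds a leaf or intermediate certificate rather than the root that the proxy's chain ends in.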






huangapple
  • Posted on March 31, 2023, 20:32:04
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75898561.html