ncbi / docker


magicblast docker image returning "encryption failed while validating token within cryptographic module" #43

Closed tadast closed 7 months ago

tadast commented 7 months ago

Hello,

I'm trying to run magicblast from the docker image, but I'm getting a certification verification issue.

✗ docker run -v /Users/tt/code/mblast/sample:/job ncbi/magicblast magicblast -db /job/sequence.fasta -sra SRR597644 -no_unaligned -splice F -num_threads 8 -out /job/results.sam

Error: (2108.2) [magicblast] VDB 3.0.7: 2024-03-12T18:59:31 . sys: encryption failed while validating token within cryptographic module - Verification issue 0x4008 for this certificate: (  cert. version     : 3  serial number     : 00  issuer name       : C=US, O=The Go Daddy Group\, Inc., OU=Go Daddy Class 2 Certification Authority  subject name      : C=US, O=The Go Daddy Group\, Inc., OU=Go Daddy Class 2 Certification Authority  issued  on        : 2004-06-29 17:06:20  expires on        : 2034-06-29 17:06:20  signed using      : RSA with SHA1  RSA key size      : 2048 bits  basic constraints : CA=true  )

Error: (2108.2) [magicblast] VDB 3.0.7: 2024-03-12T18:59:31 . sys: mbedtls_ssl_get_verify_result for 'locate.ncbi.nlm.nih.gov' returned 0x4008 ( !! The certificate is not correctly signed by the trusted CA  !! The certificate is signed with an unacceptable hash. )

BLAST query/options error: The provided SRA accession 'SRR597644' does not exist
Please refer to the BLAST+ user manual.

I get the same issue when I run "ncbi/magicblast" on an AWS Fargate instance too. Any ideas what could be wrong?

boratyng commented 7 months ago

Hi @tadast, sorry you ran into trouble. Please try mounting /etc/ssl/certs from the host to your docker container. This worked for me in GCP and AWS cloud shells:

docker run --rm  -v $HOME/sequence:/blast/blastdb:ro  -v /etc/ssl/certs:/etc/ssl/certs:ro ncbi/magicblast magicblast -sra SRR597644 -subject /blast/blastdb/subject.fa

tadast commented 7 months ago

@boratyng thanks for your swift response, it was a helpful pointer 🙌 It's a bit fiddly to achieve the same on macOS. On AWS Fargate you also don't have access to the underlying host machine to mount its certs.

I've resolved the issue by building a new Docker image that installs ca-certificates. Any reason not to do the same in this image? I'd be happy to open a PR.

# Dockerfile

FROM "ncbi/magicblast"

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates

boratyng commented 7 months ago

@tadast, thank you for the suggestion. I am working on the updates.

boratyng commented 7 months ago

The docker image and sources were updated.

tadast commented 7 months ago

Splendid, thank you Greg!
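
A static check for the condition this thread resolves, as an added example that is not part of the original thread or of the ncbi/docker project: it reports whether a root filesystem has a populated CA trust store, which is what was absent before ca-certificates was installed. The function name and the Debian/Ubuntu layout (`/etc/ssl/certs`, `ca-certificates.crt`) are assumptions of the example, and it does not perform a TLS handshake.

```shell
#!/bin/sh
# Added example (not from the thread): classify the CA trust store under a
# root filesystem. Assumes the Debian/Ubuntu layout implied by the apt-get
# based fix: certificates in /etc/ssl/certs, bundle in ca-certificates.crt.

PEM_MARK='-----BEGIN CERTIFICATE-----'

# ca_store_status ROOT
# Prints one of:
#   missing  ROOT/etc/ssl/certs does not exist
#   empty    directory exists but no PEM certificate is readable
#   ok:N     N certificates in the bundle, or N individual certificate files
# Returns 0 only for "ok:N", so it can gate an image build or a CI job.
ca_store_status() {
    root="${1:-/}"
    certs_dir="${root%/}/etc/ssl/certs"
    bundle="$certs_dir/ca-certificates.crt"

    [ -d "$certs_dir" ] || { echo missing; return 1; }

    n=0
    if [ -f "$bundle" ]; then
        # grep -c exits 1 on zero matches but still prints 0.
        n=$(grep -c -- "$PEM_MARK" "$bundle" || true)
    else
        for f in "$certs_dir"/*.pem "$certs_dir"/*.crt; do
            # -f follows symlinks, so dangling links (for example from a
            # partial bind mount of the host store) are not counted.
            [ -f "$f" ] || continue
            if grep -q -- "$PEM_MARK" "$f"; then
                n=$((n + 1))
            fi
        done
    fi

    if [ "$n" -gt 0 ]; then
        echo "ok:$n"
    else
        echo empty
        return 1
    fi
}

# Run only when a root path is given, e.g. "sh check.sh /" inside a container.
if [ "$#" -gt 0 ]; then
    ca_store_status "$1"
fi
```

Run it inside the container with `/` as the argument, or point it at an exported image filesystem directory. An `ok:N` result shows only that a store is present, not that a particular root CA is in it.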