quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

maven deploy to minikube fails due to insecure curl problem #9893

Open ambition-consulting opened 4 years ago

ambition-consulting commented 4 years ago

Describe the bug
When executing: mvn clean package -Dquarkus.kubernetes.deploy=true -debug

Expected behavior
Quarkus installs whatever is needed to deploy

Actual behavior

20:41:14,717 [build-17] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] error: cannot update repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
20:41:14,776 [build-6] [DEBUG] [io.quarkus.bootstrap.classloading.QuarkusClassLoader] Class io.dekorate.deps.kubernetes.api.model.EnvVarBuilder not found in parent first load from ClassRealm[plugin>io.quarkus:quarkus-maven-plugin:1.5.0.Final, parent: sun.misc.Launcher$AppClassLoader@55f96302]
20:41:14,812 [build-17] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] The command '/bin/sh -c microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1

To Reproduce
Steps to reproduce the behavior:

  1. install minikube
  2. follow https://haralduebele.blog/2020/04/03/deploy-your-quarkus-applications-on-kubernetes-almost-automatically/

I believe there is a problem with curl inside:

curl -v https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get issuer certificate
curl: (60) SSL certificate problem: unable to get issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl -v https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml --insecure
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /content/publicm/ubi/dist/ubi8/8/x86_64/baseosoms/repodata/repmd.xml HTTP/1.1
> Host: cdn-ubi.redhat.com
> User-Agent: curl/7.66.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: AkamaiGHost
< Mime-Version: 1.0
< Content-Type: text/html
< Content-Length: 383
< Expires: Tue, 09 Jun 2020 18:51:01 GMT
< Date: Tue, 09 Jun 2020 18:51:01 GMT
< Connection: Keep-Alive
<
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;cdn&#45;ubi&#46;redhat&#46;com&#47;content&#47;publicm&#47;ubi&#47;dist&#47;ubi8&#47;8&#47;x86&#95;64&#47;baseosoms&#47;repodata&#47;repmd&#46;xml" on this server.<P>
Reference&#32;&#35;18&#46;9c02655f&#46;1591728661&#46;68045495
</BODY>
</HTML>

Additional context
I updated /etc/ssl/certs/cacert.pem without success. Also, when logged in via a terminal, this helped, but not with Maven:

cat ~/.curlrc
insecure
quarkusbot commented 4 years ago

/cc @quarkusio/devtools

ambition-consulting commented 4 years ago
11:07:48,943 [main] [INFO] --- quarkus-maven-plugin:1.5.0.Final:build (default) @ config-quickstart ---
11:07:51,162 [main] [WARNING] [io.quarkus.deployment.QuarkusAugmentor] Using Java versions older than 11 to build Quarkus applications is deprecated and will be disallowed in a future release!
11:07:51,702 [main] [INFO] [org.jboss.threads] JBoss Threads version 3.1.1.Final
11:07:52,623 [build-36] [WARNING] [io.quarkus.kubernetes.deployment.KubernetesProcessor] No registry was set for the container image, so 'ImagePullPolicy' is being force-set to 'IfNotPresent'.
[INFO] Checking for existing resources in: C:\Users\src\config-quickstart\src\main\kubernetes.
11:07:53,028 [build-32] [INFO] [io.quarkus.deployment.pkg.steps.JarResultBuildStep] Building thin jar: C:\Users\src\config-quickstart\target\config-quickstart-1.0-SNAPSHOT-runner.jar
11:07:53,857 [build-36] [INFO] [io.quarkus.kubernetes.deployment.KubernetesProcessor] Generated the Kubernetes manifests: '\kubernetes.yml,\kubernetes.json' in 'C:\Users\src\config-quickstart\target\kubernetes'
11:07:54,008 [build-26] [INFO] [io.quarkus.kubernetes.deployment.KubernetesDeploy] Kubernetes API Server at 'https://192.168.99.100:8443/' successfully contacted.
11:07:54,716 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerWorking] Docker daemon found. Version:'19.03.8'
11:07:54,734 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Building docker image for jar.
11:07:55,392 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Sending build context to Docker daemon  10.57MB
11:07:55,409 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]
11:07:55,420 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Step 1/11 : FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
11:07:55,448 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> 91d23a64fdf2
11:07:55,463 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Step 2/11 : ARG JAVA_PACKAGE=java-11-openjdk-headless
11:07:55,493 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> Using cache
11:07:55,520 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> 5117ddec859b
11:07:55,548 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Step 3/11 : ARG RUN_JAVA_VERSION=1.3.8
11:07:55,564 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> Using cache
11:07:55,579 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> 87f637cd4953
11:07:55,596 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Step 4/11 : ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
11:07:55,614 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> Using cache
11:07:55,628 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> cd7d06f38b4a
11:07:55,643 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Step 5/11 : RUN microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments
     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
11:07:55,724 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]  ---> Running in 01061fc0d63e
11:07:56,697 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]
11:07:56,727 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] (process:6): librhsm-WARNING **: 09:07:49.472: Found 0 entitlement certificates
11:07:56,759 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]
11:07:56,783 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] (process:6): librhsm-WARNING **: 09:07:49.480: Found 0 entitlement certificates
11:07:56,810 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor]
11:07:56,824 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] (process:6): libdnf-WARNING **: 09:07:49.483: Loading "/etc/dnf/dnf.conf": IniParser: Can't open file
11:07:56,871 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] Downloading metadata...
11:07:57,104 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] error: cannot update repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
11:07:57,297 [build-15] [INFO] [io.quarkus.container.image.docker.deployment.DockerProcessor] The command '/bin/sh -c microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1
11:07:57,389 [main] [INFO] ------------------------------------------------------------------------
11:07:57,400 [main] [INFO] BUILD FAILURE
11:07:57,405 [main] [INFO] ------------------------------------------------------------------------
ambition-consulting commented 4 years ago

Might relate to https://access.redhat.com/discussions/4524081

ambition-consulting commented 4 years ago
$ subscription-manager
-bash: subscription-manager: command not found

This problem might go to Minikube instead? Maybe you could allow curl to work insecure for that one repository as a temporary solution?

ambition-consulting commented 4 years ago

Or maybe you should remove the dependency to red hat. I can't even reply in their forum, since that requires a subscription? wtf...

geoand commented 4 years ago

@maxandersen or @cescoffier do you have any idea what's going on here?

maxandersen commented 4 years ago

that's new.

We shouldn't see our default community docker images depend on subscription manager. If we do that's a bug.

geoand commented 4 years ago

@ambition-consulting what base image are you using?

maxandersen commented 4 years ago

looks like whatever default we use.

Which is what surprises me, since deploying to minikube hasn't been an issue before.

geoand commented 4 years ago

I am not sure it's the default, because I have tried minikube successfully multiple times and I don't have any sort of subscription set up

ambition-consulting commented 4 years ago

@geoand I am using whatever ships with the newest Minikube v1.11.0 (released 12 days ago).

$ uname -a
Linux minikube 4.19.107 #1 SMP Thu May 28 15:07:17 PDT 2020 x86_64 GNU/Linux

I am not sure what your plugin is exactly using internally. I simply ssh'ed from Windows into the Minikube VM with "minikube ssh" and found the same problem with curl that I found when executing your maven plugin from Windows.

Please let me know, how exactly I can provide you the missing information.

Also, tomorrow I will follow up on a suggestion by the minikube team of using the docker driver instead of the Virtualbox driver. I was assuming the image to be the same regardless of which driver it is run with, but maybe I am wrong.

geoand commented 4 years ago

Can you please try doing the following:

mvn clean package -DskipTests
docker build -f src/main/docker/Dockerfile.jvm -t quarkus/${project_artifactId}-jvm .

and paste the output?

maxandersen commented 4 years ago

It's weird. It's just running microdnf update, which downloads stuff that is publicly available behind proper HTTPS URLs with certificates.

@geoand did you fail to reproduce on latest minikube or other version ?

maxandersen commented 4 years ago

Btw. "subscription" to comment is just developer.redhat.com which is free.

geoand commented 4 years ago

It's weird. It's just running microdnf update, which downloads stuff that is publicly available behind proper HTTPS URLs with certificates.

@geoand did you fail to reproduce on latest minikube or other version ?

I am using 1.9.x, but let me try the latest

geoand commented 4 years ago

I just tested with the latest minikube (minikube version: v1.11.0) and with a brand new Quarkus project created using 1.5.0.Final and the quarkus-minikube and quarkus-container-image-docker extensions.

eval $(minikube -p minikube docker-env)
mvn clean package -DskipTests -Dquarkus.kubernetes.deploy=true

worked flawlessly.

ambition-consulting commented 4 years ago

@geoand same problem:

C:\Users\src\config-quickstart
λ mvn clean package -DskipTests
15:14:44,659 [main] [INFO] Scanning for projects...
15:14:44,807 [main] [INFO]
15:14:44,811 [main] [INFO] ---------------------< org.acme:config-quickstart >---------------------
15:14:44,824 [main] [INFO] Building config-quickstart 1.0-SNAPSHOT
15:14:44,835 [main] [INFO] --------------------------------[ jar ]---------------------------------
15:14:46,192 [main] [INFO]
15:14:46,200 [main] [INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ config-quickstart ---
15:14:46,280 [main] [INFO] Deleting C:\Users\src\config-quickstart\target
15:14:46,375 [main] [INFO]
15:14:46,378 [main] [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ config-quickstart ---
15:14:46,531 [main] [INFO] Using 'UTF-8' encoding to copy filtered resources.
15:14:46,546 [main] [INFO] Copying 2 resources
15:14:46,569 [main] [INFO]
15:14:46,573 [main] [INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ config-quickstart ---
15:14:46,916 [main] [INFO] Changes detected - recompiling the module!
15:14:46,934 [main] [INFO] Compiling 1 source file to C:\Users\src\config-quickstart\target\classes
15:14:47,581 [main] [INFO]
15:14:47,585 [main] [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ config-quickstart ---
15:14:47,614 [main] [INFO] Using 'UTF-8' encoding to copy filtered resources.
15:14:47,626 [main] [INFO] skip non existing resourceDirectory C:\Users\src\config-quickstart\src\test\resources
15:14:47,646 [main] [INFO]
15:14:47,663 [main] [INFO] --- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ config-quickstart ---
15:14:47,756 [main] [INFO] Changes detected - recompiling the module!
15:14:47,780 [main] [INFO] Compiling 2 source files to C:\Users\src\config-quickstart\target\test-classes
15:14:48,251 [main] [INFO]
15:14:48,254 [main] [INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ config-quickstart ---
15:14:48,705 [main] [INFO] Tests are skipped.
15:14:48,711 [main] [INFO]
15:14:48,714 [main] [INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ config-quickstart ---
15:14:48,886 [main] [INFO] Building jar: C:\Users\src\config-quickstart\target\config-quickstart-1.0-SNAPSHOT.jar
15:14:48,921 [main] [INFO]
15:14:48,926 [main] [INFO] --- quarkus-maven-plugin:1.5.0.Final:build (default) @ config-quickstart ---
15:14:51,446 [main] [WARNING] [io.quarkus.deployment.QuarkusAugmentor] Using Java versions older than 11 to build Quarkus applications is deprecated and will be disallowed in a future release!
15:14:52,115 [main] [INFO] [org.jboss.threads] JBoss Threads version 3.1.1.Final
15:14:53,252 [build-41] [WARNING] [io.quarkus.kubernetes.deployment.KubernetesProcessor] No registry was set for the container image, so 'ImagePullPolicy' is being force-set to 'IfNotPresent'.
[INFO] Checking for existing resources in: C:\Users\src\config-quickstart\src\main\kubernetes.
15:14:53,681 [build-13] [INFO] [io.quarkus.deployment.pkg.steps.JarResultBuildStep] Building thin jar: C:\Users\src\config-quickstart\target\config-quickstart-1.0-SNAPSHOT-runner.jar
15:14:54,660 [build-41] [INFO] [io.quarkus.kubernetes.deployment.KubernetesProcessor] Generated the Kubernetes manifests: '\minikube.json,\kubernetes.yml,\kubernetes.json,\minikube.yml' in 'C:\Users\src\config-quickstart\target\kubernetes'
15:14:54,750 [main] [INFO] [io.quarkus.deployment.QuarkusAugmentor] Quarkus augmentation completed in 3282ms
15:14:54,779 [main] [INFO] ------------------------------------------------------------------------
15:14:54,794 [main] [INFO] BUILD SUCCESS
15:14:54,800 [main] [INFO] ------------------------------------------------------------------------
15:14:54,823 [main] [INFO] Total time:  10.194 s
15:14:54,830 [main] [INFO] Finished at: 2020-06-12T15:14:54+02:00
15:14:54,838 [main] [INFO] ------------------------------------------------------------------------

C:\Users\src\config-quickstart
λ docker build -f src/main/docker/Dockerfile.jvm -t quarkus/config-quickstart-jvm .
Sending build context to Docker daemon  10.57MB
Step 1/11 : FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
Get https://registry.access.redhat.com/v2/: x509: certificate signed by unknown authority

C:\Users\src\config-quickstart
λ minikube start
* minikube v1.11.0 on Microsoft Windows 7 Enterprise Service Pack 1 6.1.7601 Build 7601
  - MINIKUBE_ACTIVE_DOCKERD=minikube
* Automatically selected the virtualbox driver
* Starting control plane node minikube in cluster minikube
* Creating virtualbox VM (CPUs=2, Memory=4000MB, Disk=20000MB) ...
* Found network options:
  - NO_PROXY=192.168.99.100
  - no_proxy=192.168.99.100
! This VM is having trouble accessing https://k8s.gcr.io
* To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
* Preparing Kubernetes v1.18.3 on Docker 19.03.8...
  - env NO_PROXY=192.168.99.100
* Verifying Kubernetes components...
* Enabled addons: default-storageclass, storage-provisioner
* Done! kubectl is now configured to use "minikube"

C:\Users\src\config-quickstart
λ minikube docker-env
SET DOCKER_TLS_VERIFY=1
SET DOCKER_HOST=tcp://192.168.99.101:2376
SET DOCKER_CERT_PATH=C:\Users\.minikube\certs
SET MINIKUBE_ACTIVE_DOCKERD=minikube
REM To point your shell to minikube's docker-daemon, run:
REM @FOR /f "tokens=*" %i IN ('minikube -p minikube docker-env') DO @%i

C:\Users\src\config-quickstart
λ SET DOCKER_HOST=tcp://192.168.99.101:2376

C:\Users\src\config-quickstart
λ SET DOCKER_CERT_PATH=C:\Users\.minikube\certs

C:\Users\src\config-quickstart
λ SET MINIKUBE_ACTIVE_DOCKERD=minikube

C:\Users\src\config-quickstart
λ @FOR /f "tokens=*" %i IN ('minikube -p minikube docker-env') DO @%i

C:\Users\src\config-quickstart
λ docker build -f src/main/docker/Dockerfile.jvm -t quarkus/config-quickstart-jvm .
Sending build context to Docker daemon  10.57MB
Step 1/11 : FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
8.1: Pulling from ubi8/ubi-minimal
b26afdf22be4: Pull complete
218f593046ab: Pull complete
Digest: sha256:df6f9e5d689e4a0b295ff12abc6e2ae2932a1f3e479ae1124ab76cf40c3a8cdd
Status: Downloaded newer image for registry.access.redhat.com/ubi8/ubi-minimal:8.1
 ---> 91d23a64fdf2
Step 2/11 : ARG JAVA_PACKAGE=java-11-openjdk-headless
 ---> Running in 93a95849570c
Removing intermediate container 93a95849570c
 ---> c20281c063e9
Step 3/11 : ARG RUN_JAVA_VERSION=1.3.8
 ---> Running in ce9ad07ab063
Removing intermediate container ce9ad07ab063
 ---> 2da4b0407790
Step 4/11 : ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
 ---> Running in 185ac37dcfdd
Removing intermediate container 185ac37dcfdd
 ---> 2912b3b2e039
Step 5/11 : RUN microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
 ---> Running in 4f474b407a64

(process:8): librhsm-WARNING **: 13:20:46.195: Found 0 entitlement certificates

(process:8): librhsm-WARNING **: 13:20:46.199: Found 0 entitlement certificates

(process:8): libdnf-WARNING **: 13:20:46.200: Loading "/etc/dnf/dnf.conf": IniParser: Can't open file
Downloading metadata...
error: cannot update repo 'ubi-8-baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
The command '/bin/sh -c microdnf install curl ca-certificates ${JAVA_PACKAGE}     && microdnf update     && microdnf clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1

Please note that before, my environment was set up for docker-machine, where I had not yet downloaded the required certificates for registry.access.redhat.com.

ambition-consulting commented 4 years ago

Also, I recently had quarkus-kubernetes extension running, but replacing that with quarkus-minikube extension did not help either.

ambition-consulting commented 4 years ago

Also, we are behind a fairly annoying bluecoat proxy - not sure if that is a problem with https://cdn-ubi.redhat.com/

Question, what is this about?

(process:6): librhsm-WARNING **: 13:28:02.739: Found 0 entitlement certificates

(process:6): librhsm-WARNING **: 13:28:02.743: Found 0 entitlement certificates

(process:6): libdnf-WARNING **: 13:28:02.744: Loading "/etc/dnf/dnf.conf": IniParser: Can't open file
ambition-consulting commented 4 years ago

And regarding the redhat forum - I have registered and logged in, but cannot write, maybe because it is labelled Red Hat Enterprise Linux? No idea, but I cannot respond and contribute.

ambition-consulting commented 4 years ago

Also, changing the driver to docker driver did not work - probably because I cannot run docker in elevated mode... so I am back to Virtualbox.

ambition-consulting commented 4 years ago

Adding to the Dockerfile

RUN curl https://www.google.dom --insecure

results in

Sending build context to Docker daemon  10.57MB
Step 1/13 : FROM registry.access.redhat.com/ubi8/ubi-minimal:8.1
 ---> 91d23a64fdf2
Step 2/13 : ARG JAVA_PACKAGE=java-11-openjdk-headless
 ---> Using cache
 ---> c20281c063e9
Step 3/13 : ARG RUN_JAVA_VERSION=1.3.8
 ---> Using cache
 ---> 2da4b0407790
Step 4/13 : ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
 ---> Using cache
 ---> 2912b3b2e039
Step 5/13 : RUN curl https://www.google.dom --insecure
 ---> Running in a30344cc2f92
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: www.google.dom
The command '/bin/sh -c curl https://www.google.dom --insecure' returned a non-zero code: 6

So I guess maybe it's about connectivity in general.

ambition-consulting commented 4 years ago

Or maybe not, I am confused:

C:\Users\src\config-quickstart
λ minikube ssh
                         _             _
            _         _ ( )           ( )
  ___ ___  (_)  ___  (_)| |/')  _   _ | |_      __
/' _ ` _ `\| |/' _ `\| || , <  ( ) ( )| '_`\  /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )(  ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)

$ curl www.google.com
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="b9+u8lQxjDCE2WJaHeq80Q==">(function(){window.google={kEI:'AZTjXsmlJ8KprgT2m5Yo',kEXPI:'0,202123,3,4,32,1151585,5662,730,224,3656,1448,207,1245,1959,10,1226,364,1499,576,241,383,246,5,1306,48,554,1140,1217,718,249,3,134,142,68,72,74,43,3,347,379,1122623,1197704,445,78,11,329029,1294,12383,4855,32691,15248,867,28684,9188,8384,4859,1361,9290,3022,2822,1924,6,11027,1808,4020,978,4788,1,3142,5297,2054,920,873,1217,5760,3645,1142,7861,2303,3221,4517,2778,919,2277,8,2796,1593,1279,2212,530,149,1943,517,1466,58,790,3466,312,1135,1,3,2063,606,1839,184,1777,143,377,1946,1031,1,1198,94,327,1284,16,2927,2247,473,1339,748,1039,603,2624,1990,855,9,5597,469,6286,4455,641,2449,2459,1226,1743,3654,1274,108,591,2816,908,2,940,973,1642,2397,2896,2523,916,1135,1,839,1337,666,432,3,346,1200,865,1,372,3545,707,148,189,1667,1645,503,1,1986,27,130,1,2093,1496,496,463,1487,

...
ambition-consulting commented 4 years ago

Adding the intercepting proxy PEM to minikube trusted certs did not help.

ambition-consulting commented 4 years ago

Changed my Dockerfile to using UBI base with subscription, now I got

C:\Users\src\config-quickstart
λ docker build -f src/main/docker/Dockerfile.jvm -t quarkus/config-quickstart-jvm .
Sending build context to Docker daemon  10.59MB
Step 1/12 : FROM registry.access.redhat.com/ubi8/ubi:8.1
 ---> 8121a9f5303b
Step 2/12 : ARG JAVA_PACKAGE=java-11-openjdk-headless
 ---> Using cache
 ---> bef1068e750f
Step 3/12 : ARG RUN_JAVA_VERSION=1.3.8
 ---> Using cache
 ---> 0eb8bcddca7f
Step 4/12 : RUN subscription-manager register --username ambition.consulting --password whatever --auto-attach
 ---> Running in 6559b3d28482
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: 826b4a35-af05-4d9f-921b-29b5b1de9245
The registered system name is: c6feedc4030e
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

Removing intermediate container 6559b3d28482
 ---> 198bf991e4ce
Step 5/12 : ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
 ---> Running in 3b5a433fe473
Removing intermediate container 3b5a433fe473
 ---> 53837a38f2e4
Step 6/12 : RUN yum install curl ca-certificates ${JAVA_PACKAGE} --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos     && yum update     && yum clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
 ---> Running in b8d3583f4f45
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStre 1.9 MB/s |  18 MB     00:09
Red Hat Enterprise Linux 8 for x86_64 - BaseOS  2.0 MB/s |  18 MB     00:09
Red Hat Universal Base Image 8 (RPMs) - BaseOS  0.0  B/s |   0  B     00:00
Failed to set locale, defaulting to C.UTF-8
Failed to download metadata for repo 'ubi-8-baseos'
Error: Failed to download metadata for repo 'ubi-8-baseos'
The command '/bin/sh -c yum install curl ca-certificates ${JAVA_PACKAGE} --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos     && yum update     && yum clean all     && mkdir /deployments     && chown 1001 /deployments     && chmod "g+rwX" /deployments     && chown 1001:root /deployments     && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh     && chown 1001 /deployments/run-java.sh     && chmod 540 /deployments/run-java.sh     && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1
ambition-consulting commented 4 years ago

Red Hat Enterprise Linux 8 for x86_64 - BaseOS 2.0 MB/s | 18 MB 00:09

Success.

Red Hat Universal Base Image 8 (RPMs) - BaseOS 0.0 B/s | 0 B 00:00

Failure.

What is so special about this image?

geoand commented 4 years ago

I still haven't been able to reproduce any of that.

@maxandersen if you could give it a quick spin when you get a chance it would be great

On Fri, Jun 12, 2020, 18:40 John-Paul Cunliffe notifications@github.com wrote:

Changed my Dockerfile to using UBI base with subscription, now I got

C:\Users\src\config-quickstart
λ docker build -f src/main/docker/Dockerfile.jvm -t quarkus/config-quickstart-jvm .
Sending build context to Docker daemon 10.59MB
Step 1/12 : FROM registry.access.redhat.com/ubi8/ubi:8.1
---> 8121a9f5303b
Step 2/12 : ARG JAVA_PACKAGE=java-11-openjdk-headless
---> Using cache
---> bef1068e750f
Step 3/12 : ARG RUN_JAVA_VERSION=1.3.8
---> Using cache
---> 0eb8bcddca7f
Step 4/12 : RUN subscription-manager register --username ambition.consulting --password whatever --auto-attach
---> Running in 6559b3d28482
Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: 826b4a35-af05-4d9f-921b-29b5b1de9245
The registered system name is: c6feedc4030e
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed
Removing intermediate container 6559b3d28482
---> 198bf991e4ce
Step 5/12 : ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
---> Running in 3b5a433fe473
Removing intermediate container 3b5a433fe473
---> 53837a38f2e4
Step 6/12 : RUN yum install curl ca-certificates ${JAVA_PACKAGE} --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos && yum update && yum clean all && mkdir /deployments && chown 1001 /deployments && chmod "g+rwX" /deployments && chown 1001:root /deployments && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh && chown 1001 /deployments/run-java.sh && chmod 540 /deployments/run-java.sh && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security
---> Running in b8d3583f4f45
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStre 1.9 MB/s | 18 MB 00:09
Red Hat Enterprise Linux 8 for x86_64 - BaseOS 2.0 MB/s | 18 MB 00:09
Red Hat Universal Base Image 8 (RPMs) - BaseOS 0.0 B/s | 0 B 00:00
Failed to set locale, defaulting to C.UTF-8
Failed to download metadata for repo 'ubi-8-baseos'
Error: Failed to download metadata for repo 'ubi-8-baseos'
The command '/bin/sh -c yum install curl ca-certificates ${JAVA_PACKAGE} --enablerepo=ubi-8-appstream --enablerepo=ubi-8-baseos && yum update && yum clean all && mkdir /deployments && chown 1001 /deployments && chmod "g+rwX" /deployments && chown 1001:root /deployments && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh && chown 1001 /deployments/run-java.sh && chmod 540 /deployments/run-java.sh && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security' returned a non-zero code: 1


ambition-consulting commented 4 years ago

Ok, finally I found the solution....

As suspected, our SSL intercepting proxy is causing a problem again - and just adding it to the Linux VirtualBox host was not enough for the isolated Docker container underneath to accept it. By copying the intercepting SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust, curl will now no longer mind the sniffing proxy and just works:

[root@0fa71125f5bd /]# yum install curl
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)    2.6 MB/s |  18 MB     00:06
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)       1.9 MB/s |  18 MB     00:09
Red Hat Universal Base Image 8 (RPMs) - BaseOS              552 kB/s | 766 kB     00:01
Red Hat Universal Base Image 8 (RPMs) - AppStream           1.3 MB/s | 3.8 MB     00:02
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder   9.1 kB/s |  11 kB     00:01
Package curl-7.61.1-12.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

If you are also targeting big companies, which often use this kind of intercepting proxy, then I highly recommend some sort of automatism for intercepting proxies.

Or maybe there already is?

geoand commented 4 years ago

Thanks for the excellent analysis!

We indeed need to look into how to make things easier on that front

maxandersen commented 4 years ago

Thanks for figuring out the issue and coming back. I just want to make sure I understood it right: your problem was caused by a proxy/firewall that rewrites/rewires the certificates using non-trustable certificates - thus the error is actually correct (as there is basically a man-in-the-middle attack?).

And your (valid) solution is to burn into the image the keys of the proxy/firewall, making the image explicitly trust this resource?

If I grok it right, you would have the exact same issue if your Dockerfile or even app would need to access any other https resource on the internet? Is that true?

(And yes, we definitely should make sure to document/make it easier - but I just want to be sure to identify the scale of the issue - i.e. if it is unique to Red Hat servers or in general (almost) any https access you want to do ... I highly suspect the latter.)

ambition-consulting commented 4 years ago

@maxandersen you are right, except that for some unknown reason many other downloads had no problem with the man-in-the-middle attack before the above-mentioned URL. I can try to get some SSL debug/trace messages from the VM with/without the trusted certificate.

ambition-consulting commented 4 years ago

Please note the different verify codes below. I do not know what most of this means, but clearly there is a fundamental difference between downloads where the interception works and those where it does not. Personally I wouldn't be surprised if cdn-ubi.redhat.com and cdn.redhat.com have different "SSL policies" - meaning the former does not accept the interception, whereas the latter does.

cdn-ubi.redhat.com downloads do not work without trusting the intercepting proxy

docker run -it frapsoft/openssl s_client -connect cdn-ubi.redhat.com:443 -prexit
CONNECTED(00000003)
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./CN=*.redhat.com
   i:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
 1 s:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
   i:/C=US/O=Blue Coat Systems, Inc./CN=Cloud Services CA - G2
 2 s:/C=US/O=Blue Coat Systems, Inc./CN=Cloud Services CA - G2
   i:/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./CN=*.redhat.com
issuer=/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3855 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B7CCD391A170C80990917972C70F35B8887C19C28F8E0E8281E757FD4CAA209
    Session-ID-ctx:
    Master-Key: 0CBD8379B6A8CCD5F28BA2CDA018EA9BEE7B7054F4AFC2C3384040B8F8A255F59B42BC11CAB9BB1EFA94938ABAE0FAAE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592225447
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./CN=*.redhat.com
   i:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
 1 s:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
   i:/C=US/O=Blue Coat Systems, Inc./CN=Cloud Services CA - G2
 2 s:/C=US/O=Blue Coat Systems, Inc./CN=Cloud Services CA - G2
   i:/C=US/O=BlueCoat Systems, Inc./CN=Cloud Services Root CA
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./CN=*.redhat.com
issuer=/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3855 bytes and written 464 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B7CCD391A170C80990917972C70F35B8887C19C28F8E0E8281E757FD4CAA209
    Session-ID-ctx:
    Master-Key: 0CBD8379B6A8CCD5F28BA2CDA018EA9BEE7B7054F4AFC2C3384040B8F8A255F59B42BC11CAB9BB1EFA94938ABAE0FAAE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592225447
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

cdn.redhat.com downloads work without trusting the intercepting proxy

docker run -it frapsoft/openssl s_client -connect cdn.redhat.com:443 -prexit
CONNECTED(00000003)
depth=2 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = Entitlement Master CA, emailAddress = ca-support@redhat.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=cdn.redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
 1 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
 2 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=cdn.redhat.com
issuer=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
---
Acceptable client certificate CA names
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Candlepin Authority/emailAddress=ca-support@redhat.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:0x07+0x08:0x08+0x08:0x09+0x08:0x0A+0x08:0x0B+0x08:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6453 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A8F86BCE76E242AA9019A51161DA13F65FAFD106D7C13D5F0F195235295B76F4
    Session-ID-ctx:
    Master-Key: C60426A34F0D1115D64C66E040292FB2072443643A6E2B8D8571F32F4D4F37F941040AE718254B8F83D7798548875A6C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592225375
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
---
Certificate chain
 0 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=cdn.redhat.com
   i:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
 1 s:/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
 2 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=cdn.redhat.com
issuer=/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
---
Acceptable client certificate CA names
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Entitlement Operations Authority/emailAddress=ca-support@redhat.com
/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=Entitlement Master CA/emailAddress=ca-support@redhat.com
/C=US/ST=North Carolina/O=Red Hat, Inc./OU=Red Hat Network/CN=Red Hat Candlepin Authority/emailAddress=ca-support@redhat.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:0x07+0x08:0x08+0x08:0x09+0x08:0x0A+0x08:0x0B+0x08:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6484 bytes and written 476 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A8F86BCE76E242AA9019A51161DA13F65FAFD106D7C13D5F0F195235295B76F4
    Session-ID-ctx:
    Master-Key: C60426A34F0D1115D64C66E040292FB2072443643A6E2B8D8571F32F4D4F37F941040AE718254B8F83D7798548875A6C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592225375
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

cdn-ubi.redhat.com downloads work after trusting the intercepting proxy

bash-4.4$ openssl s_client -connect cdn-ubi.redhat.com:443 -prexit
CONNECTED(00000003)
depth=3 C = US, O = "BlueCoat Systems, Inc.", CN = Cloud Services Root CA
verify return:1
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com
   i:C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
 1 s:C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
   i:C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
 2 s:C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
   i:C = US, O = "BlueCoat Systems, Inc.", CN = Cloud Services Root CA
---
Server certificate
subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com

issuer=C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3850 bytes and written 452 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 077FF8BB7DB374422B09FB9C3640D72D1CDE5B3FE20C91342D9518B3AE9FB5B6
    Session-ID-ctx:
    Master-Key: DD37CEB3995FEBF02334406225A9B36B7B1B9C35150AB63ED26BE2203B9B62EDB9EE411800709A3E314299B4F847CA7F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592227905
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
read:errno=0
---
Certificate chain
 0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com
   i:C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
 1 s:C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
   i:C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
 2 s:C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
   i:C = US, O = "BlueCoat Systems, Inc.", CN = Cloud Services Root CA
---
Server certificate
subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com

issuer=C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3850 bytes and written 483 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 077FF8BB7DB374422B09FB9C3640D72D1CDE5B3FE20C91342D9518B3AE9FB5B6
    Session-ID-ctx:
    Master-Key: DD37CEB3995FEBF02334406225A9B36B7B1B9C35150AB63ED26BE2203B9B62EDB9EE411800709A3E314299B4F847CA7F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1592227905
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
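A small parser for transcripts like the three captures above, added here as an example and not taken from any comment in this thread: it extracts the leaf certificate's issuer and the "Verify return code" so the before/after captures can be compared mechanically rather than by eye. The sample transcripts inside it are constructed from the page's captures, abbreviated to the lines the parser needs.

```shell
#!/bin/sh
# s_client_verdict.sh: added example (not from this thread). Reads an
# `openssl s_client -prexit` transcript and summarises the two fields that
# distinguish the captures above: the leaf issuer and the "Verify return code".
set -eu

# leaf_issuer: issuer (i:) line of certificate 0 in the first "Certificate chain".
# Works for both DN styles OpenSSL prints ("/C=US/O=..." and "C = US, O = ...").
leaf_issuer() {
  sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1
}

# verify_code: numeric "Verify return code" (an OpenSSL X509_V_ERR_* value; 0 is ok).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# chain_verified: succeed only when the transcript on stdin verified (code 0).
chain_verified() {
  [ "$(verify_code)" = "0" ]
}

# s_client_verdict: print "<code>|<leaf issuer>|<meaning>" for the transcript on stdin.
# The transcript is spooled to a temp file because both fields are read from it.
s_client_verdict() {
  tmp=$(mktemp)
  cat > "$tmp"
  code=$(verify_code < "$tmp")
  issuer=$(leaf_issuer < "$tmp")
  rm -f "$tmp"
  case "${code:-none}" in
    0)  meaning="ok: chain validates against the local trust store" ;;
    20) meaning="missing issuer: a CA in the chain is not in the trust store (an intercepting proxy whose CA was never installed is one common cause)" ;;
    19) meaning="self-signed root that is not in the trust store (a private PKI, as in the cdn.redhat.com capture)" ;;
    *)  meaning="verify code ${code:-absent}: see the openssl verify documentation" ;;
  esac
  printf '%s|%s|%s\n' "${code:-none}" "$issuer" "$meaning"
}

# Constructed sample: cdn-ubi.redhat.com seen through the Blue Coat proxy before the
# proxy CA was trusted (values from the page, unrelated lines omitted).
sample_ubi_before() {
  cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./CN=*.redhat.com
   i:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
 1 s:/C=US/O=Cloud Services/OU=Operations/CN=SSL-SG1-GDEFR3
   i:/C=US/O=Blue Coat Systems, Inc./CN=Cloud Services CA - G2
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Constructed sample: the same host after the proxy CA was added to the anchors.
sample_ubi_after() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = *.redhat.com
   i:C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GDEFR3
---
    Verify return code: 0 (ok)
EOF
}

# Script usage: openssl s_client -connect HOST:443 -prexit </dev/null > t.txt; sh s_client_verdict.sh t.txt
if [ "${1:-}" != "" ]; then
  s_client_verdict < "$1"
fi
```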
Steve-Dillon commented 3 years ago

Sorry if I sound like a total newb to all this, but how do I copy the intercepting SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image to /etc/pki/ca-trust/source/anchors/? How can I access the SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image? Thanks in advance for any help.

terrayuku commented 3 years ago

Sorry if I sound like a total newb to all this, but how do I copy the intercepting SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image to /etc/pki/ca-trust/source/anchors/? How can I access the SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image? Thanks in advance for any help.

Can someone please help with this? I am also experiencing the same issue, running mvn clean package -Dquarkus.container-image.build=true behind a proxy.

Here is the full error I am getting:

Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]

ambition-consulting commented 3 years ago

Inside the Dockerfile, use ADD to copy it into the image, then RUN to execute the required update commands. What exactly you need to do depends on which image you work on.

Steve-Dillon notifications@github.com wrote on Tue., 9 Feb. 2021, 19:23:

Sorry if I sound like a total newb to all this, but how do I copy the intercepting SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image to /etc/pki/ca-trust/source/anchors/? How can I access the SSL PEM inside the registry.access.redhat.com/ubi8/ubi:8.1 image? Thanks in advance for any help.


joeebmw commented 3 years ago

Yeah, it would be great if there were a guide to the solution; there are many certs along the way, so knowing which one to do what with would be great. Everyone can do ADD and RUN, that is not where the problem is...
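The ADD/RUN recipe referred to above and the fix described earlier in the thread (copy the proxy's CA PEM into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust), written out as an added example that is not part of Quarkus, the UBI image or any comment here; the script name, the Dockerfile lines in its header, the placeholder file names and the UPDATE_CA_TRUST override are assumptions.

```shell
#!/bin/sh
# trust-proxy-ca.sh: added example, not Quarkus or UBI code. Stages an organisation's
# TLS-intercepting proxy CA into the RHEL/UBI system trust store during an image
# build, so yum/microdnf and curl in later RUN steps accept proxy-issued certificates.
# Assumed Dockerfile usage (file names are placeholders):
#   ADD proxy-ca.pem trust-proxy-ca.sh /tmp/
#   RUN sh /tmp/trust-proxy-ca.sh /tmp/proxy-ca.pem && rm -f /tmp/proxy-ca.pem /tmp/trust-proxy-ca.sh
# Keep images built this way inside that network: every container started from
# them trusts the proxy CA for any TLS host, not just cdn-ubi.redhat.com.
set -eu

# Anchor directory consulted by update-ca-trust on RHEL/UBI; the second argument of
# install_proxy_ca overrides it (the tests use a temp dir). UPDATE_CA_TRUST lets a
# caller substitute the command, e.g. UPDATE_CA_TRUST=true for a dry run.
DEFAULT_ANCHORS_DIR=/etc/pki/ca-trust/source/anchors
UPDATE_CA_TRUST=${UPDATE_CA_TRUST:-update-ca-trust}

# count_pem_certs FILE: number of "BEGIN CERTIFICATE" blocks in FILE (0 if none).
count_pem_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# pem_is_wellformed FILE: at least one certificate, and every BEGIN has its END.
# A truncated paste is the usual way an exported proxy CA ends up unusable as an anchor.
pem_is_wellformed() {
  begins=$(count_pem_certs "$1")
  ends=$(grep -c '^-----END CERTIFICATE-----' "$1" 2>/dev/null || true)
  [ "${begins:-0}" -ge 1 ] && [ "${begins:-0}" -eq "${ends:-0}" ]
}

# install_proxy_ca FILE [ANCHORS_DIR]: copy FILE into the anchors directory and
# rebuild the consolidated bundle. Returns 1 and leaves the store untouched when
# FILE is not a well-formed PEM certificate (or bundle).
install_proxy_ca() {
  src=$1
  dir=${2:-$DEFAULT_ANCHORS_DIR}
  if ! pem_is_wellformed "$src"; then
    echo "error: $src is not a well-formed PEM certificate" >&2
    return 1
  fi
  mkdir -p "$dir"
  dest="$dir/$(basename "$src")"
  cp "$src" "$dest"
  chmod 0644 "$dest"          # anchors are public material: world-readable, not writable
  if command -v "$UPDATE_CA_TRUST" >/dev/null 2>&1; then
    "$UPDATE_CA_TRUST"        # regenerates the bundle that curl and yum/microdnf read
  else
    echo "warning: $UPDATE_CA_TRUST not found; anchor staged in $dir only" >&2
  fi
}

# verify_trust HOST: after installation, confirm the proxy-issued chain now validates.
# cdn-ubi.redhat.com is the host that failed in this thread (verify return code 20).
verify_trust() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Entry point: sh trust-proxy-ca.sh /path/to/proxy-ca.pem [anchors-dir]
if [ "${1:-}" != "" ]; then
  install_proxy_ca "$1" "${2:-}"
fi
```

Run it as root inside the build (the RUN step above) so that update-ca-trust can rewrite the bundle; verify_trust needs network access and is meant for a later RUN or an interactive check, not for offline use.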