Installing certs into a Jupyter notebook docker image

Time:10-28

At work we have a bunch of internal servers that use self-signed certificates. I'm trying to install these certs into a Jupyter notebook image so it can access the servers, but for some reason they're not being found. Here is a minimal Dockerfile:

FROM jupyter/datascience-notebook:notebook-6.4.2

USER root

RUN echo 'Acquire::http::proxy "http://proxy.internal.server";' >> /etc/apt/apt.conf.d/99proxy
ENV http_proxy http://proxy.internal.server
ENV https_proxy http://proxy.internal.server
ENV NO_PROXY internal.server

COPY certificates/* /usr/local/share/ca-certificates/
RUN update-ca-certificates

After doing this, when I try to copy a file, e.g. with curl -O https://internal.server/file, it fails with a message that the cert is invalid. I have to add the -k flag to turn SSL verification off for it to succeed.

If I follow the same procedure but starting from a vanilla Ubuntu image, then there's no problem. (I do have to install ca-certificates and curl.)

Is there something about the Jupyter image that is messing with the cert store? What is the correct procedure for installing certs?

CodePudding user response:

The reason is that the Jupyter images use conda, and conda is shipped with openssl and its own CA certificates through the ca-certificates package. You can see it in the image:

python -c "import ssl; print(ssl.get_default_verify_paths())"
# DefaultVerifyPaths(cafile='/opt/conda/ssl/cert.pem', capath=None,
# openssl_cafile_env='SSL_CERT_FILE',
# openssl_cafile='/opt/conda/ssl/cert.pem',
# openssl_capath_env='SSL_CERT_DIR', 
# openssl_capath='/opt/conda/ssl/certs')

I don't have an ideal solution for using custom CA certificates. You can try playing with the various environment variables.

export SSL_CERT_DIR=/etc/ssl/certs
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

As a last resort you can try to:

  • Add the certificate to the conda ca file
openssl x509 -in /path/to/custom/ca.crt -outform PEM >> $CONDA_PREFIX/ssl/cacert.pem
  • Overwrite the conda CA file with a symlink to the system location.

However, those fixes will break if the ca-certificates package is updated.
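
An added example (not part of the original question or answer): a Python check of which CA bundle the interpreter's ssl module will load and whether a custom CA is actually in it, with and without the SSL_CERT_FILE override. The function names, file names and certificate blobs are constructed for illustration; the blobs are stand-ins, not real certificates.

```python
import hashlib
import os
import re
import ssl
import tempfile
from unittest import mock

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block found in a PEM string."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def active_bundle():
    """CA file the ssl module will load: SSL_CERT_FILE if set, otherwise the
    path compiled into the linked OpenSSL. None if that file does not exist."""
    return ssl.get_default_verify_paths().cafile

def missing_cas(bundle_path, ca_paths):
    """Return the custom CA files whose certificates are not in the bundle."""
    with open(bundle_path) as fh:
        trusted = fingerprints(fh.read())
    missing = []
    for path in ca_paths:
        with open(path) as fh:
            found = fingerprints(fh.read())
        if not found or not found <= trusted:  # empty file counts as missing
            missing.append(path)
    return missing

def demo():
    # Constructed stand-ins: NOT real certificates, they only need to survive
    # the PEM <-> DER round trip used for fingerprinting.
    public = ssl.DER_cert_to_PEM_cert(b"constructed-public-root")
    internal = ssl.DER_cert_to_PEM_cert(b"constructed-internal-ca")
    files = {"conda.pem": public, "system.pem": public + internal, "internal.crt": internal}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in files.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        conda, system, ca = (os.path.join(tmp, name) for name in files)
        before = missing_cas(conda, [ca])  # conda-style bundle lacks the internal CA
        with mock.patch.dict(os.environ, {"SSL_CERT_FILE": system}):
            active = active_bundle()       # the environment-variable redirect
        return before, missing_cas(active, [ca]), active == system, ca

if __name__ == "__main__":
    print(demo())
```

Inside the image, passing active_bundle() and the files copied to /usr/local/share/ca-certificates/ to missing_cas() shows whether the bundle Python will use contains them.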
