0

I'm running ddev under wsl2. I'm behind the zscaler proxy. I was able to copy the zscaler cert to ubuntu "/usr/local/share/ca-certificates" and ran "sudo update-ca-certificates". After that i was able to install homebrew and ddev. However, when i created the drupal 9 site and use the command "ddev composer create "drupal/recommended-project" --no-install", it gave me "ubuntu curl: (60) ssl certificate problem: self signed certificate in certificate chain". I also tried to copy the zscaler cert into the web container but still got the same issue. How do I circumvent this issue?

rfay
  • 9,963
  • 1
  • 47
  • 89
kevin
  • 1
  • 1

2 Answers2

0

This is a problem that you and your IT department will have to solve. I imagine you have not just a proxy but also the VPN you're using is likely doing deep packet inspection and has a replacement CA for the trusted CA that the rest of the internet uses.

If you don't have a VPN, but only a proxy, then you need to properly configure docker for the proxy, see https://github.com/drud/ddev-contrib/tree/master/recipes/proxy - but since you're getting untrusted certs, it looks to me like there's more going on than just a proxy.

If your IT department can provide you with a replacement CA crt you can put it into .ddev/web-build and add a .ddev/web-build/Dockerfile like this:

ARG BASE_IMAGE
FROM $BASE_IMAGE
COPY <yourcert>*.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh
rfay
  • 9,963
  • 1
  • 47
  • 89
  • I already did that but it is not working. – kevin Mar 24 '22 at 07:56
  • I imagine you'll be fine if you on a normal network. If it's possible to do it, connect your machine to an ordinary network with no proxy or VPN and see if things are working. Then work back from there. – rfay Mar 24 '22 at 18:56
  • I was able to do it fine on my personal pc. I have no issue with setting ddev on my personal pc. – kevin Mar 24 '22 at 20:37
  • ddev on my corporate network was another story. Initially, I was not able to install homebrew since it failed the curl ssl, but i was able to figure it out and installed the zscaler proxy cert in ubuntu. After that i was able to install homebrew then ddev. But now the next step is using ddev to set up drupal 9 project. It failed curl ssl again since the command "ddev composer create ...." curl to github from the web container to grab the drupal template. So i tried what you mentioned above regarding the Dockerfile where i replaced the with the zscaler cert, but still failed. – kevin Mar 24 '22 at 20:49
  • 1
    I went back to my CA in Windows and found another cert called "certadmin". I was able to copy this cert to the web-build folder and update the Dockerfile and now everything is working. – kevin Mar 24 '22 at 21:38
  • Thanks, please add an answer that fully describes your solution! – rfay Mar 25 '22 at 14:28
0

  1. Export proxy zscaler and certadmin certificates from Windows Trusted CA to .CER format in my network environment.

  2. Use OpenSSl and convert them from .CER to .CRT format.

    • openssl x509 -inform DER -in zscaler.cer -out zscaler.crt
    • openssl x509 -inform DER -in certadmin.cer -out certadmin.crt

  3. Copy these files to /usr/local/share/ca-certificates folder in ubuntu.

    sudo cp /mnt/c/certificates/zscaler.crt /mnt/c/certificates/certadmin.crt /usr/local/share/ca-certificates

  4. Run

    sudo update-ca-certificates

  5. Follow instructions on DDEV documentation site to install Homebrew, gcc, ddev, and xdg-utils.

  6. Again follow instructions on DDEV documentation site to setup drupal 9 project.

  7. Before running the step: ddev start, copy the certs in step #3 to my sampleprojectfolder/.ddev/web-build folder.

    cd /home/kevin/my-drupal9-site/.ddev/web-build && sudo cp /mnt/c/certificates/zscaler.crt /mnt/c/certificates/certadmin.crt .

  8. While cd into web-build folder, copy the sample docker file from it and name it "Dockerfile".

    cp Dockerfile.example Dockerfile

  9. Modify the content of the Dockerfile nano Dockerfile as follow so that when ddev creates the containers it pulls in the certificates into the web container as well.

    ARG BASE_IMAGE
FROM $BASE_IMAGE
COPY *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh

  10. Run

    ddev start

  11. Follow the rest of the steps to create the drupal 9 project from the DDEV Documentation.

kevin
  • 1
  • 1