[ https://issues.apache.org/jira/browse/MESOS-5863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jie Yu reassigned MESOS-5863:
-----------------------------

    Assignee: Jie Yu

> Enabling SSL causes fetcher fail to fetch from HTTPS sites.
> -----------------------------------------------------------
>
>                 Key: MESOS-5863
>                 URL: https://issues.apache.org/jira/browse/MESOS-5863
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.27.3, 0.28.2, 1.0.0
>            Reporter: Jie Yu
>            Assignee: Jie Yu
>
> This is because curl (which fetcher relies on) also relies on some of the
> environment variables used by libprocess SSL support. For instance,
> `SSL_CERT_FILE`. If the operator sets `SSL_CERT_FILE` env var for Mesos
> agent, the fetcher will inherit this env var and cause curl to fail:
> {noformat}
> [centos@ip-10-10-0-205 ~]$ SSL_CERT_FILE=/run/dcos/pki/tls/certs/mesos-slave.crt curl https://registry-1.docker.io:443/v2/library/alpine/manifests/latest
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> [centos@ip-10-10-0-205 ~]$ curl https://registry-1.docker.io:443/v2/library/alpine/manifests/latest
> {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Name":"library/alpine","Action":"pull"}]}]}
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
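One way to keep the agent's `SSL_CERT_FILE` from reaching a child process such as curl, as an added example that is not part of the original message and is not Mesos code. The helper names `inherited_trust_overrides` and `run_scrubbed` are hypothetical, the path is a constructed placeholder, and including `SSL_CERT_DIR` alongside the variable named in the issue is an assumption.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of Mesos or libprocess.

# Trust-store overrides that an OpenSSL-backed curl reads from its environment.
# SSL_CERT_FILE is the variable named in the issue; SSL_CERT_DIR is its
# directory counterpart in OpenSSL (included here as an assumption).
TRUST_OVERRIDES="SSL_CERT_FILE SSL_CERT_DIR"

# Print every override that a child process would inherit right now,
# one NAME=value per line. Only exported variables show up in `env`.
inherited_trust_overrides() {
    pattern=$(printf '%s' "$TRUST_OVERRIDES" | tr ' ' '|')
    env | grep -E "^($pattern)=" || true
}

# Run a command with the overrides removed from its environment only.
# The subshell keeps the caller's own settings intact, so the parent
# can go on using SSL_CERT_FILE for its own TLS configuration.
run_scrubbed() {
    (
        for name in $TRUST_OVERRIDES; do
            unset "$name"
        done
        exec "$@"
    )
}

# Constructed demo: the path is a placeholder and no file is read.
export SSL_CERT_FILE=/constructed/agent.crt
echo "inherited by children: $(inherited_trust_overrides)"
run_scrubbed sh -c 'echo "scrubbed child sees: ${SSL_CERT_FILE-<unset>}"'
echo "parent still has: $SSL_CERT_FILE"
```

With the override removed, curl falls back to its default CA bundle, which is the behaviour of the second command in the report.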