[
https://issues.apache.org/jira/browse/MESOS-5863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jie Yu reassigned MESOS-5863:
-----------------------------
Assignee: Jie Yu
> Enabling SSL causes fetcher fail to fetch from HTTPS sites.
> -----------------------------------------------------------
>
> Key: MESOS-5863
> URL: https://issues.apache.org/jira/browse/MESOS-5863
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 0.27.3, 0.28.2, 1.0.0
> Reporter: Jie Yu
> Assignee: Jie Yu
>
> This is because curl (which fetcher relies on) also relies on some of the
> environment variables used by libprocess SSL support. For instance,
> `SSL_CERT_FILE`. If the operator sets `SSL_CERT_FILE` env var for Mesos
> agent, the fetcher will inherit this env var and cause curl to fail:
> {noformat}
> [centos@ip-10-10-0-205 ~]$
> SSL_CERT_FILE=/run/dcos/pki/tls/certs/mesos-slave.crt curl
> https://registry-1.docker.io:443/v2/library/alpine/manifests/latest
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> [centos@ip-10-10-0-205 ~]$ curl
> https://registry-1.docker.io:443/v2/library/alpine/manifests/latest
> {"errors":[{"code":"UNAUTHORIZED","message":"authentication
> required","detail":[{"Type":"repository","Name":"library/alpine","Action":"pull"}]}]}
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
