I have a Linux-based Docker container, where if I do:
curl https://google.com
...then I get an error:
curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html
The same happens for any URL - it's not Google that's at fault.
The link referenced above suggests various solutions, none of which seem appropriate apart from perhaps the last one, which suggests updating the certificate store. But there are no instructions on how to do that (or at least, none that make sense to me).
Is that the right thing to do, and if so how?
UPDATE: as requested, here's the result of:
openssl s_client -showcerts -connect www.google.com:443 CONNECTED(00000003) depth=3 DC = com, DC = forestroot, CN = SHA256RootCA verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com i:/CN=ssl-decrypt -----BEGIN CERTIFICATE----- MIIDXzCCAkegAwIBAgIIXIk3p8xOX/kwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE AxMLc3NsLWRlY3J5cHQwHhcNMTgxMjE5MDgxNzAwWhcNMTkwMzEzMDgxNzAwWjBo ... tq0VAGIoj4+YhO6bktTq3alCRoLstJuuxjVdb1wRkH4YRi0I6ZAB1Cw+M8Lg+2eQ KuEo -----END CERTIFICATE----- 1 s:/CN=ssl-decrypt i:/DC=com/DC=bgs/CN=SHA256IssueCA -----BEGIN CERTIFICATE----- MIIGzDCCBLSgAwIBAgITEQAADvB9T7mSaacwDQABAAAO8DANBgkqhkiG9w0BAQsF ADBCMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDYmdzMRYw ... 1z9f/nkj2XTRyGeACoy0qRd5uXJHp1iGM27l3RFDR9OjrfPV56pOBUYWAlc9Nn+1 Vr3qUZrcCkROrmYisVF4jg== -----END CERTIFICATE----- 2 s:/DC=com/DC=MyCompanyServer/CN=SHA256IssueCA i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA -----BEGIN CERTIFICATE----- MIIH4zCCBcugAwIBAgITOQAAAAOa4wv9nnK0uQAAAAAAAzANBgkqhkiG9w0BAQsF ADBIMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0 ... IomErcbcymIWBmN75PVMsk9EMyqDP394jG8+IOK+lVUVX4pxzhdd7eYbqTAwDE1X bNWcZZkt/w== -----END CERTIFICATE----- 3 s:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA -----BEGIN CERTIFICATE----- MIIFgzCCA2ugAwIBAgIQULxmYXGJ1aFIlIyCHA4NIzANBgkqhkiG9w0BAQsFADBI MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0cm9v ... jQBLY0/KIjHywv66GhtVWpexgQcXrLxQP2VHW7eXpsylvwkNU5XNQYzHTB7u+w5C VunfRLt/7mVWyURcwkOre38tVSByKR4= -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com issuer=/CN=ssl-decrypt --- No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 6556 bytes and written 302 bytes Verification error: self signed certificate in certificate chain --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 723D9976F985887CA5F256EE3C2E7B44B9C98A6B440AAF4E19564AE101F78D00 Session-ID-ctx: Master-Key: C3D8759A753C1D269FF9C00854E59B8C10ABC1E94AFE9F0166486A649FE295ACE1AF5E5BEDB0129E557E781BC860D2FA PSK identity: None PSK identity hint: None SRP username: None Start Time: 1548690163 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: yes --- read:errno=0
What I gather from this is that there's certificate in this chain belonging to the company I'm working for (which I've renamed MyCompanyServer), and I imagine that's the issue.
Am I right in thinking that I need to install some sort of key for that certificate? This is all greek to me, so apologies for the newbie questions.