I have this small Dockerfile
FROM alpine:3.3
RUN apk --update add python
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]
Building it with docker build -t alpine-py/01 . and then running it with docker run -it --rm alpine-py/01 creates the following output
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
context=self._context)
File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
Yesterday I got bitten by the recent OpenSSL 1.0.2g release, which caused py-cryptograpy to not compile. Luckily the guys from py-cryptography released a new version on PyPI a couple of hours later. The issue was that a function in OpenSSL got a new signature.
Could this be related or am I missing something?
You need to install ca-certificates to be able to validate signed certs by public CAs:
FROM alpine:3.3
RUN apk --no-cache add python ca-certificates
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]
You will need to upgrade Alpine as libssl needs to be upgraded with a patch
FROM alpine:3.3
RUN apk -U upgrade && \
apk -U add python ca-certificates && \
update-ca-certificates
CMD ["python", "-c", "import urllib2; response = urllib2.urlopen('https://www.python.org')"]
apk -U upgrade will upgrade these:
- libcrypto1.0 (1.0.2e-r0 -> 1.0.2g-r0)
- libssl1.0 (1.0.2e-r0 -> 1.0.2g-r0)
来源:https://stackoverflow.com/questions/35762510/alpine-3-3-python-2-7-11-urllib2-causing-ssl-certificate-verify-failed