Reputation: 3112
pip install fails on docker build
I am having a strange problem. I have following Dockerfile:
FROM openjdk:8-jre-alpine3.8
WORKDIR /app
RUN apk --no-cache add curl bash g++ postgresql-dev python3-dev
COPY requirements.txt /app
RUN pip3 install -r requirements.txt
...
I'm building it with command docker build -t mydocker .. It builds fine on other computers but fails on mine with following error:
Certificate did not match expected hostname:pypi.org. Certificate:{
'subject':((('organizationalUnitName',
'Domain Control Validated' ),
),
(('commonName',
'.fireonskull.com' ),
)),
'issuer':((('countryName',
'US' ),
),
(('stateOrProvinceName',
'Arizona' ),
),
(('localityName',
'Scottsdale' ),
),
(('organizationName',
'GoDaddy.com, Inc.' ),
),
(('organizationalUnitName',
'http://certs.godaddy.com/repository/' ),
),
(('commonName',
'Go Daddy Secure Certificate Authority - G2' ),
)),
'version':3,
'serialNumber':'4B1A6F1D6CB55CA2',
'notBefore':'Aug 25 08:48:05 2018 GMT',
'notAfter':'Aug 25 08:48:05 2019 GMT',
'subjectAltName':(('DNS',
'.fireonskull.com' ),
('DNS',
'fireonskull.com' )),
'OCSP': ('http://ocsp.godaddy.com/',
),
'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',
),
'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-860.crl',
)
}Retrying (Retry(total=4,
connect=None,
read=None,
redirect=None,
status=None)) after connection broken by 'SSLError(CertificateError("hostname 'pypi.org' doesn't match either of '.fireonskull.com',
'fireonskull.com'",),)': /simple/pandas/
Certificate did not match expected hostname: pypi.org. Certificate: {'subject': ((('organizationalUnitName', 'Domain Control Validated'),), (('commonName', '.fireonskull.com'),)), 'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Arizona'),), (('localityName', 'Scottsdale'),), (('organizationName', 'GoDaddy.com, Inc.'),), (('organizationalUnitName', 'http://certs.godaddy.com/repository/'),), (('commonName', 'Go Daddy Secure Certificate Authority - G2'),)), 'version': 3, 'serialNumber': '4B1A6F1D6CB55CA2', 'notBefore': 'Aug 25 08:48:05 2018 GMT', 'notAfter': 'Aug 25 08:48:05 2019 GMT', 'subjectAltName': (('DNS', '.fireonskull.com'), ('DNS', 'fireonskull.com')), 'OCSP': ('http://ocsp.godaddy.com/',), 'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',), 'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-860.crl',)} Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(CertificateError("hostname 'pypi.org' doesn't match either of '.fireonskull.com',
'fireonskull.com'",
),
)':/simple/pandas/
The error mentions the name fireonskull.com, which sounds familiar to me. I once had a SSL certificate for this domain on my computer.
But what does docker build has to do with files on my system. Also pip install works fine on the host OS. Please help!
Upvotes: 0
Views: 13051
Answers (3)
Reputation: 688
A dirty quickfix could be to define what dns the container should use in the build command:
docker build --dns=1.1.1.1 -t mydocker .
But that does of course not fix the root cause. @kichik is on to something in his comment above. You need to debug how the name is resolved. I would prefer to do that from an interactive shell.
docker run -ti openjdk:8-jre-alpine3.8 sh
First checkout what dns server is used:
cat /etc/resolv.conf
I get nameserver 192.168.65.1, which is the host machine
Now install bind-tools to get dig and query pypi.org
apk add bind-tools
dig pypi.org
That should give you an answer that's suppose to look like this:
; <<>> DiG 9.12.3 <<>> pypi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55237
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pypi.org. IN A
;; ANSWER SECTION:
pypi.org. 31 IN A 151.101.64.223
pypi.org. 31 IN A 151.101.0.223
pypi.org. 31 IN A 151.101.192.223
pypi.org. 31 IN A 151.101.128.223
;; Query time: 27 msec
;; SERVER: 192.168.65.1#53(192.168.65.1)
;; WHEN: Tue Feb 26 08:25:29 UTC 2019
;; MSG SIZE rcvd: 90
Most likely your answer will show you that the dns doesn't resolve correctly. To get more info on how the domain is resolved use the +trace option for dig
dig +trace pypi.org
That should hopefully reveal what responds with the wrong address.
This was my first answer, leaving it here for future reference
Given that it works on your host OS, it sounds like you have a proxy setup in your docker configuration.
Open your docker preferences and go to the proxy tab to see.
It could also be in your ~/.docker/config.json. Something like this:
{
"proxies":
{
"default":
{
"httpProxy": "http://127.0.0.1:3001",
"httpsProxy": "http://127.0.0.1:3001",
"noProxy": "*.test.example.com,.example2.com"
}
}
}
Source: https://docs.docker.com/network/proxy/
Upvotes: 4
Reputation: 129
From the thing I see, you have a problem with the SSL check/verification. Try to add this in pip install step:
pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org -r requirements.txt
Upvotes: 1
Reputation: 764
Given that you are running from an openjdk image, it does not have everything ptyhon needs, add this to your dockerfile
RUN apt-get update && apt-get install -y --no-install-recommends \
python3.6 \
python3-pip \
&& \
apt-get clean && \
Upvotes: -4
Related Questions
- Pip install returning a ValueError
- CERTIFICATE_VERIFY_FAILED on pip install on Docker
- Getting self signed certificate error with pip install within Docker, but only for certain packages
- Pip upgrade cannot install packages
- Pip Install SSL Issue
- Pip install fails: SSL required
- Why am I getting SSL issues inside docker with pip
- Installation of python module using `pip` during `docker build` fails
- ssl error why installing with pip
- Installing with pip using custom compiled Python can't use SSL