pip install fails on docker build

Question:

I am having a strange problem. I have the following Dockerfile:

FROM openjdk:8-jre-alpine3.8

WORKDIR /app


RUN apk --no-cache add curl bash g++ postgresql-dev python3-dev
COPY requirements.txt /app
RUN pip3 install -r requirements.txt
...

I’m building it with the command docker build -t mydocker . It builds fine on other computers but fails on mine with the following error:

Certificate did not match expected hostname: pypi.org. Certificate: {'subject': ((('organizationalUnitName', 'Domain Control Validated'),), (('commonName', '.fireonskull.com'),)), 'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Arizona'),), (('localityName', 'Scottsdale'),), (('organizationName', 'GoDaddy.com, Inc.'),), (('organizationalUnitName', 'http://certs.godaddy.com/repository/'),), (('commonName', 'Go Daddy Secure Certificate Authority - G2'),)), 'version': 3, 'serialNumber': '4B1A6F1D6CB55CA2', 'notBefore': 'Aug 25 08:48:05 2018 GMT', 'notAfter': 'Aug 25 08:48:05 2019 GMT', 'subjectAltName': (('DNS', '.fireonskull.com'), ('DNS', 'fireonskull.com')), 'OCSP': ('http://ocsp.godaddy.com/',), 'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',), 'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-860.crl',)}
Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(CertificateError("hostname 'pypi.org' doesn't match either of '.fireonskull.com', 'fireonskull.com'",),)': /simple/pandas/
Certificate did not match expected hostname: pypi.org. Certificate: {'subject': ((('organizationalUnitName', 'Domain Control Validated'),), (('commonName', '.fireonskull.com'),)), 'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Arizona'),), (('localityName', 'Scottsdale'),), (('organizationName', 'GoDaddy.com, Inc.'),), (('organizationalUnitName', 'http://certs.godaddy.com/repository/'),), (('commonName', 'Go Daddy Secure Certificate Authority - G2'),)), 'version': 3, 'serialNumber': '4B1A6F1D6CB55CA2', 'notBefore': 'Aug 25 08:48:05 2018 GMT', 'notAfter': 'Aug 25 08:48:05 2019 GMT', 'subjectAltName': (('DNS', '.fireonskull.com'), ('DNS', 'fireonskull.com')), 'OCSP': ('http://ocsp.godaddy.com/',), 'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',), 'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-860.crl',)}
Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(CertificateError("hostname 'pypi.org' doesn't match either of '.fireonskull.com', 'fireonskull.com'",),)': /simple/pandas/

The error mentions the name fireonskull.com, which sounds familiar to me. I once had an SSL certificate for this domain on my computer.

But what does docker build have to do with files on my system? Also, pip install works fine on the host OS. Please help!

Asked By: Lokesh

Answers:

Given that you are running from an openjdk image, it does not have everything Python needs. Add this to your Dockerfile:

RUN apt-get update && apt-get install -y --no-install-recommends \
    python3.6 \
    python3-pip \
    && apt-get clean

Answered By: Jose Angel Sanchez

From the thing I see, you have a problem with the SSL check/verification.
Try to add this in pip install step:

pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org -r requirements.txt

Answered By: Rockvlv

A dirty quickfix could be to define what dns the container should use in the build command:

docker build --dns=1.1.1.1 -t mydocker .

But that does of course not fix the root cause. @kichik is on to something in his comment above. You need to debug how the name is resolved. I would prefer to do that from an interactive shell.

docker run -ti openjdk:8-jre-alpine3.8 sh

First check out what dns server is used:

cat /etc/resolv.conf

I get nameserver 192.168.65.1, which is the host machine

Now install bind-tools to get dig and query pypi.org

apk add bind-tools
dig pypi.org

That should give you an answer that’s supposed to look like this:

; <<>> DiG 9.12.3 <<>> pypi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55237
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pypi.org.          IN  A

;; ANSWER SECTION:
pypi.org.       31  IN  A   151.101.64.223
pypi.org.       31  IN  A   151.101.0.223
pypi.org.       31  IN  A   151.101.192.223
pypi.org.       31  IN  A   151.101.128.223

;; Query time: 27 msec
;; SERVER: 192.168.65.1#53(192.168.65.1)
;; WHEN: Tue Feb 26 08:25:29 UTC 2019
;; MSG SIZE  rcvd: 90

Most likely your answer will show you that the dns doesn’t resolve correctly. To get more info on how the domain is resolved use the +trace option for dig

dig +trace pypi.org

That should hopefully reveal what responds with the wrong address.


This was my first answer, leaving it here for future reference

Given that it works on your host OS, it sounds like you have a proxy setup in your docker configuration.

Open your docker preferences and go to the proxy tab to see.

It could also be in your ~/.docker/config.json. Something like this:

{
 "proxies":
 {
   "default":
   {
     "httpProxy": "http://127.0.0.1:3001",
     "httpsProxy": "http://127.0.0.1:3001",
     "noProxy": "*.test.example.com,.example2.com"
   }
 }
}

Source: https://docs.docker.com/network/proxy/

Answered By: Sune Kjærgård
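
As an added example (not part of any answer above), the following Python sketch shows why pip rejected the connection and how to find which resolved address serves the wrong certificate. SERVED_CERT is constructed from the subjectAltName in the question's error output; the function names dns_names, name_matches, cert_covers and probe are hypothetical helpers, not part of pip or Docker.

```python
import socket
import ssl

# Constructed from the error in the question: the subjectAltName of the
# certificate pip received when it asked for pypi.org.
SERVED_CERT = {"subjectAltName": (("DNS", ".fireonskull.com"), ("DNS", "fireonskull.com"))}


def dns_names(cert):
    """DNS entries of a certificate dict in ssl.getpeercert() format."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a single left-most '*' label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, host):
    """True if any DNS name in the certificate is valid for host."""
    return any(name_matches(name, host) for name in dns_names(cert))


def probe(host, port=443, timeout=5.0):
    """Handshake with each address the local resolver returns; verification stays on."""
    ctx = ssl.create_default_context()
    results = {}
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    for addr in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((addr, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[addr] = "ok"
        except ssl.SSLCertVerificationError as exc:
            results[addr] = exc.verify_message  # wrong cert is reported, never accepted
        except OSError as exc:
            results[addr] = f"connection failed: {exc}"
    return results


if __name__ == "__main__":
    print("served cert covers pypi.org:", cert_covers(SERVED_CERT, "pypi.org"))
    print(probe("pypi.org"))
```

Run it in a container that has python3 installed and uses the same resolver as the build; any address that fails verification is the one to follow up with dig +trace.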

I searched a lot but there doesn’t seem to be an answer for resolution of this error in Docker Desktop for Windows. Adding dns to docker.json resolved my issue.

Go to docker desktop -> Docker Engine
here try modifying docker.json

Before change

{
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": false
  }
}

After change

{
  "builder": {
    "gc": {
      "defaultKeepStorage": "20GB",
      "enabled": true
    }
  },
  "experimental": false,
  "features": {
    "buildkit": false
  },
  "dns": [
    "114.114.114.114",
    "8.8.8.8"
  ]
}

Adding this dns to the json file worked for me.

Answered By: Amit