So I ran into an issue with Lando recently that is rather interesting:
When running lando composer install, the command failed to fetch some packages:
- Downloading symfony/polyfill-php72 (v1.27.0)
Failed to download drupal/core-project-message from dist: curl error 60 while downloading https://api.github.com/repos/drupal/core-project-message/zipball/5dfa0b75a057caf6542be67f61e7531c737db48c: SSL certificate problem: unable to get local issuer certificate
The interesting part is that running composer install from the host (without Lando) doesn’t yield any error; this curl issue happens only when running in the container.
Diagnose
The very first step is to diagnose and confirm the error. Troubleshooting composer can be done with the handy command composer diagnose.
As we want to debug the Lando container, run that command via Lando tooling: lando composer diagnose
Clearly, curl cannot make any request because of an SSL issue.
To debug further, I ran curl -i https://github.com (also inside the container) to see more of the issue.
The error message is clearer with this check. A quick search for “curl: (60) SSL certificate problem: unable to get local issuer certificate” basically recommends the following steps to fix the curl issue:
- Download the certificate (a .pem or a .crt file)
- Configure curl (inside the container) to use this certificate
Another hint is that curl is using the CAfile at /etc/ssl/certs/ca-certificates.crt, and all certificates can be found in /etc/ssl/certs.
My case with Zscaler
In my case, we’re working inside a corporate network, via Zscaler, so all requests must pass through the VPN. One more detail is that running curl on my host machine doesn’t encounter any issue with the VPN, so it seems that the Zscaler certificate is misconfigured inside the Lando container.
The solution is clear in this case:
- Get the Zscaler certificate
- Add that certificate into the container
Get the Zscaler certificate
The instructions on the Lando page mention 2 ways to retrieve the certificate:
- Bother the Sysadmin asking for the certificate
- Extract it from your browser
The second option is much easier, but it’s not very clear how to get the certificate. So here are the steps (they work on Firefox only):
Then, after clicking View Certificate, Firefox shows a list of certificates used in the browser. There should be a Zscaler Root CA certificate. The PEM certificate can be found in the Miscellaneous section. Download it and rename it to ZscalerRootCA.crt (or another name of your choice).
It’s also worth mentioning that we have to change the extension of the downloaded certificate from .pem to .crt; otherwise, Lando’s update-ca-certificates won’t work correctly, because it only picks up files ending in .crt.
Add that certificate into the container
Next we’ll add the certificate to the appserver container in Lando (that’s where lando composer runs).
I place the renamed ZscalerRootCA.crt in [project-root]/.lando/, and update the .lando.yml as:
services:
  appserver:
    build_as_root:
      - cp /app/.lando/ZscalerRootCA.crt /usr/local/share/ca-certificates/
      - chmod 644 /usr/local/share/ca-certificates/ZscalerRootCA.crt
      - update-ca-certificates
The update-ca-certificates command basically appends the new certificate to /etc/ssl/certs/ca-certificates.crt in the container, and makes sure it’s configured correctly.
The result
After updating .lando.yml, a Lando rebuild is required to apply the new config. After the rebuild, curl and composer should be back to normal.
Don’t forget to ignore the .crt file in your git repo!
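To confirm after the rebuild that the certificate really was appended to the bundle curl reads, a check like the following can be run inside the appserver container. This is an added example, not part of the original post or of Lando; the function names pem_bodies, ca_installed and demo are hypothetical, and the demo data is constructed placeholder base64, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): post-rebuild trust-store check.

# pem_bodies FILE: print one line per certificate in FILE, holding its
# base64 body with whitespace and carriage returns removed.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# ca_installed CERT [BUNDLE]: return 0 if the first certificate in CERT is
# present in BUNDLE, 1 if it is missing, 2 if CERT holds no PEM certificate.
ca_installed() {
  cert=$1
  bundle=${2:-/etc/ssl/certs/ca-certificates.crt}   # CAfile path from the post
  case $cert in
    *.crt) ;;
    *) echo "warning: $cert does not end in .crt" >&2 ;;   # see the .pem/.crt note
  esac
  want=$(pem_bodies "$cert" | head -n 1)
  [ -n "$want" ] || { echo "no PEM certificate in $cert" >&2; return 2; }
  if pem_bodies "$bundle" | grep -Fqx -- "$want"; then
    echo "OK: $cert is in $bundle"
  else
    echo "MISSING: $cert is not in $bundle" >&2
    return 1
  fi
}

# demo: constructed placeholder data (not real certificates) showing the
# bundle before and after the certificate is appended to it.
demo() {
  dir=$(mktemp -d) || return 2
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQt' \
    'Uk9PVC1DQQ==' '-----END CERTIFICATE-----' > "$dir/ZscalerRootCA.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'T1RIRVItQ0E=' \
    '-----END CERTIFICATE-----' > "$dir/bundle.crt"
  before=0; ca_installed "$dir/ZscalerRootCA.crt" "$dir/bundle.crt" || before=$?
  cat "$dir/ZscalerRootCA.crt" >> "$dir/bundle.crt"
  after=0; ca_installed "$dir/ZscalerRootCA.crt" "$dir/bundle.crt" || after=$?
  rm -rf "$dir"
  [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
```

Inside the container, ca_installed /app/.lando/ZscalerRootCA.crt compares against the default bundle path; a MISSING result usually means the rebuild has not run or the file kept its .pem extension.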