Fixing “curl: (60) unable to get local issuer certificate” Error in WSL-Docker Environment


When working with Docker in WSL (Windows Subsystem for Linux), you might encounter SSL/TLS certificate verification failures that don't occur on your Windows host. The error typically appears when trying to access HTTPS resources:

curl -vfsSL https://apt.releases.hashicorp.com/gpg
curl: (60) SSL certificate problem: unable to get local issuer certificate

This issue stems from certificate chain validation failures within your WSL distribution. The problem occurs because:

  • WSL maintains its own certificate store separate from Windows
  • The CA certificates might be outdated or incomplete
  • Corporate proxies or firewalls might intercept and replace certificates
  • Clock drift between Windows and WSL, which makes certificates look not yet valid or expired

1. Update CA Certificates in WSL

First, ensure your WSL distribution has up-to-date certificates:

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs

2. Manual Certificate Installation

For specific services like HashiCorp's repository, you can manually install their root certificate:

sudo curl -o /usr/local/share/ca-certificates/AmazonRootCA1.crt \
https://www.amazontrust.com/repository/AmazonRootCA1.pem
sudo update-ca-certificates

3. Verify Time Synchronization

Certificate validation depends on accurate system time. Check and sync time in WSL:

sudo apt install ntpdate
sudo ntpdate pool.ntp.org
# On WSL2 the clock often drifts after sleep; resetting it from the hardware clock works without network access
sudo hwclock -s
date

4. Debugging with openssl

To better diagnose the issue, use openssl directly:

openssl s_client -showcerts -connect apt.releases.hashicorp.com:443 \
-CAfile /etc/ssl/certs/ca-certificates.crt

In corporate environments, additional steps might be necessary:

# Export corporate certificates from Windows
certmgr.msc  # Export relevant certificates as Base64-encoded X.509 (.cer), which is PEM

# Import into WSL: update-ca-certificates only picks up PEM files with a .crt extension,
# so the file must be renamed on the way in
sudo cp company_root.cer /usr/local/share/ca-certificates/company_root.crt
sudo update-ca-certificates

For development purposes only, you can disable certificate verification (not recommended for production):

curl -k https://apt.releases.hashicorp.com/gpg  # Insecure!
# curl does not read a CURL_INSECURE variable, so in a Docker build the
# only equivalent is passing -k explicitly (or `insecure` in ~/.curlrc):
RUN curl -k -fsSL https://apt.releases.hashicorp.com/gpg -o hashicorp.gpg  # Insecure!

If the issue occurs in Docker builds, you may need to:

# In your Dockerfile
RUN apt-get update && apt-get install -y ca-certificates

# Or when running containers (REQUESTS_CA_BUNDLE is read by Python's requests library;
# curl reads CURL_CA_BUNDLE instead)
docker run -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt your_image

Remember that WSL2 has its own virtualized network stack, so corporate certificate injection might not work the same way as on the Windows host.


When working with WSL 2 (Ubuntu 20.04) and Docker Desktop on Windows Enterprise systems, developers frequently encounter SSL/TLS verification failures during curl operations. The specific error manifests as:

curl: (60) SSL certificate problem: unable to get local issuer certificate

This occurs because the Linux subsystem cannot properly validate server certificates against the Windows certificate store.

WSL maintains its own CA certificate store separate from Windows. The verification fails because:

  • WSL's default CA bundle (/etc/ssl/certs/ca-certificates.crt) may be incomplete
  • Enterprise proxies or security software might intercept traffic with custom certs
  • The Windows host's trusted certificates aren't automatically synced to WSL

1. Update CA Certificates in WSL

First refresh your certificate store:

sudo apt update && sudo apt install --reinstall ca-certificates
sudo update-ca-certificates --fresh

2. Manual Certificate Installation

For enterprise environments with custom CA:

# Export your company's root CA from Windows (certmgr.msc), then convert it to a
# PEM file with a .crt extension, the only form update-ca-certificates reads.
# The target directory is root-owned, so the write needs sudo:
sudo openssl x509 -inform DER -in company_root.cer -out /usr/local/share/ca-certificates/company_root.crt
# If certmgr exported it as "Base64-encoded X.509" it is already PEM: use -inform PEM instead
sudo update-ca-certificates

3. WSL-Specific Certificate Sync

Create a startup script to sync Windows certs:

#!/bin/bash
# /etc/profile.d/sync_win_certs.sh
# Windows keeps certificates in the registry, not as files; the MachineKeys
# folder only holds private-key blobs. Export the CA certs from certmgr.msc
# into a folder first (the path below is a placeholder), and this script
# converts them to PEM .crt files, the only form update-ca-certificates reads.
WIN_CERTS_DIR="/mnt/c/Users/Public/exported-certs"
WSL_CERTS_DIR="/usr/local/share/ca-certificates"

for cer in "$WIN_CERTS_DIR"/*.cer; do
  [ -e "$cer" ] || continue
  out="$WSL_CERTS_DIR/$(basename "$cer" .cer).crt"
  # accept DER or Base64 exports; the store directory is root-owned
  { openssl x509 -inform DER -in "$cer" 2>/dev/null || openssl x509 -inform PEM -in "$cer"; } | sudo tee "$out" >/dev/null
done
sudo update-ca-certificates

4. Docker-Specific Configuration

For Docker containers inheriting this issue:

# Dockerfile solution
RUN apt-get update && apt-get install -y ca-certificates
COPY ./company_certs/*.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

To identify exactly which cert is missing:

openssl s_client -showcerts -connect apt.releases.hashicorp.com:443 -servername apt.releases.hashicorp.com

Compare the issuer (i:) lines of the chain with the subjects in your local store. Note that openssl x509 only reads the first certificate in a bundle, so list the whole store with:

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt \
  | openssl pkcs7 -print_certs -noout | grep -i "subject="
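Automating that comparison, as an added example that is not part of the original post: a Python script that parses the chain summary printed by openssl s_client -showcerts and the subject list of the local store, then reports the first issuer that the server did not send and the store does not contain. It covers the openssl debugging step in both halves of this page. The chain and store text below are constructed samples in the OpenSSL 1.1.1+ name format, not captured output, and the Amazon names are taken from the page's own example, not verified against the live service.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the "Certificate chain" block that
# `openssl s_client -showcerts -connect HOST:443` prints, with each
# certificate's subject (s:) and issuer (i:) line.
SAMPLE_CHAIN = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = apt.releases.hashicorp.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
---
"""

# Constructed samples: subject lines of the local store, as listed by
# `openssl crl2pkcs7 -nocrl -certfile ca-certificates.crt | openssl pkcs7 -print_certs -noout`
SAMPLE_STORE_OK = """\
subject=C = US, O = Amazon, CN = Amazon Root CA 1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
SAMPLE_STORE_MISSING = """\
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""


def normalize_dn(dn: str) -> str:
    """Canonicalise a distinguished name so 'CN = x' and 'CN=x' compare equal."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs, leaf first, from s_client's chain block."""
    subj_re = re.compile(r"^\s*\d+\s+s:(.*)$")
    iss_re = re.compile(r"^\s*i:(.*)$")
    pairs: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    for line in text.splitlines():
        m = subj_re.match(line)
        if m:
            subject = normalize_dn(m.group(1))
            continue
        m = iss_re.match(line)
        if m and subject is not None:
            pairs.append((subject, normalize_dn(m.group(1))))
            subject = None
    return pairs


def parse_store(text: str) -> Set[str]:
    """Collect the normalised subjects of every certificate in the local store."""
    return {normalize_dn(line[len("subject="):])
            for line in text.splitlines() if line.startswith("subject=")}


def find_missing_issuer(chain_text: str, store_text: str) -> Optional[str]:
    """Walk the served chain from the leaf upwards. Each certificate's issuer
    must either be sent by the server (the next link) or sit in the local store;
    the first issuer that is in neither is the gap behind
    'unable to get local issuer certificate'. Returns None if the chain closes."""
    pairs = parse_chain(chain_text)
    served = {subject for subject, _ in pairs}
    store = parse_store(store_text)
    for _, issuer in pairs:
        if issuer not in served and issuer not in store:
            return issuer
    return None


if __name__ == "__main__":
    for label, store in (("complete store", SAMPLE_STORE_OK),
                         ("store without Amazon root", SAMPLE_STORE_MISSING)):
        missing = find_missing_issuer(SAMPLE_CHAIN, store)
        print(f"{label}: " + (f"missing issuer -> {missing}" if missing else "chain verifies"))
```

In practice you would feed it real output, e.g. `openssl s_client -showcerts -connect host:443 -servername host </dev/null > chain.txt` and the crl2pkcs7 listing above into a second file, and read both files in place of the constructed strings; the name reported is exactly the certificate that has to be added to /usr/local/share/ca-certificates (or, if it is an intermediate, that the server should have sent).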

When immediate resolution isn't possible:

  • Use curl -k (insecure) for temporary testing only
  • Set export CURL_CA_BUNDLE=/path/to/custom/ca-bundle.crt
  • Configure Docker to use host network: --network host