Hi Reco, >> >> curl: (60) SSL certificate problem: unable to get local issuer certificate >> >> >> >> Does that mean a TLS library does not feature all required protocols on >> >> armhf? >> > >> > TLS library that curl uses (openssl) is perfectly fine, but it cannot >> > validate any certificate unless you provide it with root CA >> > certificates. >> > So it likely means you haven't installed "ca-certificates" package. >> >> This is what it looks like. But actually I installed ca-certificates. > > Ok. Can you run tcpdump while you're running curl? > Specifically, > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443
I tried to dump from within the running container but failed. # tcpdump -s0 -pnni any -w /tmp/curl-certificate-problem.pcap tcp port 443 Unsupported setsockopt level=263 optname=8 getsockopt level=263 optname=11 not yet supported tcpdump: WARNING: can't get TPACKET_V3 header len on packet socket: Operation not supported Warning: Kernel filter failed: Bad file descriptor Unsupported setsockopt level=1 optname=27 tcpdump: can't remove kernel filter: Protocol not available The container was started as follows on an amd64 host running qemu-arm-static: $ docker run -it --rm toertel/test-tls-https-broken:arm32v7-buster-latest I gave it a try with a stripped down command and it did not work either. # tcpdump -w /tmp/curl-certificate-problem.pcap port 443 Unknown host QEMU_IFLA type: 50 Unknown host QEMU_IFLA type: 51 Unknown host QEMU_IFLA type: 50 Unknown host QEMU_IFLA type: 51 Unsupported ioctl: cmd=0x8946 Unsupported ioctl: cmd=0x8946 Unsupported ioctl: cmd=0x8946 Unsupported ioctl: cmd=0x8946 Unsupported ioctl: cmd=0x8946 Unsupported ioctl: cmd=0x8946 Unsupported setsockopt level=263 optname=8 getsockopt level=263 optname=11 not yet supported tcpdump: Can't open netlink socket 96:Protocol family not supported Thanks for your help, Mark