Can't access certificates from host. #43

Open
liquidcms opened this issue Aug 26, 2024 · 7 comments
@liquidcms

We have been struggling with an issue which appears to be host/container related to certificate access. Wondering if anyone has come across this:

  • we are using the module Entity Print to create PDFs of node pages
  • on our Kube envs the PDFs create correctly but images are not included (and I suspect CSS files as well)
  • running this on local setups works, as it does on VM-based servers.
  • Entity Print uses the PHP lib Dompdf for creating PDF files.
  • Dompdf uses curl to grab the images (and CSS files) and then converts them into the PDF file.

Using Lens to access the pod and run curl directly to pull an image file, I get this error:

drupal-wxt-test-68dfd8f9bd-bxdbx:/var/www/html$ curl https://our-site.gc.ca/sites/default/files/inline-images/IMG-20211119-WA0002.jpg
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have seen posts suggesting the host does not know the public domain name and that either setting $settings['file_public_path_url'] or adding an entry to the hosts file might help, but no luck. Also, this command does work as expected:
wget --no-check-certificate https://our-site.ssc-spc.gc.ca/sites/default/files/inline-images/IMG-20211119-WA0002.jpg -O /tmp/test45.jpg

@smulvih2
Collaborator

@liquidcms make sure that your container has the CA certificates installed. In most Linux-based containers, you can do this by installing the ca-certificates package. Try this command inside the container:

apk add --no-cache ca-certificates

@liquidcms
Author

Hey Steve, thanks for that, but still no luck. The same curl but with --verbose:

*   Trying X.X.X.X:443...
* Connected to abc.com (X.X.X.X) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@smulvih2
Collaborator

After installing CA certificates, verify that the CA certificate bundle exists and is accessible:

ls -l /etc/ssl/certs/ca-certificates.crt

It could also be due to missing or outdated CA certificates. Ensure that the CA certificates are up to date:

update-ca-certificates --fresh
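
An offline reproduction of the error in this thread, added here as an example and not code from any participant or the project: a constructed root, intermediate and leaf chain shows that `openssl verify` reports "unable to get local issuer certificate" both when the issuing root is missing from the CA bundle and when the server omits its intermediate, and that the reported depth tells the two apart. It assumes the `openssl` CLI is installed; every CA name, hostname and file name is constructed, and the thread does not establish which cause applied to the reporter's site.

```bash
# Added example: every name, subject and path here is constructed.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:our-site.example
EOF

mkroot() {  # mkroot <name> <subject>: self-signed CA certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -config "$W/cfg" -extensions ca \
    -days 2 -subj "$2" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
issue() {   # issue <name> <subject> <ext-section> <signer>: cert signed by <signer>
  openssl req -new -newkey rsa:2048 -nodes -config "$W/cfg" -subj "$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$4.pem" -CAkey "$W/$4.key" \
    -CAcreateserial -extfile "$W/cfg" -extensions "$3" -days 2 \
    -out "$W/$1.pem" 2>/dev/null
}
mkroot public "/CN=Example Public CA"     # stands in for the stock CA bundle
mkroot root   "/CN=Example Private Root"  # a CA the stock bundle does not contain
issue  inter  "/CN=Example Issuing CA" ca   root
issue  leaf   "/CN=our-site.example"   leaf inter
cat "$W/public.pem" "$W/root.pem" > "$W/fixed.crt"  # bundle after the root is installed

# check <CAfile> [intermediates the server sent]: prints OK or OpenSSL's error line
check() {
  if out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$W/leaf.pem" 2>&1)
  then echo OK
  else printf '%s\n' "$out" | grep -m1 '^error [0-9]' || printf '%s\n' "$out"
  fi
}
# Root missing from the bundle: the failure is at depth 1 (the intermediate's issuer).
case_stock_bundle()    { check "$W/public.pem" "$W/inter.pem"; }
# Root added to the bundle, verification left on: passes.
case_root_added()      { check "$W/fixed.crt" "$W/inter.pem"; }
# Root trusted but the server sent no intermediate: depth 0 (the leaf's issuer).
case_no_intermediate() { check "$W/fixed.crt"; }

for c in case_stock_bundle case_root_added case_no_intermediate; do
  printf '%-22s %s\n' "$c" "$("$c")"
done
```

In a container, the equivalent of `case_root_added` is to place the missing CA certificate under /usr/local/share/ca-certificates and rerun update-ca-certificates, which keeps verification enabled, unlike --no-check-certificate.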

@olstjos

olstjos commented Sep 13, 2024

Deleted previous patches, getting the heavy artillery here, going to get xdebug on it.

@olstjos

olstjos commented Sep 14, 2024

XDebug helped out here.

Cooked up a patch.
dompdf_change_local_http_uri_to_a_file.patch.txt

@olstjos

olstjos commented Oct 4, 2024

My latest patch helps when using docker containers retrieving local images: https://github.com/user-attachments/files/17000656/dompdf_change_local_http_uri_to_a_file.patch.txt. However, the patch causes a regression with external images. Should be able to improve it but will need some time. It's not good enough yet. XDebug helps, get the heavy artillery out.

@milos-ws

> My latest patch helps when using docker containers retrieving local images: https://github.com/user-attachments/files/17000656/dompdf_change_local_http_uri_to_a_file.patch.txt. However, the patch causes a regression with external images. Should be able to improve it but will need some time. It's not good enough yet. XDebug helps, get the heavy artillery out.

I can confirm that this resolves the issue.
