terraform init fails in a Docker container -- x509: certificate signed by unknown authority


I have

I get

I have also installed the following certificates:

$ docker-compose run terraform curl --version
curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.40.0
Release-Date: 2019-11-06
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
Here is the output of curl -v

$ docker-compose run terraform ls -lR /etc/ssl

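Run update-ca-certificates after installing the ca-certificates package. Docker layer caching may be preventing it from re-running the install step, and the CA certificates may be out of date.

That did not solve the problem.

What is the output when you run
docker-compose run terraform curl -v --insecure https://registry.terraform.io/.well-known/terraform.json
?

Updated the original post.

There is a self-signed certificate in the chain that may be causing the problem, but it seems unlikely. There is an official Terraform docker image that may be better, or you may want to delete the local image and try rebuilding.

Did you force docker-compose to rebuild after updating the Dockerfile?

Same problem. When I change my IP (using a VPN), it is fine for a while.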
$ docker-compose run terraform /terraform init
2020/03/29 08:25:36 [INFO] Terraform version: 0.12.9
2020/03/29 08:25:36 [INFO] Go runtime version: go1.12.9
2020/03/29 08:25:36 [INFO] CLI args: []string{"/terraform", "init"}
2020/03/29 08:25:36 [DEBUG] Attempting to open CLI config file: /.terraformrc
2020/03/29 08:25:36 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/03/29 08:25:36 [INFO] CLI command args: []string{"init"}
2020/03/29 08:25:36 [ERR] Checkpoint error: mkdir /.terraform.d: permission denied

Initializing the backend...
2020/03/29 08:25:36 [TRACE] Meta.Backend: no config given or present on disk, so returning nil config
2020/03/29 08:25:36 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2020/03/29 08:25:36 [DEBUG] New state was assigned lineage "cff52927-0e9b-8ef4-8aeb-2b176dbc40a6"
2020/03/29 08:25:36 [TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
2020/03/29 08:25:36 [TRACE] Meta.Backend: instantiated backend of type <nil>
2020/03/29 08:25:36 [DEBUG] checking for provider in "."
2020/03/29 08:25:36 [DEBUG] checking for provider in "/"
2020/03/29 08:25:36 [DEBUG] checking for provisioner in "."
2020/03/29 08:25:36 [DEBUG] checking for provisioner in "/"
2020/03/29 08:25:36 [INFO] Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
2020/03/29 08:25:36 [TRACE] Meta.Backend: backend <nil> does not support operations, so wrapping it in a local backend
2020/03/29 08:25:36 [TRACE] backend/local: state manager for workspace "default" will:
 - read initial snapshot from terraform.tfstate
 - write new snapshots to terraform.tfstate
 - create any backup at terraform.tfstate.backup
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: read nil snapshot
2020/03/29 08:25:36 [DEBUG] checking for provider in "."
2020/03/29 08:25:36 [DEBUG] checking for provider in "/"
2020/03/29 08:25:36 [DEBUG] plugin requirements: "aws"=""
2020/03/29 08:25:36 [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2020/03/29 08:25:36 [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json

Initializing provider plugins...
- Checking for available provider plugins...
2020/03/29 08:25:36 [DEBUG] Failed to request discovery document: Get https://registry.terraform.io/.well-known/terraform.json: x509: certificate signed by unknown authority

Registry service unreachable.

This may indicate a network issue, or an issue with the requested Terraform Registry.


Error: registry service is unreachable, check https://status.hashicorp.com/ for status updates

$ docker-compose run --entrypoint 'curl -v --insecure https://registry.terraform.io/.well-known/terraform.json' terraform
*   Trying 151.101.190.49:443...
* TCP_NODELAY set
* Connected to registry.terraform.io (151.101.190.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=q2.shared.global.fastly.net
*  start date: Apr  1 14:48:12 2020 GMT
*  expire date: Aug 29 17:17:53 2020 GMT
*  issuer: C=US; ST=CA; O=paloalto networks; OU=IT; CN=decrypt.paloaltonetworks.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cce9444220)
> GET /.well-known/terraform.json HTTP/2
> Host: registry.terraform.io
> user-agent: curl/7.67.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: Cowboy
< cache-control: stale-if-error=31536000, public, max-age=3600
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.segment.com https://www.googletagmanager.com https://a.optnmstr.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://p.typekit.net https://use.typekit.net; img-src 'self' data: https: https://www.google-analytics.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://www.google-analytics.com https://api.segment.io https://sentry.io https://api.omappapi.com https://api.opmnstr.com https://api.optmnstr.com
< content-type: application/json
< feature-policy:
< last-modified: Fri, 10 Apr 2020 08:49:04 GMT
< referrer-policy: no-referrer-when-downgrade
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-xss-protection: 1; mode=block
< via: 1.1 vegur
< via: 1.1 varnish
< accept-ranges: bytes
< date: Sat, 11 Apr 2020 06:07:54 GMT
< via: 1.1 varnish
< age: 63
< x-served-by: cache-dca17758-DCA, cache-pao17436-PAO
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< vary: Accept-Encoding
< content-length: 62
<
{"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}
* Connection #0 to host registry.terraform.io left intact
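
The issuer in the curl output above is decrypt.paloaltonetworks.com rather than a public CA, which means a TLS-inspecting device re-signed the registry certificate with a CA that the container's /etc/ssl/certs/ca-certificates.crt does not contain; that is what Go reports as "x509: certificate signed by unknown authority". The following is an added example, not part of the original post, that pulls the issuer and verification result out of a curl -v transcript; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Print the value of the first "* <field>: value" line in curl -v output (stdin).
curl_field() {
    sed -n "s/^\*  *$1: *//p" | head -n 1
}

# Classify a curl -v TLS transcript read from stdin.
diagnose_tls() {
    transcript=$(cat)
    issuer=$(printf '%s\n' "$transcript" | curl_field issuer)
    verify=$(printf '%s\n' "$transcript" | curl_field 'SSL certificate verify result')
    issuer_cn=$(printf '%s\n' "$issuer" | sed -n 's/.*CN=\([^;]*\).*/\1/p')
    if [ -z "$issuer" ]; then
        echo "no-certificate"
    elif [ -z "$verify" ]; then
        # curl (OpenSSL backend) prints a "verify result" line only when
        # validation failed and --insecure let the connection continue.
        echo "verified issuer=$issuer_cn"
    else
        echo "untrusted issuer=$issuer_cn reason=${verify%%,*}"
    fi
}

# Certificate lines copied from the curl -v output on this page.
sample_transcript() {
    cat <<'EOF'
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=q2.shared.global.fastly.net
*  issuer: C=US; ST=CA; O=paloalto networks; OU=IT; CN=decrypt.paloaltonetworks.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
EOF
}

sample_transcript | diagnose_tls
```

When the result is "untrusted" and the issuer is an organisation's own inspection CA, the remedy is to add that CA certificate to the image's trust store and run update-ca-certificates, not to disable verification.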