首页 新闻 会员 周边 捐助

docker容器内访问https问题,curl: (60) SSL certificate problem: self signed certificate

0
悬赏园豆:40 [已解决问题] 解决于 2019-12-06 15:02

ubuntu服务器A上,docker容器内 curl https://www.ygdy8.com问题

问题:

root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com  //1.宿主机下正常访问
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com  //2.容器内报证书签名问题
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com   //3.容器内访问其它https站点正常
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

期望:

期望容器内 curl https://www.ygdy8.com得到跟宿主机相同的结果

 

自己尝试过的问题排查:

1,下载证书并指定证书访问,结果提示证书过期。

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

 

2,通信过程,发现宿主机和容器内解析的IP不一致,然后我修改了容器内host,把该域名解析IP指定成了宿主机解析的IP,得到的结果跟上面一样certificate has expired

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/     //容器内
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit   //退出容器

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/   //宿主机内
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

 

3,我在另一台ubuntu服务器B下,pull了同样的镜像,然后启动容器,进入容器内curl却没有任何问题,我怀疑是服务器A的问题,或者说是服务器A的docker网络配置问题。两台机器docker是同样的安装方式,并没有设置过网络相关配置。

找不到一个满意的昵称的主页 找不到一个满意的昵称 | 菜鸟二级 | 园豆:243
提问于:2019-12-05 16:06
< >
分享
最佳答案
0

可能是因为 openssl 版本或者配置问题

容器内

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

宿主机内

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
收获园豆:30
dudu | 高人七级 |园豆:30585 | 2019-12-05 16:47

容器内更新openssl相当麻烦,装了N个包之后总算更新到跟宿主机一致的1.1.1版本,结果当然是不行。最后我结合之前排查的两个点解决了问题。

1,先修改host使域名解析到正确的IP(至于为什么会解析到一个错误的IP我还没搞清楚,可能是之前的缓存)

2,然后根据https://curl.haxx.se/docs/sslcerts.html,下载证书openssl s_client -showcerts -servername server -connect server:443 > cacert.pem

之前从错误的服务器(IP)上下载的证书所以不行,指定了正确的IP之后就正常了。

找不到一个满意的昵称 | 园豆:243 (菜鸟二级) | 2019-12-06 14:57
其他回答(1)
0

对比一下你的服务器A和服务器B上的镜像的签名是否一致,是不是用了latest镜像?两个地方的不一致

收获园豆:10
Timetombs | 园豆:3959 (老鸟四级) | 2019-12-05 18:37

同一镜像。

清除回答草稿
   您需要登录以后才能回答,未注册用户请先注册