On Ubuntu server A, curl https://www.ygdy8.com fails inside a Docker container
Problem:
root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com    // 1. works normally on the host
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com    // 2. inside the container: certificate signature error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com    // 3. other https sites work fine inside the container
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#
Expected:
Inside the container, curl https://www.ygdy8.com should give the same result as on the host.
Troubleshooting I have tried myself:
1. Downloaded the certificate and pointed curl at it; the result was "certificate has expired".
root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit
root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
2. Looking at the connection, I found that the host and the container resolve the domain to different IPs. I then edited the container's hosts file to point the domain at the IP the host resolves to, and got the same result as above: certificate has expired.
root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/    // inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
root@1e398e2637b5:/app# exit    // leave the container
root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/    // on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov 3 00:00:00 2019 GMT
*  expire date: Nov 2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#
3. On another Ubuntu server B, I pulled the same image, started a container, and curl inside it worked without any problem. I suspect the issue is with server A, or rather with server A's Docker network configuration. Docker was installed the same way on both machines and no network-related settings were ever changed.
It may be an openssl version or configuration issue.
Inside the container:
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
On the host:
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
Updating openssl inside the container is a real pain; after installing N packages I finally got it to 1.1.1, the same version as the host, and of course it still didn't work. In the end I solved it by combining the two points from my earlier troubleshooting.
1. First edit the hosts file so the domain resolves to the correct IP (I still haven't figured out why it resolved to a wrong IP; possibly an old cache).
2. Then, following https://curl.haxx.se/docs/sslcerts.html, download the certificate: openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
The certificate I downloaded earlier came from the wrong server (IP), which is why it didn't work; once the correct IP was specified it worked.
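The traces above show the two machines connecting to different addresses (104.233.229.10 versus 156.238.183.80) and therefore receiving different certificates: the container got an expired, self-signed Supermicro IPMI certificate (verify codes 18 and 10), the host got the TrustAsia-issued one that verifies against the default CA bundle. The script below is an added example, not code from the original post or any project; it reproduces that diagnosis in one step using only the Python standard library, so it can be run first on the host and then inside the container with the host's addresses as reference, and it reports a resolver mismatch before anyone reaches for --cacert or -k. The host name and reference IPs are command-line arguments; the verify-code table covers the two codes seen in the thread plus 62 (hostname mismatch) as an assumption for completeness.

```python
#!/usr/bin/env python3
"""tlsprobe.py: show which addresses a name resolves to on this machine and what
OpenSSL's verifier says about the certificate served at each of them.

Added example for this thread (not the original poster's code); stdlib only.
Usage, on the host and then inside the container, passing the host's IPs:
    python3 tlsprobe.py www.ygdy8.com 156.238.183.80
"""
import socket
import ssl
import sys
import time
from dataclasses import dataclass

# OpenSSL X509 verify result codes: 18 and 10 appear in the thread's
# openssl s_client output; 62 (assumed here) is what a name mismatch gives.
VERIFY_CODES = {10: "certificate has expired",
                18: "self signed certificate",
                62: "hostname mismatch"}


@dataclass
class Probe:
    ip: str
    verified: bool
    subject_cn: str
    issuer_org: str
    detail: str


def resolve(host, port=443):
    """Unique addresses this machine's resolver returns for host (A and AAAA)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


def compare_resolution(reference_ips, local_ips):
    """(same, only_in_reference, only_local). Any difference means the two
    machines talk to different servers, which is why they see different certs."""
    ref, loc = set(reference_ips), set(local_ips)
    return (ref == loc, sorted(ref - loc), sorted(loc - ref))


def name_attr(rdns, key):
    """Pull one attribute (e.g. commonName) from a getpeercert() subject/issuer."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def not_after_epoch(cert):
    """notAfter of a getpeercert() dict as Unix time."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def cert_is_expired(cert, now=None):
    return not_after_epoch(cert) < (time.time() if now is None else now)


def explain_verify_error(code, message):
    """Map a verifier failure to the question a defender should ask next."""
    label = VERIFY_CODES.get(code, message)
    if code == 18:
        return (f"{label} (code {code}): this address is not serving the site's "
                "CA-issued certificate; confirm the resolver gave the right IP "
                "before trusting a downloaded cert or disabling verification")
    if code == 10:
        return f"{label} (code {code}): check the clock and the notAfter date"
    return f"{label} (code {code})"


def probe_ip(host, ip, port=443, timeout=5.0):
    """Handshake with one address (SNI = host) against the system CA store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return Probe(ip, True, name_attr(cert["subject"], "commonName"),
                             name_attr(cert["issuer"], "organizationName"),
                             "verify ok, expires " + cert["notAfter"])
    except ssl.SSLCertVerificationError as e:
        return Probe(ip, False, "", "",
                     explain_verify_error(e.verify_code, e.verify_message))
    except (OSError, ssl.SSLError) as e:
        return Probe(ip, False, "", "", f"connection failed: {e}")


def main(argv):
    if len(argv) < 2:
        print(__doc__)
        return 2
    host, reference = argv[1], argv[2:]
    ips = resolve(host)
    print(f"{host} resolves here to: {', '.join(ips)}")
    if reference:
        same, only_ref, only_local = compare_resolution(reference, ips)
        print("resolution matches reference" if same else
              f"resolution DIFFERS: reference-only {only_ref}, local-only {only_local}")
    for ip in ips:
        p = probe_ip(host, ip)
        print(f"  {ip}: {'OK ' if p.verified else 'BAD'} CN={p.subject_cn!r} "
              f"issuer={p.issuer_org!r} {p.detail}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the host first to learn the reference addresses, then inside the container with those addresses appended; a "resolution DIFFERS" line together with a code-18 probe result is the signature of the situation in this thread (the container's resolver handing back an address that belongs to some other device), and the fix belongs in name resolution, not in the trust store.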
Compare whether the image signatures on your server A and server B are the same; did you use the latest tag? The two places may be inconsistent.
Same image.