Docker容器始终显示ssl连接错误 [英] Docker container always shows ssl connection error

问题描述

我正在开始使用docker compose，并且一直在通过简单的演示烧瓶应用程序进行工作.关键是，我是从一个组织内部运行此组织的，该组织拦截所有通信，并以向左和向右抛出SSL错误的方式进行.它们为我们提供了三个我们需要安装的根证书，而我通常已经在我自己的机器上运行了这些根证书，但是当我让它们在docker-compose部署中工作时我迷失了.

I'm getting started with docker compose and have been working through the simple demo flask application. The thing is, I'm running this from inside of an organization that intercepts all communication in such a way that SSL errors are thrown right and left. They provide us with three root certificates we need to install, and I've generally got these working on my own machine, but I'm lost when it comes to getting these to work inside docker-compose deployments.

当我运行docker-compose up时，我得到以下信息:

When I run docker-compose up, I get the following:

$ sudo docker-compose up 
Creating network "project_default" with the default driver
Building web
Step 1/5 : FROM python:3.4-alpine
3.4-alpine: Pulling from library/python
81033e7c1d6a: Pull complete
9b61101706a6: Pull complete
415e2a07c89b: Pull complete
f22df7a3f000: Pull complete
8c16bf19c1f9: Pull complete
Digest: sha256:fe436cb066394d81cf49448a04dec7c765082445a500bc44f1ae5e8a455793bd
Status: Downloaded newer image for python:3.4-alpine
 ---> 5c72717ec319
Step 2/5 : ADD . /code
 ---> a5790c0e3e94
Removing intermediate container 052c614e41d0
Step 3/5 : WORKDIR /code
 ---> a2ea9acb3005
Removing intermediate container 77f2375ca0a6
Step 4/5 : RUN pip install -r requirements.txt
 ---> Running in 5f4fe856776d
Collecting flask (from -r requirements.txt (line 1))
  Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1d30>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f19b0>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1828>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1588>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1390>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Could not find a version that satisfies the requirement flask (from -r requirements.txt (line 1)) (from versions: )
No matching distribution found for flask (from -r requirements.txt (line 1))

Pip无法安装任何内容.

Pip fails to install anything.

docker-compose.yml文件如下所示:

The docker-compose.yml file looks like this:

version: '3'
services:
  web:
    build: .
    ports:
     - "5000:5000"
  redis:
    image: "redis:alpine"

主Dockerfile如下所示:

And the main Dockerfile looks like this:

FROM python:3.4-alpine
ADD . /code
WORKDIR /code
RUN pip install -r requirements.txt
CMD ["python", "app.py"]

在这种特殊情况下，是否有任何方法可以使这项工作奏效?是否存在针对此类问题的通用解决方案，该解决方案将使我能够传递到已部署SSL证书的任何容器中并加以使用?

Is there any way to be able to make this work in this particular case? Is there a general solution to this sort of problem that would allow me to pass to any container deployed the SSL certificates and have them be used?

推荐答案

这实际上不是特定于docker的问题:实际上，您是在问如何在Linux下安装证书颁发机构"?不管您是在容器内部还是外部运行ssl客户端，答案都是相同的.

This isn't really a docker-specific question: you are asking, in effect, "how do I install certificate authorities under Linux"? The answer is going to be the same regardless of whether you are running your ssl client inside or outside of a container.

您的Python映像基于alpine，并且alpine使用"ca-certificates"包来管理CA证书.要安装本地CA证书，您需要(a)将它们复制到/usr/share/ca-certificates 目录中，并(b)运行 update-ca-certificates .

Your Python image is based on alpine, and alpine uses the "ca-certificates" package to manage CA certificiates. To install your local CA certificates, you would need to (a) copy them into the /usr/share/ca-certificates directory and (b) run update-ca-certificates.

例如，在Dockerfile中添加类似的内容(在 pip安装之前):

For example, adding something like this to your Dockerfile (before your pip install):

COPY company-ca.crt /usr/share/ca-certificates
RUN update-ca-certificates

这篇关于Docker容器始终显示ssl连接错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！