SSL证书验证在特定服务器上的Docker容器内失败 [英] SSL certificate verification fails inside docker container on specific server
问题描述
我遇到了一个奇怪的证书问题,我不知道如何调试。当我在一台特定服务器上的docker容器内运行wget时,它无法验证证书。相同的wget在服务器计算机本身(外部docker)上运行良好,并且在不同服务器上的同一docker容器内运行。
I'm running into a strange problem with certificates that I can't figure out how to debug. When I run wget inside of a docker container on one specific server it cannot verify certificates. The same wget works fine on the server machine itself (outside docker) and it works inside that same docker container on different servers.
以下是docker容器的设置:
Here's the setup for the docker container:
docker run --rm -ti debian:jessie bash
apt-get update
apt-get install wget
wget https://google.com
响应为:
converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2016-06-22 14:22:02-- https://google.com/
Resolving google.com (google.com)... 216.58.217.142, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|216.58.217.142|:443... connected.
ERROR: The certificate of 'google.com' is not trusted.
ERROR: The certificate of 'google.com' hasn't got a known issuer.
The certificate's owner does not match hostname 'google.com'
由于该相同过程有效在其他服务器上,问题似乎只能是该服务器本身的某些证书问题。但是我必须感到困惑:为什么服务器本身的证书与Docker容器内部发生的事情有什么关系?
Since this same process works on other servers, it seems like the problem could only be some certificate problem on that server itself. But I must be confused: why should the certificates on the server itself have anything to do with what's happening inside of the docker container?
我真的很感谢对此有任何见解,特别是我可以用来更好地理解问题的所有调试步骤。
I would really appreciate any insight into this, in particular any debugging steps I can take to understand the problem better.
推荐答案
Docker使用iptables。
Docker uses iptables.
如果设置了iptable规则,则可以将每个https请求定向到您自己的运行服务器。
If you have iptable rules set up it's possible to direct EVERY https request to your own running server.
例如,如果您在本地运行jenkins并使用iptables将443重定向到默认的8080端口,则所有到443端口的容器流量都将重定向到该本地jenkins服务器,该服务器将无法验证您的证书。
当使用Jenkins构建我们的docker镜像时,我们遇到了这个问题。我们的jenkins使用iptables绕过以root身份运行jenkins。
If you are, for example, running jenkins locally and using iptables to redirect 443 to default 8080 port than all your container traffic to port 443 ports will be redirected to that local jenkins server which will be unable to verify your certificate. We ran into this problem when using Jenkins to build our docker images. our jenkins used iptables to get around running jenkins as root.
这篇关于SSL证书验证在特定服务器上的Docker容器内失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
