X509 parsing error, 'negative serial number' while pulling repository


Problem description

Our server accesses the internet through a proxy. When I try to run a pull command such as

sudo docker run -t -i ubuntu:14.04 /bin/bash

I get the below error:

Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse
    certificate from server: x509: negative serial number

The wget command wget -S -d -O - https://get.docker.io yields the below output:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2014-08-27 17:13:46--  https://get.docker.io/
Connecting to :... connected.
Created socket 3.
Releasing 0x00000000016829f0 (new refcount 0).
Deleting unused 0x00000000016829f0.

---request begin---
CONNECT get.docker.io:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==

---request end---
proxy responded with: [HTTP/1.1 200 Connection established
Date: Wed, 27 Aug 2014 11:49:52 GMT
Age: 0
Via: 1.0 xaahshshhds

] Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
certificate:
  subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
  issuer:  /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
  Unable to locally verify the issuer's authority.
To connect to get.docker.io insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x00000000016831c0

Please give me some directions on how I should go about this issue.

EDIT:

I've now disabled the proxy for this IP segment but I still get the same error. The command: wget -S -d -O - https://get.docker.io gets the below output now:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-09-04 11:26:12--  https://get.docker.io/
Resolving get.docker.io (get.docker.io)... 162.242.195.77
Caching get.docker.io => 162.242.195.77
Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
Created socket 3.
Releasing 0x00000000022d8fd0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
certificate:
  subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
  issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
X509 certificate successfully verified and matches host get.docker.io

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: get.docker.io
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 503 Service Unavailable
Server: nginx/1.7.1
Date: Thu, 04 Sep 2014 06:03:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache

---response end---

  HTTP/1.1 503 Service Unavailable
  Server: nginx/1.7.1
  Date: Thu, 04 Sep 2014 06:03:28 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Cache-Control: no-cache
Registered socket 3 for persistent reuse.
Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

] done.
2014-09-04 11:26:13 ERROR 503: Service Unavailable.

Solution

subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 
issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany

It looks like the proxy in your company uses SSL interception to inspect SSL traffic, which means that you get a certificate signed by the proxy CA of your company instead of the original certificate. It also looks like this proxy CA is not trusted by your system and thus the verification fails.

I would recommend that you contact your firewall administrator on how to deal with the problem. Either they will add an exception for the SSL inspection, or they will tell you which certificate you need to import as trusted in your system.
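
The error in the question, `x509: negative serial number`, concerns a single field of whatever certificate the server or an intercepting proxy presents: the serialNumber INTEGER, which DER encodes as two's complement. The following is an added example, not part of the original question or answer, that reads that field from a DER certificate so the result can be handed to the proxy administrator; the helper names and the sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def serial_from_der(cert_der):
    """Return (signed value, raw bytes) of Certificate.tbsCertificate.serialNumber."""
    tbs = cert_der
    for name in ("Certificate", "tbsCertificate"):
        tag, tbs, _ = read_tlv(tbs, 0)
        if tag != 0x30:
            raise ValueError(name + " is not a SEQUENCE")
    tag, body, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first
        tag, body, nxt = read_tlv(tbs, nxt)
    if tag != 0x02 or not body:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGER is two's complement: top bit set in the first byte means negative.
    return int.from_bytes(body, "big", signed=True), body

def check_serial(cert_der):
    value, raw = serial_from_der(cert_der)
    if value < 0:  # read as unsigned, the same bytes would need a leading 0x00
        return f"NEGATIVE serial {value} (raw {raw.hex()}, unsigned form 00{raw.hex()})"
    return f"ok serial {value:#x}"

# Constructed sample input: only the start of a certificate, cut off after the serial.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content    # short-form lengths suffice here
def _sample(serial):
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))      # [0] { INTEGER 2 } = v3
    return _tlv(0x30, _tlv(0x30, version + _tlv(0x02, serial)))
BAD = _sample(bytes.fromhex("9f3c21"))             # top bit set, no 0x00 pad
GOOD = _sample(bytes.fromhex("009f3c21"))          # same magnitude, correctly padded

if __name__ == "__main__":
    print(check_serial(BAD), check_serial(GOOD), sep="\n")
```

To check a real certificate, pass its DER bytes to `check_serial`; a PEM file can be converted with the standard library's `ssl.PEM_cert_to_DER_cert`.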
