Docker容器始终显示ssl连接错误

nqwrtyyt  于 2022-11-24  发布在  Docker
关注(0)|答案(4)|浏览(442)

我刚开始使用docker compose,并一直在使用这个简单的demo flask应用程序。问题是,我在一个组织内部运行这个应用程序,它拦截所有的通信,以这样一种方式抛出SSL错误。它们为我们提供了三个需要安装的根证书,我通常在自己的机器上使用这些证书。但是当涉及到如何让这些在停靠组合部署中工作时,我就不明白了。
当我运行docker-compose时,我得到以下结果:

$ sudo docker-compose up 
Creating network "project_default" with the default driver
Building web
Step 1/5 : FROM python:3.4-alpine
3.4-alpine: Pulling from library/python
81033e7c1d6a: Pull complete
9b61101706a6: Pull complete
415e2a07c89b: Pull complete
f22df7a3f000: Pull complete
8c16bf19c1f9: Pull complete
Digest: sha256:fe436cb066394d81cf49448a04dec7c765082445a500bc44f1ae5e8a455793bd
Status: Downloaded newer image for python:3.4-alpine
 ---> 5c72717ec319
Step 2/5 : ADD . /code
 ---> a5790c0e3e94
Removing intermediate container 052c614e41d0
Step 3/5 : WORKDIR /code
 ---> a2ea9acb3005
Removing intermediate container 77f2375ca0a6
Step 4/5 : RUN pip install -r requirements.txt
 ---> Running in 5f4fe856776d
Collecting flask (from -r requirements.txt (line 1))
  Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1d30>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f19b0>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1828>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1588>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1390>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
  Could not find a version that satisfies the requirement flask (from -r requirements.txt (line 1)) (from versions: )
No matching distribution found for flask (from -r requirements.txt (line 1))

Pip安装任何东西都失败。
docker-compose.yml文件如下所示:

version: '3'
services:
  web:
    build: .
    ports:
     - "5000:5000"
  redis:
    image: "redis:alpine"

主Dockerfile如下所示:

FROM python:3.4-alpine
ADD . /code
WORKDIR /code
RUN pip install -r requirements.txt
CMD ["python", "app.py"]

在这种情况下,是否有任何方法可以使其工作?是否有一个通用的解决方案可以解决这类问题,允许我将SSL证书传递到任何部署的容器,并使用它们?

f5emj3cl

f5emj3cl1#

在我的情况下,我必须添加在我的Dockerfile这些句子:

COPY company.crt /usr/local/share/ca-certificates/company.crt
RUN update-ca-certificates
...
RUN pip install --cert /etc/ssl/certs/company.pem -r requirements.txt

您需要贵公司的证书为.crt格式。当docker执行update-ca-certificates时,linux将在以下路径中创建一个同名的.pem文件:/etc/ssl/certs/。它将在SSL中的pip之间转换网络。

a14dhokn

a14dhokn2#

这并不是一个针对 Docker 的问题:您实际上是在问“如何在Linux下安装证书颁发机构”?2无论您是在容器内部还是外部运行ssl客户端,答案都是一样的。
Python映像基于alpine,alpine使用“ca-certificates”包来管理CA证书。要安装本地CA证书,您需要(a)将它们复制到/usr/share/ca-certificates目录中,(b)运行update-ca-certificates
例如,将类似以下内容添加到您的Dockerfile(在您的pip install之前):

COPY company-ca.crt /usr/share/ca-certificates
RUN update-ca-certificates
mf98qq94

mf98qq943#

在我的例子中,主机的MTU是1450,Docker的MTU是1500。
这导致Docker将MSS设置为1460,然后TLS“服务器hello”数据包大于1450字节,因此主机将其丢弃。
如果你的情况也是如此,在你的Docker容器和你的主机上运行ifconfig。如果主机的MTU小于1500,很容易遇到这种丢弃数据包的情况。特别是在HTTPS中,因为“服务器hello”需要发送证书,这是一个大数据包

qxsslcnc

qxsslcnc4#

我试图从我的Go代码中的API读取数据,我遇到了类似的ssl错误:

x509: certificate signed by unknown authority

我的容器是基于debian:stretch的,它真的很小~ 100 MB。当ca-certificates没有安装时会发生这种情况。我安装了ca-certificates(它也安装了openssl),如下所示:

FROM debian:stretch

RUN apt-get update && apt-get install -y ca-certificates --no-install-recommends && rm -rf /var/lib/apt/lists/*

# ...

这也适用于可能未安装ca-certificates的任何其他基本映像。

相关问题