so I am working behind a corporate Proxy that uses it's own, self-signed certificates.
What I did was editing ~/.curlc so that it is configured to use my proxy, as well as setting the environment variables http_proxy and https_proxy.
Then I installed the proxy's ca certificate by moving it into \etc\ssl\certs and creating the link to its hash via ln -s my_ca.pem `openssl x509 -hash -noout -in my_ca.pem`.0.
So now I can curl and wget and everything works fine.
Next I created the directory /etc/systemd/system/docker.service.d and created a new file in it called http-proxy.conf:
[Service]
Environment= "HTTP_PROXY=http://user:pass#proxy.corp.net:3128/" "HTTPS_PROXY=https://user:pass#proxy.corp.net:3128/"
After doing that docker search works as it should but I still cannot pull a container from the official registry.
systemctl status docker tells me: Download failed, retrying: x509: certificate signed by unknown authority
So I really don't know what else I can do for it to work. Maybe anybody on here has an idea?
EDIT
The full output of a docker pull call when running the docker daemon in debug mode:
DEBU[0092] Calling GET /v1.22/info
DEBU[0092] GET /v1.22/info
DEBU[0092] Calling POST /v1.22/images/create
DEBU[0092] POST /v1.22/images/create?fromImage=httpd%3Alatest
DEBU[0092] Trying to pull httpd from https://registry-1.docker.io v2
DEBU[0093] Increasing token expiration to: 0 seconds
DEBU[0094] Pulling ref from V2 registry: httpd:latest
DEBU[0094] pulling blob "sha256:7268d8f794c449e593d3a48f62e7e22b7c3a4b6e615caaf9494ec3cb2d48f503"
DEBU[0094] pulling blob "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
DEBU[0094] pulling blob "sha256:5d77cae53716e669a240114fc676b26cb052cb325078c869f884cab8a658be17"
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
ERRO[0095] Download failed, retrying: x509: certificate signed by unknown authority
...
Related
Environment: Azure Kubernetes Cluster
Container: Dotnetcore 2.2 Linux
The dot-net core application was able to query the external partner API endpoint but suddenly it started throwing the below is the mentioned exception
ExceptionId: c6c603bb-91cc-4556-98bf-d747903f522a. Error Message: The SSL connection could not be established, see inner exception.. Error Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Also tried the curl command from inside busybox pod and getting this error
Curl command : curl --location --request GET 'external url' --header 'Authorization: token'
Error:
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Note:
Other partner API calls are working fine, except this particular partner but the curl from the local system is working. From Pod, it is throwing an error.
What can be the issue:
External partner SSL expired. Which the partner is saying that it has not
External partner SSL is cached and now invalid in Kubernetes
Kubernetes configuration is the problem. What can be the correct one
Trying to get up SSL for prometheus (started via docker). I generated key and crt myself using open ssl. Pair: key and crt works ok.
when I execute this command on my host:
openssl s_server -cert prometheus.crt -key prometheus.key
It's saying "ACCEPT"
Here is my Dockerfile for prometheus container:
https://pastebin.com/4wGtCGp6
When I build image and start it, it's saying:
level=error ts=2021-09-24T20:44:11.649Z caller=stdlib.go:105 component=web caller="http: TLS handshake error from 127.0.0.1:50458" msg="remote error: tls: bad certificate"
кричит постоянно
In the web.yml I configure SSL in a following way:
tls_server_config:
cert_file: /etc/prometheus/prometheus.crt
key_file: /etc/prometheus/prometheus.key
In the prometheus.yml I configure SSL in a following way:
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
scheme: https
tls_config:
ca_file: /etc/prometheus/prometheus.crt
cert_file: /etc/prometheus/prometheus.crt
key_file: /etc/prometheus/prometheus.key
What could be the reason of this error ?
If it's self-signed, you shouldn't need a CA file, so try deleting that line in the tls_config and restarting the container.
I know this is old, so apologies if it's bad to answer an old question. Feel free to delete.
I have a website that is hosted behind company's network. You could only connect to it using the client.crt and client.key. This client.crt is signed by a self signed ca.crt which is referenced in the apache config file.
I installed the server certificate (servercrt.crt) on my machine and can make a curl request with no issues:
curl https://my_url.com:53234 --cert path/to/client.crt --key path/to/client.key
I also imported the client.crt in the browser. When navigate to the url the browser asks to select the client certificate. Once selected the right client certificate, it opens up the page without issues.
However, I have problems with python. When I try to connect using python:
import requests
clientcertfile = './client.crt'
clientcertkeyfile = './client.key'
servercert = './servercert.pem'
requests.get(url='https://my_url.com:53234, cert= (clientcertfile, clientcertkeyfile), verify = servercert)
I get the following error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')
But, I can connect to this url when set the verify=False which I don't want. The requests package just displays a warning that its better not to set the verify=False option.
I have looked at here, here and here but no joy.
Any ideas?
Apparently, I was using the wrong ca.crt for the server. Once I replaced it with the right certificate. It fixed the issue.
#Steffen's comment helped solved the issue.
I've tried to follow the following tutorial to setup our own private registry (v2) on an AWS Centos machine.
I've self signed a TLS certificate and placed it in /etc/docker/certs.d/MACHINE_STATIS_IP:5000/
When trying to login the registry (docker login MACHINE_IP:5000) or push a tagged repository (MACHINE_IP:5000/ubuntu:latest) i get the following error :
Error response from daemon: Get https://MACHINE_IP:5000/v1/users/: x509: cannot validate certificate for MACHINE_IP because it doesn't contain any IP SANs
Tried to search for an answer for 2 days, however I couldn't find any.
I've set the certificate CN (common name) to MACHINE_STATIC_IP:5000
When using a self signed TLS certificate docker daemon require you to add the certificate to it's known certificates.
Use the keytool command to grab the certificate :
keytool -printcert -sslserver ${NEXUS_DOMAIN}:${SSL_PORT} -rfc > ${NEXUS_DOMAIN}.crt
And copy it your client's machine SSL certificates directory (in my case - ubuntu):
sudo cp ${NEXUS_DOMAIN}.crt /usr/local/share/ca-certificates/${NEXUS_DOMAIN}.crt && sudo update-ca-certificates
Now reload docker daemon and you're good to go :
sudo systemctl restart docker
You can also use the following command to temporarily trust the certificate without adding it your system certificates.
docker --tlscert <the downloaded tls cert> pull <whatever you want to pull>
I am using Artifactory backed up by nginx as the proxy server. The nginx load balancer is configured with SSL certs from a trusted authority. I created a local docker repo and need to push images but get the following error:
unable to ping registry endpoint https://myArtifactory.com/v0/
v2 ping attempt failed with error: Get https://myArtifactory.com/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://myArtifactory.com/v1/_ping: x509: certificate signed by unknown authority
I am using the following command to push images
docker push myArtifactory.com/ubuntu
Fixed this bya dding the certificate to the docker client under /etc/docker/certs.d