docker unable to navigate to a web site using https

Question

I have the following trivial docker file:

FROM mcr.microsoft.com/windows/servercore:ltsc2019

WORKDIR /azp

COPY test.ps1 .

CMD powershell .\test.ps1

Where test.ps1 is:

C:\test> cat .\test.ps1
curl https://cnn.com -UseBasicParsing

The script can run just fine on my machine, but not in a docker container:

C:\test> docker build -t test:latest .
Sending build context to Docker daemon  75.26kB
Step 1/4 : FROM mcr.microsoft.com/windows/servercore:ltsc2019
 ---> 782a75e44953
Step 2/4 : WORKDIR /azp
 ---> Using cache
 ---> b43270631602
Step 3/4 : COPY test.ps1 .
 ---> Using cache
 ---> 10cfc66cff37
Step 4/4 : CMD powershell .\test.ps1
 ---> Using cache
 ---> 187be18c5495
Successfully built 187be18c5495
Successfully tagged test:latest
C:\test> docker run test
curl : The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel.
At C:\azp\test.ps1:1 char:1
+ curl https://cnn.com -UseBasicParsing
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:Htt
   pWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe
   ll.Commands.InvokeWebRequestCommand

Note that replacing https://cnn.com (https) with http://google.com (http) works, so this is clearly something about the https.

What am I missing?

P.S.

I am using Windows 10 with the most recent docker switched to use windows containers.

Answer 1

Score: 2

So I managed to make it work for https://google.com by following these steps:

  1. Navigate to https://google.com and check what is the root certificate. It is a certificate with thumbprint 75E0ABB6138512271C04F85FDDDE38E4B7242EFE
  2. Export the aforementioned certificate as well as the ZScaler root certificate (D72F47D87420E3F0F9BDCAC6F03A566743C481B9) to a special directory that will be included in the image under C:\containers.
  3. Modify the test.ps1 script - see below.
  4. Modify the Dockerfile script - see below.

test.ps1

Get-ChildItem /certificates | ForEach-Object {
    $null = Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root
}

$res = Invoke-WebRequest https://google.com -UseBasicParsing
$res.StatusDescription

Dockerfile

FROM mcr.microsoft.com/windows/servercore:ltsc2019
COPY certificates certificates
WORKDIR /azp
COPY test.ps1 .
CMD powershell .\test.ps1

So, on the host machine I run the following commands:

C:\test> $certs = dir Cert:\LocalMachine\Root |? { $_.Thumbprint -eq '75E0ABB6138512271C04F85FDDDE38E4B7242EFE' -or $_.Thumbprint -eq 'D72F47D87420E3F0F9BDCAC6F03A566743C481B9' }
C:\test> $certs


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
D72F47D87420E3F0F9BDCAC6F03A566743C481B9  E=support@zscaler.com, CN=Zscaler Root CA, OU=Zscaler Inc., O=Zscaler Inc., L=San Jose, S=California, C=US
75E0ABB6138512271C04F85FDDDE38E4B7242EFE  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2


C:\test> $certs |% { Export-Certificate -FilePath "c:\test\certificates\$($_.Thumbprint).cer" -Cert $_ }


    Directory: C:\test\certificates


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/5/2020   8:40 PM           1239 D72F47D87420E3F0F9BDCAC6F03A566743C481B9.cer
-a----         1/5/2020   8:40 PM            958 75E0ABB6138512271C04F85FDDDE38E4B7242EFE.cer


C:\test> docker run test
OK
C:\test>
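
A stricter variant of the import loop in the answer above, as an added example that is not part of the original answer: a file is trusted only if its computed thumbprint matches one of the two thumbprints quoted above, and the script fails closed otherwise. The self-issued and validity-period checks are additions assumed here.

```powershell
# Added example: import only allow-listed root certificates into the container
# trust store. /certificates is the directory the answer's Dockerfile copies in.
$ErrorActionPreference = 'Stop'

# Thumbprints quoted in the answer above.
$allowedRoots = @(
    '75E0ABB6138512271C04F85FDDDE38E4B7242EFE',  # GlobalSign Root CA - R2
    'D72F47D87420E3F0F9BDCAC6F03A566743C481B9'   # Zscaler Root CA
)

foreach ($file in Get-ChildItem -Path /certificates -File) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # The thumbprint is computed from the certificate bytes, not read from the file name.
    if ($allowedRoots -notcontains $cert.Thumbprint) {
        throw "Refusing to trust $($file.Name): thumbprint $($cert.Thumbprint) is not allow-listed"
    }
    # A root certificate is self-issued; anything else does not belong in the Root store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Refusing to trust $($file.Name): not a self-issued root certificate"
    }
    # Fail closed on a certificate that is not yet valid or has expired.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Refusing to trust $($file.Name): outside its validity period"
    }

    $null = Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root
    Write-Output "Trusted $($cert.Thumbprint)  $($cert.Subject)"
}
```

Any file added to the certificates directory that is not on the list stops the script before the web request runs, so the image's trust store cannot grow silently.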

Answer 2

Score: 1

It looks like your container is not able to verify the TLS server certificate. Probably the CA certificates (maybe they have a different technical term in Windows) are missing in the container.

You can:

  • -SkipCertificateCheck (available from PowerShell V6.0+), so TLS cert verification will be skipped - good choice for development, but it will sacrifice security partially

  • "mount Windows hosts certificate store in container" - Docker forum
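
To confirm from inside the container which root the server's chain ends in and whether that root is present in the container's store, the following added example (not from the original thread) performs one TLS handshake and reports the chain. The function name `Get-TlsChainReport` is hypothetical; the callback accepts the certificate only so the chain can be inspected, and no application data is sent.

```powershell
# Added example: diagnostic probe for "Could not establish trust relationship".
function Get-TlsChainReport {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $report = @{ Host = $HostName }

    # Invoked during the handshake with the chain Windows built for the server.
    $inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $report.PolicyErrors   = "$sslPolicyErrors"
        $report.ChainStatus    = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })
        $report.TopSubject     = $top.Subject
        $report.TopThumbprint  = $top.Thumbprint
        # Is the top-most certificate of the chain in the container's Root store?
        $report.TopInRootStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        return $true   # accept for inspection only; the stream is closed right after
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

Get-TlsChainReport -HostName 'cnn.com' | Format-List
```

A `ChainStatus` of `UntrustedRoot` together with `TopInRootStore : False` identifies the certificate that has to be added to the image; if `TopSubject` names a proxy CA rather than a public one, the traffic is being inspected on the way out.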

huangapple
  • Posted on January 4, 2020, 12:46:33
  • When reposting, please keep the link to this article: https://go.coder-hub.com/59587973.html