docker unable to navigate to a web site using https

Question

I have the following trivial docker file:

    FROM mcr.microsoft.com/windows/servercore:ltsc2019
    WORKDIR /azp
    COPY test.ps1 .
    CMD powershell .\test.ps1

Where test.ps1 is:

    C:\test> cat .\test.ps1
    curl https://cnn.com -UseBasicParsing

The script can run just fine on my machine, but not in a docker container:

    C:\test> docker build -t test:latest .
    Sending build context to Docker daemon 75.26kB
    Step 1/4 : FROM mcr.microsoft.com/windows/servercore:ltsc2019
    ---> 782a75e44953
    Step 2/4 : WORKDIR /azp
    ---> Using cache
    ---> b43270631602
    Step 3/4 : COPY test.ps1 .
    ---> Using cache
    ---> 10cfc66cff37
    Step 4/4 : CMD powershell .\test.ps1
    ---> Using cache
    ---> 187be18c5495
    Successfully built 187be18c5495
    Successfully tagged test:latest
    C:\test> docker run test
    curl : The underlying connection was closed: Could not establish trust
    relationship for the SSL/TLS secure channel.
    At C:\azp\test.ps1:1 char:1
    + curl https://cnn.com -UseBasicParsing
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:Htt
    pWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe
    ll.Commands.InvokeWebRequestCommand

Note that replacing https://cnn.com (https) with http://google.com (http) works, so this is clearly something about the https.

What am I missing?

P.S.

I am using Windows 10 with the most recent docker switched to use windows containers.

Answer 1

Score: 2

So I managed to make it work for https://google.com by following these steps:

  1. Navigate to https://google.com and check what is the root certificate. It is a certificate with thumbprint 75E0ABB6138512271C04F85FDDDE38E4B7242EFE
  2. Export the aforementioned certificate as well as the ZScaler root certificate (D72F47D87420E3F0F9BDCAC6F03A566743C481B9) to a special directory that will be included in the image under C:\containers.
  3. Modify the test.ps1 script - see below.
  4. Modify the Dockerfile script - see below.

test.ps1

    Get-ChildItem /certificates | ForEach-Object {
        $null = Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root
    }
    $res = Invoke-WebRequest https://google.com -UseBasicParsing
    $res.StatusDescription

Dockerfile

    FROM mcr.microsoft.com/windows/servercore:ltsc2019
    COPY certificates certificates
    WORKDIR /azp
    COPY test.ps1 .
    CMD powershell .\test.ps1

So, on the host machine I run the following commands:

    C:\test> $certs = dir Cert:\LocalMachine\Root |? { $_.Thumbprint -eq '75E0ABB6138512271C04F85FDDDE38E4B7242EFE' -or $_.Thumbprint -eq 'D72F47D87420E3F0F9BDCAC6F03A566743C481B9' }
    C:\test> $certs

       PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

    Thumbprint                                Subject
    ----------                                -------
    D72F47D87420E3F0F9BDCAC6F03A566743C481B9  E=support@zscaler.com, CN=Zscaler Root CA, OU=Zscaler Inc., O=Zscaler Inc., L=San Jose, S=California, C=US
    75E0ABB6138512271C04F85FDDDE38E4B7242EFE  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

    C:\test> $certs |% { Export-Certificate -FilePath "c:\test\certificates\$($_.Thumbprint).cer" -Cert $_ }

        Directory: C:\test\certificates

    Mode    LastWriteTime      Length  Name
    ----    -------------      ------  ----
    -a----  1/5/2020 8:40 PM   1239    D72F47D87420E3F0F9BDCAC6F03A566743C481B9.cer
    -a----  1/5/2020 8:40 PM   958     75E0ABB6138512271C04F85FDDDE38E4B7242EFE.cer

    C:\test> docker run test
    OK
    C:\test>
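
The answer's test.ps1 adds every file found under /certificates to the machine root store, so anything that lands in that directory becomes a trusted root. The following added example (not code from the answer) imports only files whose thumbprint matches the two values quoted above; the function name `Import-PinnedRoot` and the extra self-signed and expiry checks are assumptions of this sketch.

```powershell
# Added example: import root certificates only when their thumbprint is allowlisted.
# The thumbprints are the two quoted in the answer; /certificates follows its Dockerfile.
$ErrorActionPreference = 'Stop'

$expected = @(
    '75E0ABB6138512271C04F85FDDDE38E4B7242EFE',  # GlobalSign Root CA - R2
    'D72F47D87420E3F0F9BDCAC6F03A566743C481B9'   # Zscaler Root CA
)

function Import-PinnedRoot {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Directory,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    $imported = @()
    foreach ($file in Get-ChildItem -Path $Directory -Filter *.cer) {
        # Parse the file first so the decision is made on its content, not its name.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
            throw "Refusing $($file.Name): thumbprint $($cert.Thumbprint) is not on the allowlist"
        }
        if ($cert.Subject -ne $cert.Issuer) {
            throw "Refusing $($file.Name): certificate is not a self-signed root"
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            throw "Refusing $($file.Name): expired on $($cert.NotAfter)"
        }
        $null = Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root
        $imported += $cert.Thumbprint
    }
    # Fail loudly if an expected root was not shipped in the image.
    $missing = $AllowedThumbprints | Where-Object { $imported -notcontains $_ }
    if ($missing) { throw "Expected certificate(s) not found: $($missing -join ', ')" }
    return $imported
}

Import-PinnedRoot -Directory /certificates -AllowedThumbprints $expected
```

Running this from a Dockerfile `RUN` step instead of from the `CMD` script would bake the roots into the image once, so the running container does not have to modify its trust store.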

Answer 2

Score: 1

It looks like your container is not able to verify the TLS server certificate. Probably CA certificates (maybe they have a different technical term in Windows) are missing in the container.

You can:

  • -SkipCertificateCheck (available from PowerShell V6.0+), so TLS cert verification will be skipped - good choice for development, but it will sacrifice security partially

  • "mount Windows hosts certificate store in container" - Docker forum
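
To find out which CA the container is missing before changing any trust settings, the chain can be inspected with validation left on. The following is an added example, not code from either answer; the function name `Get-TlsChainReport` is hypothetical, and it uses the .NET `SslStream` class that ships with Windows PowerShell.

```powershell
# Added example: report the chain a server presents and why Windows rejects it,
# without ever accepting an untrusted certificate.
function Get-TlsChainReport {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)

    $script:TlsSeen = @{ PolicyErrors = $null; Elements = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $script:TlsSeen.PolicyErrors = $policyErrors.ToString()
        # Copy the details now; the chain object is only valid inside the callback.
        $script:TlsSeen.Elements = @(foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject    = $e.Certificate.Subject
                Issuer     = $e.Certificate.Issuer
                Thumbprint = $e.Certificate.Thumbprint
                Status     = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
            }
        })
        # Keep normal behaviour: succeed only when Windows already trusts the chain.
        return $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try   { $ssl.AuthenticateAsClient($HostName); $trusted = $true }
        catch { $trusted = $false }   # handshake refused because validation failed
    }
    finally { $tcp.Dispose() }

    [pscustomobject]@{
        Host         = $HostName
        Trusted      = $trusted
        PolicyErrors = $script:TlsSeen.PolicyErrors
        Chain        = $script:TlsSeen.Elements
    }
}

$report = Get-TlsChainReport -HostName google.com
$report | Format-List Host, Trusted, PolicyErrors
$report.Chain | Format-Table -AutoSize
```

Run inside the container, the `Issuer` of the last chain element and its `Status` column show which root the image's store lacks; run on the host, the same call shows the chain that does validate, for comparison.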

Posted on January 4, 2020, 12:46:33 (https://go.coder-hub.com/59587973.html)