docker unable to navigate to a web site using https
Question
I have the following trivial docker file:
FROM mcr.microsoft.com/windows/servercore:ltsc2019
WORKDIR /azp
COPY test.ps1 .
CMD powershell .\test.ps1
Where test.ps1 is:
C:\test> cat .\test.ps1
curl https://cnn.com -UseBasicParsing
The script can run just fine on my machine, but not in a docker container:
C:\test> docker build -t test:latest .
Sending build context to Docker daemon 75.26kB
Step 1/4 : FROM mcr.microsoft.com/windows/servercore:ltsc2019
---> 782a75e44953
Step 2/4 : WORKDIR /azp
---> Using cache
---> b43270631602
Step 3/4 : COPY test.ps1 .
---> Using cache
---> 10cfc66cff37
Step 4/4 : CMD powershell .\test.ps1
---> Using cache
---> 187be18c5495
Successfully built 187be18c5495
Successfully tagged test:latest
C:\test> docker run test
curl : The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel.
At C:\azp\test.ps1:1 char:1
+ curl https://cnn.com -UseBasicParsing
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:Htt
pWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe
ll.Commands.InvokeWebRequestCommand
Note that replacing https://cnn.com (https) with http://google.com (http) works, so this is clearly something about the https.
What am I missing?
P.S.
I am using Windows 10 with the most recent docker switched to use windows containers.
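A way to see why the handshake fails before touching any trust store, as an added diagnostic that is not part of the original question: this Windows PowerShell 5.1 script (the file name Show-TlsChain.ps1 and the default host cnn.com are assumptions) opens a TLS connection, records the certificate chain and the policy errors that SslStream reports, and then checks whether the presented root is in the machine Root store. Validation is not disabled; the callback returns true only so the handshake completes and the chain can be printed, and the verdict comes from the errors SslStream reported. Run once on the host and once inside the container, it shows whether the two see the same root; behind a TLS-inspecting proxy the host has the proxy's internal root installed and the container does not.

```powershell
# Show-TlsChain.ps1 (added example, not from the original post)
# Prints the certificate chain a TLS endpoint presents as seen from this machine
# or container, and whether Windows trusts it. Validation is NOT disabled: the
# callback only records what SslStream reports and lets the handshake finish.
param(
    [string]$HostName = 'cnn.com',   # assumed default; any HTTPS host works
    [int]$Port = 443
)

# A hashtable so the callback scriptblock can write results back by reference.
$state = @{ Chain = @(); Errors = $null }

$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslErrors)
    $state.Errors = $sslErrors
    # Copy the chain details out now; the X509Chain object is only valid inside the callback.
    $state.Chain = @(foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            Thumbprint = $el.Certificate.Thumbprint
        }
    })
    return $true   # let the handshake complete so we can report; verdict is taken from $sslErrors
}

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName, performs the TLS handshake
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}

"Chain presented by ${HostName}:${Port} (leaf first):"
$state.Chain | Format-Table Subject, Issuer, Thumbprint -AutoSize

$root = $state.Chain[-1]
if ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None) {
    "Chain is trusted on this machine; root = $($root.Subject)"
} else {
    "Validation errors: $($state.Errors)"
    "Root presented: $($root.Subject) ($($root.Thumbprint))"
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
    if (-not $trusted) {
        "That root is not in Cert:\LocalMachine\Root here. If its subject is an internal or"
        "proxy CA, the host trusts it and this environment does not, which is exactly the"
        "'Could not establish trust relationship' failure from Invoke-WebRequest."
    }
}
```

Inside the container, run it with `powershell .\Show-TlsChain.ps1` (or pass `-HostName google.com`). The thumbprint printed for the root is the value to compare against the host's `Cert:\LocalMachine\Root` store; if the root is a corporate proxy CA rather than the public CA you expected, that is what has to be exported into the image, not the public one.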
Answer 1
Score: 2
So I managed to make it work for https://google.com by following these steps:
- Navigate to https://google.com and check what the root certificate is. It is a certificate with thumbprint 75E0ABB6138512271C04F85FDDDE38E4B7242EFE
- Export the aforementioned certificate as well as the ZScaler root certificate (D72F47D87420E3F0F9BDCAC6F03A566743C481B9) to a special directory that will be included in the image under C:\containers.
- Modify the test.ps1 script - see below.
- Modify the Dockerfile script - see below.
test.ps1
Get-ChildItem /certificates | ForEach-Object {
$null = Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root
}
$res = Invoke-WebRequest https://google.com -UseBasicParsing
$res.StatusDescription
Dockerfile
FROM mcr.microsoft.com/windows/servercore:ltsc2019
COPY certificates certificates
WORKDIR /azp
COPY test.ps1 .
CMD powershell .\test.ps1
So, on the host machine I run the following commands:
C:\test> $certs = dir Cert:\LocalMachine\Root |? { $_.Thumbprint -eq '75E0ABB6138512271C04F85FDDDE38E4B7242EFE' -or $_.Thumbprint -eq 'D72F47D87420E3F0F9BDCAC6F03A566743C481B9' }
C:\test> $certs
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
D72F47D87420E3F0F9BDCAC6F03A566743C481B9 E=support@zscaler.com, CN=Zscaler Root CA, OU=Zscaler Inc., O=Zscaler Inc., L=San Jose, S=California, C=US
75E0ABB6138512271C04F85FDDDE38E4B7242EFE CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
C:\test> $certs |% { Export-Certificate -FilePath "c:\test\certificates\$($_.Thumbprint).cer" -Cert $_ }
Directory: C:\test\certificates
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/5/2020 8:40 PM 1239 D72F47D87420E3F0F9BDCAC6F03A566743C481B9.cer
-a---- 1/5/2020 8:40 PM 958 75E0ABB6138512271C04F85FDDDE38E4B7242EFE.cer
C:\test> docker run test
OK
C:\test>
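A tighter version of the import step in the answer above, as an added example that is not the answer's own script: instead of trusting every file that happens to be in the certificates folder, it imports only certificates whose thumbprints are on an allow-list, checks that each one is a self-signed CA certificate before it goes into the machine Root store, and skips certificates already present so it can run on every container start without side effects. The two thumbprints are the ones from the answer (GlobalSign Root CA - R2 and the Zscaler root); the file name Import-PinnedRoots.ps1 and the C:\certificates path (where the answer's `COPY certificates certificates` lands) are assumptions.

```powershell
# Import-PinnedRoots.ps1 (added example, not the answer's own script)
# Imports only pinned root CAs from a folder into the container's LocalMachine\Root
# store, verifying each file before trusting it, then repeats the answer's check.
param(
    [string]$CertDir = 'C:\certificates',          # assumed: where the Dockerfile COPY lands
    [string[]]$AllowedThumbprints = @(             # the two roots exported in the answer
        '75E0ABB6138512271C04F85FDDDE38E4B7242EFE', # CN=GlobalSign, OU=GlobalSign Root CA - R2
        'D72F47D87420E3F0F9BDCAC6F03A566743C481B9'  # CN=Zscaler Root CA
    )
)

$imported = 0
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)

    # 1. Pin by thumbprint: a stray or tampered .cer in the folder is ignored, not trusted.
    if ($AllowedThumbprints -notcontains $cert.Thumbprint) {
        Write-Warning "Skipping $($file.Name): thumbprint $($cert.Thumbprint) is not on the allow-list"
        continue
    }

    # 2. Only self-signed CA certificates belong in Root (BasicConstraints cA=TRUE, subject == issuer).
    $isCa = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        ForEach-Object { $_.CertificateAuthority }
    if ($cert.Subject -ne $cert.Issuer -or -not $isCa) {
        Write-Warning "Skipping $($file.Name): not a self-signed CA certificate"
        continue
    }

    # 3. Idempotent: skip roots already in the store (the script may run on every container start).
    if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
        "Already trusted: $($cert.Subject)"
        continue
    }

    $null = Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root
    $imported++
    "Imported $($cert.Subject) ($($cert.Thumbprint))"
}
"Imported $imported new root certificate(s) from $CertDir"

# Same verification the answer uses: the request succeeds only if the chain now validates.
$res = Invoke-WebRequest https://google.com -UseBasicParsing
$res.StatusDescription
```

If the roots are static for the image, running this once from a `RUN powershell .\Import-PinnedRoots.ps1` step (after the COPY lines) bakes the trust into the image layer, so the CMD only needs to make the request; running it from CMD, as the answer does, repeats the import on every start, which the idempotency check keeps harmless.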
Answer 2
Score: 1
It looks like your container is not able to verify TLS server certificate. Probably CA certificates (maybe they have different technical term in the Windows) are missing in the container.
You can:
- -SkipCertificateCheck (available from PowerShell V6.0+), so TLS cert verification will be skipped - good choice for development, but it will sacrifice security partially
- "mount Windows hosts certificate store in container" - Docker forum