SSL certificate verification fails inside docker container on specific server

Tags: docker, ssl

I'm running into a strange problem with certificates that I can't figure out how to debug. When I run wget inside of a docker container on one specific server it cannot verify certificates. The same wget works fine on the server machine itself (outside docker) and it works inside that same docker container on different servers.

Here's the setup for the docker container:

docker run --rm -ti debian:jessie bash
apt-get update
apt-get install wget
wget https://google.com

The response is:

converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2016-06-22 14:22:02--  https://google.com/
Resolving google.com (google.com)... 216.58.217.142, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|216.58.217.142|:443... connected.
ERROR: The certificate of 'google.com' is not trusted.
ERROR: The certificate of 'google.com' hasn't got a known issuer.
The certificate's owner does not match hostname 'google.com'

Since this same process works on other servers, it seems like the problem could only be some certificate problem on that server itself. But I must be confused: why should the certificates on the server itself have anything to do with what's happening inside of the docker container?

I would really appreciate any insight into this, in particular any debugging steps I can take to understand the problem better.

Denise asked Jun 22 '16 14:06

2 Answers

It seems that the certificates are out of date inside the jessie image.

Try apt-get install ca-certificates before the wget.

michael_bitard answered Oct 02 '22 16:10

Docker uses iptables.

If you have iptables rules set up it's possible to direct EVERY https request to your own running server.

If you are, for example, running Jenkins locally and using iptables to redirect 443 to the default 8080 port, then all your container traffic to port 443 will be redirected to that local Jenkins server, which will be unable to verify your certificate. We ran into this problem when using Jenkins to build our docker images. Our Jenkins used iptables to get around running Jenkins as root.

DMart answered Oct 02 '22 15:10

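An added diagnostic covering the two causes raised in the answers above (a missing CA bundle inside the container, and host iptables rules diverting port 443); this is written for this page, not code from the thread. The iptables rules it parses are constructed sample data and the bundle path is the Debian default.

```shell
#!/bin/sh
# Added diagnostic helpers for the two causes given in the answers: a missing
# CA bundle inside the container, and host iptables rules that send port 443
# somewhere else. Not from the original thread; sample rules are constructed.

# Returns 0 when the CA bundle wget/OpenSSL read on Debian exists and is
# non-empty; a fresh debian:jessie image without ca-certificates lacks it.
ca_bundle_present() {
    bundle="${1:-/etc/ssl/certs/ca-certificates.crt}"
    [ -s "$bundle" ]
}

# Reads `iptables -t nat -S` style rules on stdin and prints only those that
# divert TCP port 443 to another destination (REDIRECT or DNAT targets).
find_443_redirects() {
    grep -E -- '--dport 443( |$)' | grep -E -- '-j (REDIRECT|DNAT)'
}

# Prints how many rules in the given rule text divert port 443.
count_443_redirects() {
    printf '%s\n' "$1" | find_443_redirects | wc -l | tr -d ' '
}

# Constructed sample: what `iptables -t nat -S` could print on a host that
# redirects 80/443 to a locally running, non-root service (the Jenkins case).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# On the affected host, run the same check against the live rules, then look
# at the subject/issuer the container actually receives for the site:
#   iptables -t nat -S | find_443_redirects
#   openssl s_client -connect google.com:443 -servername google.com </dev/null \
#       2>/dev/null | openssl x509 -noout -subject -issuer
```

If the bundle is missing, the first answer applies; if any rule is printed, the second answer applies and the certificate shown by openssl will belong to the local service rather than the site.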