Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL certificate verification fails inside docker container on specific server

Tags:

docker

ssl

I'm running into a strange problem with certificates that I can't figure out how to debug. When I run wget inside of a docker container on one specific server it cannot verify certificates. The same wget works fine on the server machine itself (outside docker) and it works inside that same docker container on different servers.

Here's the setup for the docker container:

docker run --rm -ti debian:jessie bash
apt-get update
apt-get install wget
wget https://google.com

The response is:

converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2016-06-22 14:22:02--  https://google.com/
Resolving google.com (google.com)... 216.58.217.142, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|216.58.217.142|:443... connected.
ERROR: The certificate of 'google.com' is not trusted.
ERROR: The certificate of 'google.com' hasn't got a known issuer.
The certificate's owner does not match hostname 'google.com'

Since this same process works on other servers, it seems like the problem could only be some certificate problem on that server itself. But I must be confused: why should the certificates on the server itself have anything to do with what's happening inside of the docker container?

I would really appreciate any insight into this, in particular any debugging steps I can take to understand the problem better.

like image 890
Denise Avatar asked Jun 22 '16 14:06

Denise

2 Answers

It seems that the certificates are out of date inside the jessie image.

try apt-get install ca-certificates before the wget

like image 173
michael_bitard Avatar answered Oct 02 '22 16:10

michael_bitard

Docker uses iptables.

If you have iptable rules set up it's possible to direct EVERY https request to your own running server.

If you are, for example, running jenkins locally and using iptables to redirect 443 to default 8080 port than all your container traffic to port 443 ports will be redirected to that local jenkins server which will be unable to verify your certificate. We ran into this problem when using Jenkins to build our docker images. our jenkins used iptables to get around running jenkins as root.

like image 26
DMart Avatar answered Oct 02 '22 15:10

DMart
Sign in to Comment

Related questions

See server name according to SSL certificates
"Could not create SSL/TLS secure channel" Azure Storage .NET API error since POODLE
Why are SSL/TLS certificates self-signed if they have no real signature/CA?
Amazon widget and SSL
Redirect HTTP to HTTPS for one page
HTTP error code 505
Selecting SSL_VERIFY_NONE for SSL_verify_mode
SSL_CTX_use_PrivateKey_file() failed
Unable to access Github through Browser or Console due to SSL certificate issue
Mixed Content error when accessing WebSocket server hosted in a different port
error: OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 10054 [duplicate]
How do you set up encrypted mosquitto broker like a webpage which has https?
Socket.io client in android connection with HTTPS protocol failed?
Change webroot-path of registered letsencrypt cert
How do I figure out which parts of a web page are encrypted and which aren't?
How to force the use of SSL for some URL of my Django Application?
SSLSocket ignores domain mismatch
Enable SSL on GitLab with Docker on Synology NAS
SSL Error in nodejs
Self-signed SSL connection using PyMongo

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!