Problem accessing HTTPS from inside a Docker container: curl: (60) SSL certificate problem: self signed ce...

1#
Posted 2021-9-2 09:46
Last edited by yizhihenanjing on 2021-9-2 09:47

On Ubuntu server A, curl https://www.ygdy8.com from inside a Docker container has a problem.

Problem:

root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com  //1. works normally on the host
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com  //2. inside the container, certificate signature error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com   //3. other HTTPS sites work fine inside the container
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.

Troubleshooting I have tried myself:

1. Downloaded the certificate and told curl to use it; the result says the certificate has expired.

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. Looking at the communication, I found that the host and the container resolve the domain to different IPs. I then edited the container's hosts file to map the domain to the IP the host resolves, and got the same result as above: certificate has expired.

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/     //inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit   //exit the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/   //on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

3. On another Ubuntu server B, I pulled the same image, started a container, and curl inside the container had no problem at all. I suspect it is a problem with server A, or rather with server A's Docker network configuration. Docker was installed the same way on both machines, and no network-related configuration was ever set.
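The transcripts above contain everything needed to separate a trust-store problem from a name-resolution problem. The following triage script is an added example, not code from the post or from this forum: it parses `curl -v` transcripts and `openssl s_client` verify output and reports why the container side fails. The three sample inputs are constructed from the lines quoted in the post; the function and finding names are my own.

```python
"""Triage helper: why does TLS verification differ between host and container?

Added example (not from the forum post). Parses `curl -v` transcripts and the
`openssl s_client` verify lines; the samples are constructed from the post.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: host-side `curl -v` lines quoted in the post.
HOST_CURL = """\
*   Trying 156.238.183.80...
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=www.ygdy8.com
*  expire date: Nov  2 12:00:00 2020 GMT
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
"""

# Constructed sample: container-side `curl -v` lines quoted in the post.
CONTAINER_CURL = """\
*   Trying 104.233.229.10...
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
curl: (60) SSL certificate problem: self signed certificate
"""

# Constructed sample: container-side `openssl s_client` verify output.
CONTAINER_OPENSSL = """\
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
"""


@dataclass
class CurlObservation:
    resolved_ip: Optional[str] = None
    subject: Optional[str] = None
    verify_ok: bool = False
    verify_error: Optional[str] = None
    tls_versions: set = field(default_factory=set)


@dataclass
class LeafCert:
    cn: Optional[str] = None
    verify_errors: list = field(default_factory=list)   # (num, text) pairs
    not_after: Optional[datetime] = None


def parse_curl_verbose(text: str) -> CurlObservation:
    """Pull peer IP, TLS record versions, subject and verify outcome out of `curl -v`."""
    obs = CurlObservation()
    for line in text.splitlines():
        if m := re.match(r"^\* Connected to \S+ \(([^)]+)\) port \d+", line):
            obs.resolved_ip = m.group(1)
        elif m := re.match(r"^\* TLSv(\d\.\d) \((?:IN|OUT)\)", line):
            obs.tls_versions.add(m.group(1))
        elif m := re.match(r"^\*\s+subject: (.+)$", line):
            obs.subject = m.group(1)
        elif "SSL certificate verify ok" in line:
            obs.verify_ok = True
        elif m := re.match(r"^\* SSL certificate problem: (.+)$", line):
            obs.verify_error = m.group(1)
    return obs


def parse_openssl_verify(text: str) -> LeafCert:
    """Pull the depth-0 CN, verify errors and notAfter out of `openssl s_client` output."""
    leaf = LeafCert()
    for line in text.splitlines():
        if m := re.match(r"^depth=0 (.+)$", line):
            if cn := re.search(r"CN\s*=\s*([^,]+)", m.group(1)):
                leaf.cn = cn.group(1).strip()
        elif m := re.match(r"^verify error:num=(\d+):(.+)$", line):
            leaf.verify_errors.append((int(m.group(1)), m.group(2)))
        elif m := re.match(r"^notAfter=(.+) GMT$", line):
            stamp = " ".join(m.group(1).split())   # openssl pads single-digit days
            leaf.not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return leaf


def diagnose(expected_host, host, container, container_leaf, now=None):
    """Return (code, message) findings; codes are hypothetical names chosen for this example."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if host.resolved_ip and container.resolved_ip and host.resolved_ip != container.resolved_ip:
        findings.append(("RESOLUTION_MISMATCH", f"host reached {host.resolved_ip}, container reached "
                         f"{container.resolved_ip}; check /etc/resolv.conf and /etc/hosts in the container"))
    if container.verify_error:
        findings.append(("CONTAINER_VERIFY_FAILED", container.verify_error))
    if container_leaf.cn and container_leaf.cn.lower() != expected_host.lower():
        findings.append(("WRONG_CERT_SUBJECT", f"container was served CN={container_leaf.cn}, not {expected_host}"))
    if container_leaf.not_after and container_leaf.not_after < now:
        findings.append(("CERT_EXPIRED", f"that certificate expired on {container_leaf.not_after:%Y-%m-%d}"))
    if host.tls_versions and container.tls_versions and max(host.tls_versions) != max(container.tls_versions):
        findings.append(("TLS_VERSION_DIFFERS", f"host logs up to TLSv{max(host.tls_versions)}, container up to "
                         f"TLSv{max(container.tls_versions)}; compare curl/openssl versions in image and host"))
    if host.verify_ok and container.verify_error and any(c == "RESOLUTION_MISMATCH" for c, _ in findings):
        findings.append(("FIX_RESOLUTION_NOT_TRUST", "host validated a different endpoint; fix name resolution "
                         "in the container rather than trusting the foreign certificate or using curl -k"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose("www.ygdy8.com", parse_curl_verbose(HOST_CURL),
                              parse_curl_verbose(CONTAINER_CURL), parse_openssl_verify(CONTAINER_OPENSSL)):
        print(f"[{code}] {msg}")
```

Run on the quoted output it reports a resolution mismatch (156.238.183.80 on the host, 104.233.229.10 in the container), a leaf certificate whose CN is IPMI rather than www.ygdy8.com, and an expiry in 2016, which is why feeding that downloaded certificate to `--cacert` only changed the error from "self signed" to "expired". The findings point at resolution inside the container (and, per reply #3, the TLS version gap) rather than at the CA bundle, so the corrective action is to fix how the container resolves the name, not to weaken verification.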

2#
Posted 2021-9-2 13:30
It takes a lot of willpower to read through this post; I gave up.

3#
Posted 2021-9-2 13:36
Possibly an openssl version or configuration problem.

Inside the container:

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

On the host:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

4#
Posted 2021-9-2 13:36
Compare whether the image signatures on your server A and server B are identical; did you use the latest image? They differ between the two places.