This post was last edited by yizhihenanjing on 2021-9-2 09:47

Problem with curl https://www.ygdy8.com inside a docker container on ubuntu server A

Problem:
root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com    // 1. works normally on the host
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com    // 2. inside the container: certificate signature error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com    // 3. other https sites work fine inside the container
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.

Troubleshooting I have tried myself:

1. Downloaded the certificate and accessed the site with that certificate specified explicitly; the result says the certificate has expired.

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. Looking at the communication, I found that the host and the container resolve the domain to different IPs. I then edited the hosts file inside the container to point the domain at the IP the host resolves, and got the same result as above: certificate has expired.

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/    // inside the container
* Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit    // exit the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/    // on the host
* Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=www.ygdy8.com
* start date: Nov 3 00:00:00 2019 GMT
* expire date: Nov 2 12:00:00 2020 GMT
* subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
* issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

3. On another ubuntu server B I pulled the same image, started a container, and curl inside that container worked without any problem. I suspect the problem is with server A, or more precisely with server A's docker network configuration. Docker was installed the same way on both machines, and no network-related configuration has ever been set.
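As an added example (not part of the original post), a small Python triage script that parses the host-side and container-side curl -v and openssl s_client lines quoted above and lists what differs: the container connected to a different address than the host, and that address presented a self-signed, expired certificate issued to an IPMI host rather than to www.ygdy8.com. The log samples are constructed from the post's own output; the field names and the triage function are assumptions of this example, not part of curl or openssl.

```python
import re
from datetime import datetime, timezone
# Constructed samples, copied from the post's own container-side and host-side transcripts.
CONTAINER_LOG = """\
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* SSL certificate problem: self signed certificate
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
"""
HOST_LOG = """\
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* subject: CN=www.ygdy8.com
* expire date: Nov 2 12:00:00 2020 GMT
* SSL certificate verify ok.
"""
AS_OF_IN_POST = datetime(2019, 12, 4, tzinfo=timezone.utc)  # the Date header in the post
PATTERNS = {  # field -> regex over one line of `curl -v` or `openssl s_client` output
    "ip": r"^\* Connected to \S+ \(([^)]+)\)",
    "subject_cn": r"^(?:\* subject: |depth=0 ).*CN ?= ?([^;,]+)",
    "expires": r"^(?:\* expire date: |notAfter=)(.+)",
    "error": r"^(?:\* SSL certificate problem: |verify error:num=\d+:)(.+)",
}

def parse_tls_log(log):
    """Extract the connected IP, the leaf cert's CN and expiry, and any verify errors."""
    info = {"ip": None, "subject_cn": None, "expires": None, "errors": set()}
    for line in log.splitlines():
        for field, pat in PATTERNS.items():
            if m := re.match(pat, line):
                val = m.group(1).strip()
                if field == "error":
                    info["errors"].add(val)
                elif field == "expires":
                    info[field] = datetime.strptime(val, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
                else:
                    info[field] = val
    return info

def triage(hostname, host, container, as_of):
    """List why the container's TLS result differs from the host's."""
    findings = []
    if host["ip"] != container["ip"]:
        findings.append(f"dns_mismatch:{host['ip']}!={container['ip']}")
    if container["subject_cn"] and container["subject_cn"] != hostname:
        findings.append(f"wrong_identity:{container['subject_cn']}")
    if container["expires"] and container["expires"] < as_of:
        findings.append("expired")
    return findings + [f"verify_error:{e}" for e in sorted(container["errors"])]
```

The findings are why curl's verification failure should not be bypassed with --insecure here: it is correctly rejecting a certificate that does not belong to the site, and the thing to investigate is which resolver the container is using and why it returns a different address than the host.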