This post was last edited by yizhihenanjing on 2021-9-2 09:47

On Ubuntu server A, curl https://www.ygdy8.com fails inside a Docker container

Problem:

root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com    // 1. On the host: works normally
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com    // 2. Inside the container: certificate signature error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com    // 3. Inside the container, other HTTPS sites work fine
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.

Troubleshooting I have already tried:

1. Downloaded the certificate and passed it to curl explicitly; the result says the certificate has expired.

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. Looking at the traffic, I found that the host and the container resolve the domain to different IPs. I then edited the container's hosts file to point the domain at the IP the host resolves, and got the same result as above: certificate has expired.

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/    // inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit    // leave the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/    // on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

3. On another Ubuntu server B, I pulled the same image, started a container, and curl inside that container works without any problem. I suspect the problem is with server A, or rather with server A's Docker network configuration. Docker was installed the same way on both machines, and no network-related configuration was ever set on either.
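The verbose output quoted in the post already carries the decisive evidence: the container connected to a different peer IP than the host (104.233.229.10 vs 156.238.183.80), and the certificate that peer presented is a self-signed Super Micro Computer "CN = IPMI" certificate that expired in December 2016, not the TrustAsia-issued www.ygdy8.com certificate the host saw. The script below is an added triage example, not the poster's code or anything from the site; it parses `curl -v` and `openssl s_client` output of the kind shown above and turns the two runs into a list of findings. The transcripts embedded in it are condensed from the lines quoted in the post, so it runs offline; `POST_DATE` is taken from the Date header in the host run and is used as "now" for the expiry check.

```python
"""Triage a host-vs-container `curl -v` discrepancy offline.

Added example (not from the original post). Parses curl -v and
openssl s_client text and reports why the two runs differ.
"""
import re
from datetime import datetime

# "Now" for the expiry check: the Date header in the post's host run.
POST_DATE = datetime(2019, 12, 4)

# --- constructed sample input, condensed from the post's transcripts ---
HOST_RUN = """\
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
"""
CONTAINER_RUN = """\
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: self signed certificate
curl: (60) SSL certificate problem: self signed certificate
"""
CONTAINER_S_CLIENT = """\
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
"""


def _parse_gmt(s):
    """Parse 'Nov  2 12:00:00 2020' (curl and openssl both print this form)."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y")


def parse_curl_verbose(text):
    """Extract peer IP, leaf-certificate facts and the final error from curl -v."""
    info = {"ip": None, "subject_cn": None, "issuer": None,
            "not_after": None, "verify_ok": "SSL certificate verify ok." in text,
            "error": None}
    if m := re.search(r"Connected to \S+ \(([\d.]+)\) port", text):
        info["ip"] = m.group(1)
    if m := re.search(r"^\*\s+subject: .*?CN=([^;\n]+)", text, re.M):
        info["subject_cn"] = m.group(1).strip()
    if m := re.search(r"^\*\s+issuer: (.+)$", text, re.M):
        info["issuer"] = m.group(1).strip()
    if m := re.search(r"^\*\s+expire date: (.+) GMT$", text, re.M):
        info["not_after"] = _parse_gmt(m.group(1))
    if m := re.search(r"^curl: \(\d+\) (.+)$", text, re.M):
        info["error"] = m.group(1).strip()
    return info


def parse_s_client(text):
    """Extract the depth-0 subject CN, X509 verify error codes and notAfter."""
    out = {"subject_cn": None, "errors": [], "not_after": None}
    if m := re.search(r"^depth=0 .*?CN\s*=\s*([^,\n]+)", text, re.M):
        out["subject_cn"] = m.group(1).strip()
    # 18 = self signed certificate, 10 = certificate has expired (OpenSSL codes)
    out["errors"] = [int(n) for n in re.findall(r"verify error:num=(\d+):", text)]
    if m := re.search(r"^notAfter=(.+) GMT$", text, re.M):
        out["not_after"] = _parse_gmt(m.group(1))
    return out


def diagnose(expected_host, good_run, bad_run, bad_s_client="", now=POST_DATE):
    """Compare a working run against a failing one; return (code, detail) findings."""
    good, bad = parse_curl_verbose(good_run), parse_curl_verbose(bad_run)
    findings = []
    if good["ip"] and bad["ip"] and good["ip"] != bad["ip"]:
        findings.append(("ip_mismatch",
                         f"{good['ip']} (good) vs {bad['ip']} (bad): name resolution differs"))
    if bad["error"]:
        findings.append(("verify_failed", bad["error"]))
    if bad_s_client:
        s = parse_s_client(bad_s_client)
        if s["subject_cn"] and s["subject_cn"] != expected_host:
            findings.append(("cn_mismatch",
                             f"peer presented CN={s['subject_cn']}, expected {expected_host}"))
        if 18 in s["errors"]:
            findings.append(("self_signed", "leaf certificate is self-signed (X509 error 18)"))
        if s["not_after"] and s["not_after"] < now:
            findings.append(("expired", f"notAfter {s['not_after']:%Y-%m-%d} is before {now:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose("www.ygdy8.com", HOST_RUN, CONTAINER_RUN, CONTAINER_S_CLIENT):
        print(f"{code:14s} {detail}")
```

Run against the post's own output it reports ip_mismatch, verify_failed, cn_mismatch, self_signed and expired, which together say the container is talking to a host that is not www.ygdy8.com at all. The place to look is therefore the resolution path on server A (compare /etc/resolv.conf on the host with the one inside the container, and what Docker's embedded resolver at 127.0.0.11 forwards to), not curl's trust store: `curl -k`, or `--cacert` with the downloaded ygdy8.pem, would only suppress the one check that is correctly flagging the wrong peer.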