我有一个 Ubuntu 18.04 服务器
在 企业代理
后面。
我设置了 http_proxy
和 https_proxy
环境变量。
服务器正在运行 Docker 19.03
,它也配置为使用 http_proxy 和 https_poxy。
如果在容器内运行 docker run -it ubuntu:18.04
,我可以执行 apt update
和 apt install curl -y
然后我可以做类似 curl www.google.com
的事情。
但它不适用于 https
:
root@1b6abfb4ff90:/# curl -v -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0* Trying 10.30.88.14...
* TCP_NODELAY set
* Connected to xxx (10.30.88.14) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to raw.githubusercontent.com:443
> CONNECT raw.githubusercontent.com:443 HTTP/1.1
> Host: raw.githubusercontent.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connected
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [91 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2741 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl 未能验证服务器的合法性,因此无法 与其建立安全连接。要了解有关此情况的更多信息和 如何解决,请访问上述网页。
在容器外,它工作正常。我还在另一台不在代理后面并且在容器内工作的服务器上进行了完全相同的尝试。
所以我想这是docker deamon的配置问题。或者也许我错了...... 解决方案是什么?
最佳答案
您需要将 SSL 证书安装到 Ubuntu 容器中。例如,在正在运行的实例上,您可以执行以下操作:
apt-get update
apt-get install ca-certificates
然后,您的所有 HTTPs 连接都可以使用 CA 根证书的本地副本进行验证。
对于生产部署,此命令应在 Dockerfile 中:
RUN \
apt-get update && \
apt-get install ca-certificates && \
apt-get clean
编辑
您的代理可能有不受信任的证书。您可以将它添加到包中,或者告诉 curl
不要使用 curl --proxy-insecure
检查代理的证书。
来自 https://curl.se/docs/sslcerts.html :
Since version 7.52.0, curl can do HTTPS to the proxy separately from the connection to the server. This TLS connection is handled separately from the server connection so instead of --insecure and --cacert to control the certificate verification, you use --proxy-insecure and --proxy-cacert. With these options, you make sure that the TLS connection and the trust of the proxy can be kept totally separate from the TLS connection to the server.
关于docker - docker 容器中的 curl 证书失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58338266/