This post was last edited by yizhihenanjing on 2021-9-2 09:47

Problem with curl https://www.ygdy8.com inside a Docker container on Ubuntu server A

Problem:

root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com   // 1. works normally on the host
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com   // 2. inside the container: certificate signature error
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com   // 3. other https sites work fine from inside the container
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.

Troubleshooting I have tried myself:

1. I downloaded the certificate and told curl to use it; the result was a "certificate has expired" error.

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. While looking at the traffic I found that the host and the container resolve the domain to different IPs, so I edited the container's hosts file and pointed the domain at the IP the host resolves to; the result was the same as above, certificate has expired.

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/   // inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
root@1e398e2637b5:/app# exit   // leave the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/   // on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#

3. On another Ubuntu server B I pulled the same image, started the container, entered it and ran curl, and there was no problem at all. I suspect the problem is with server A, or more precisely with server A's Docker network configuration. Docker was installed the same way on both machines and no network-related settings have been changed.
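The two `curl -v` transcripts in the post already contain the answer to "can this endpoint be trusted?": the container connects to a different IP than the host, and that IP serves a self-signed certificate for `CN = IPMI` (a Supermicro BMC) that expired in 2016, so the container is talking to a different machine entirely, not to www.ygdy8.com. Pointing `--cacert` at that certificate would only make curl trust the wrong host. The script below is an added example, not code from the original post or from the forum: it parses `curl -v` / `openssl s_client` style output from two vantage points and reports why the suspect view must not be trusted. The transcripts `HOST_TRANSCRIPT` and `CONTAINER_TRANSCRIPT` are constructed from the lines quoted in the post, and `NOW` is pinned to the date in the post's HTTP response so the expiry check is reproducible.

```python
"""Compare the TLS view of one hostname from two vantage points (host vs container).

Added example, not from the original post. Input is the text that `curl -v` and
`openssl s_client` print; the samples below are constructed from the post.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Regexes for the lines we care about in curl -v and openssl s_client output.
_PEER_IP = re.compile(r"Connected to \S+ \(([0-9.]+)\) port \d+")
_CURL_SUBJECT = re.compile(r"^\*\s+subject: (.+)$", re.M)
_OSSL_SUBJECT = re.compile(r"^depth=0 (.+)$", re.M)
_CURL_EXPIRY = re.compile(r"^\*\s+expire date: (.+)$", re.M)
_OSSL_EXPIRY = re.compile(r"^notAfter=(.+)$", re.M)
_CN = re.compile(r"\bCN\s*=\s*([^,;]+)")

# Constructed from the post: the host reached the real site and verified it.
HOST_TRANSCRIPT = """\
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov  3 00:00:00 2019 GMT
*  expire date: Nov  2 12:00:00 2020 GMT
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
"""

# Constructed from the post: curl -v plus the s_client lines seen in the container.
CONTAINER_TRANSCRIPT = """\
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* SSL certificate problem: self signed certificate
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
"""

# Pinned "current time" (the Date header in the post) so the example is reproducible.
NOW = datetime(2019, 12, 4, tzinfo=timezone.utc)


def parse_cert_time(text: str) -> datetime:
    """Parse 'Nov  2 12:00:00 2020 GMT' (curl/openssl style) into an aware UTC datetime."""
    text = " ".join(text.split())          # collapse the double space curl prints
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


@dataclass
class TlsView:
    """What one client saw when it connected: peer, leaf subject, expiry, verify result."""
    vantage: str
    peer_ip: Optional[str]
    subject: Optional[str]
    not_after: Optional[datetime]
    self_signed: bool
    expired: bool
    verify_ok: bool

    @classmethod
    def from_transcript(cls, vantage: str, text: str) -> "TlsView":
        ip = _PEER_IP.search(text)
        subj = _CURL_SUBJECT.search(text) or _OSSL_SUBJECT.search(text)
        exp = _CURL_EXPIRY.search(text) or _OSSL_EXPIRY.search(text)
        return cls(
            vantage=vantage,
            peer_ip=ip.group(1) if ip else None,
            subject=subj.group(1).strip() if subj else None,
            not_after=parse_cert_time(exp.group(1)) if exp else None,
            self_signed="self signed certificate" in text,
            expired="certificate has expired" in text,
            verify_ok="SSL certificate verify ok" in text,
        )


def common_name(subject: Optional[str]) -> Optional[str]:
    """Pull the CN out of a subject string in either 'CN=x' or 'CN = x' form."""
    m = _CN.search(subject or "")
    return m.group(1).strip() if m else None


def diagnose(reference: TlsView, suspect: TlsView, expected_host: str, now: datetime) -> List[str]:
    """List the reasons `suspect` must not be trusted, using `reference` as the known-good view."""
    findings: List[str] = []
    if reference.peer_ip and suspect.peer_ip and reference.peer_ip != suspect.peer_ip:
        findings.append(f"peer IP differs: {reference.vantage}={reference.peer_ip}, "
                        f"{suspect.vantage}={suspect.peer_ip}")
    cn = common_name(suspect.subject)
    if cn and cn.lower() != expected_host.lower():
        findings.append(f"certificate CN {cn!r} does not name {expected_host}")
    if suspect.self_signed:
        findings.append("certificate is self-signed")
    if suspect.expired or (suspect.not_after is not None and suspect.not_after < now):
        findings.append("certificate is expired")
    if not findings and not suspect.verify_ok:
        findings.append("verification did not succeed for an unrecognised reason")
    return findings


def run_example() -> List[str]:
    host = TlsView.from_transcript("host", HOST_TRANSCRIPT)
    container = TlsView.from_transcript("container", CONTAINER_TRANSCRIPT)
    return diagnose(host, container, "www.ygdy8.com", NOW)


if __name__ == "__main__":
    for line in run_example():
        print("-", line)
```

Every finding here points at the connection, not at the trust store: the right follow-up is to find out why the container resolves www.ygdy8.com to 104.233.229.10 (the container's resolver configuration on server A) rather than to relax certificate verification.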