This post was last edited by yizhihenanjing on 2021-9-2 09:47

On Ubuntu server A, curl https://www.ygdy8.com fails from inside a docker container

Problem:
root@qyi-58abe6739f7ae:~# curl https://www.ygdy8.com    //1. from the host: works normally
<meta http-equiv="refresh" content="1;URL=index.html">
root@qyi-58abe6739f7ae:~# docker exec -it 1e398e2637b5 bash
root@1e398e2637b5:/app# curl https://www.ygdy8.com    //2. inside the container: certificate signature problem
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
...
root@1e398e2637b5:/app# curl https://www.baidu.com    //3. inside the container, other https sites work normally
<!DOCTYPE html><!--STATUS OK--><html>...</html>
root@1e398e2637b5:/app#

Expected:

I expect curl https://www.ygdy8.com inside the container to return the same result as on the host.


Troubleshooting I have already tried:

1. I downloaded the certificate and pointed curl at it; the result was "certificate has expired".

root@1e398e2637b5:/etc/ssl/certs# openssl s_client -showcerts -servername server -connect www.ygdy8.com:443 > ygdy8.pem
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
verify error:num=10:certificate has expired
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
depth=0 C = US, ST = California, O = Super Micro Computer, OU = Software, CN = IPMI
notAfter=Dec 19 00:00:00 2016 GMT
verify return:1
quit

root@1e398e2637b5:/etc/ssl/certs# curl --cacert ygdy8.pem https://www.ygdy8.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

2. Looking at the traffic, I noticed that the host and the container resolve the domain to different IPs, so I edited the hosts file inside the container to map the domain to the IP the host resolves. The result was the same as above: certificate has expired.

root@1e398e2637b5:/app# curl -v https://www.ygdy8.com/    //inside the container
*   Trying 104.233.229.10...
* TCP_NODELAY set
* Connected to www.ygdy8.com (104.233.229.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

root@1e398e2637b5:/app# exit    //leave the container

root@qyi-58abe6739f7ae:~# curl -v https://www.ygdy8.com/    //on the host
*   Trying 156.238.183.80...
* TCP_NODELAY set
* Connected to www.ygdy8.com (156.238.183.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.ygdy8.com
*  start date: Nov 3 00:00:00 2019 GMT
*  expire date: Nov 2 12:00:00 2020 GMT
*  subjectAltName: host "www.ygdy8.com" matched cert's "www.ygdy8.com"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; OU=Domain Validated SSL; CN=TrustAsia TLS RSA CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.ygdy8.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Content-Location: https://www.ygdy8.com/index.htm
< Last-Modified: Thu, 21 Nov 2019 13:08:25 GMT
< Accept-Ranges: bytes
< ETag: "806afc26ca0d51:802"
< Server: Microsoft-IIS/6.0
< Date: Wed, 04 Dec 2019 06:53:23 GMT
< X-Via: 1.1 localhost.localdomain (random:402452 Fikker/Webcache/3.7.9)
< Content-Length: 56
< Connection: close
<
<meta http-equiv="refresh" content="1;URL=index.html">
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
root@qyi-58abe6739f7ae:~#


3. On another Ubuntu server B I pulled the same image, started a container, and curl inside that container worked with no problem at all. I suspect the problem lies with server A, or more precisely with server A's docker network configuration. Docker was installed the same way on both machines and no network-related settings were ever changed.
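Editor's note and added example (not part of the original post). Two observations in the transcript above belong together: the container resolves www.ygdy8.com to 104.233.229.10 while the host gets 156.238.183.80, and the certificate the container receives is self-signed, expired in 2016 and names "Super Micro Computer / IPMI" rather than the site, while the host receives a TrustAsia-issued certificate for www.ygdy8.com. That pattern means the container is handshaking with a different machine than the host is, so passing the served certificate with --cacert (or using -k) would only silence the error while still talking to the wrong endpoint; the useful check is to compare the DNS answer and the leaf certificate in both contexts. The script below is my own illustration of that check, not code from the post: it parses the verify-callback lines that `openssl s_client` prints, flags a leaf whose CN does not name the requested host, and, when run with the environment variables DIAG_HOST and DIAG_EXPECT_IP (names I chose), probes both the address this context resolves and the address the host resolved. It assumes openssl, getent and awk are present.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): triage a TLS failure
# that differs between a Docker container and its host. Assumes openssl, getent
# and awk exist; DIAG_HOST / DIAG_EXPECT_IP are variable names chosen here.

# classify_s_client: read `openssl s_client` output on stdin, print one line:
#   <OK|SUSPECT> subject="<depth-0 subject>" errors=[<codes>] notAfter="<date>"
# Codes are taken from "verify error:num=N:..." lines (OpenSSL X509_V_ERR_* values).
classify_s_client() {
    awk '
        /^depth=0 / && subj == "" { sub(/^depth=0 /, ""); subj = $0 }
        /^verify error:num=/ {
            split($0, a, ":"); code = a[2]; sub(/^num=/, "", code)
            if (!(code in seen)) { seen[code] = 1; errs = errs (errs == "" ? "" : ",") code }
        }
        /^notAfter=/ && na == "" { sub(/^notAfter=/, ""); na = $0 }
        END {
            status = (errs == "") ? "OK" : "SUSPECT"
            printf "%s subject=\"%s\" errors=[%s] notAfter=\"%s\"\n", status, subj, errs, na
        }'
}

# describe_error CODE: short meaning of an OpenSSL X509 verify error code.
describe_error() {
    case "$1" in
        10) echo "certificate has expired" ;;
        18) echo "leaf certificate is self-signed, not issued by any CA in the trust store" ;;
        19) echo "chain ends in a self-signed root that is not in the trust store" ;;
        20) echo "issuer certificate not found locally (incomplete chain or missing CA bundle)" ;;
        21) echo "cannot verify the signature on the leaf certificate" ;;
        62) echo "hostname does not match the certificate" ;;
        *)  echo "verify error $1" ;;
    esac
}

# cn_matches NAME SUBJECT: succeeds when SUBJECT's CN equals NAME. Real clients check
# subjectAltName; this is only a triage hint that the endpoint may be another machine.
cn_matches() {
    cn=$(printf '%s\n' "$2" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p')
    [ "$cn" = "$1" ]
}

# explain NAME VERDICT: turn a classify_s_client line into findings; returns 1 on failure.
explain() {
    name=$1; verdict=$2
    subj=$(printf '%s\n' "$verdict" | sed -n 's/.*subject="\([^"]*\)".*/\1/p')
    errs=$(printf '%s\n' "$verdict" | sed -n 's/.*errors=\[\([^]]*\)].*/\1/p')
    if [ -z "$errs" ]; then
        echo "verified OK: $subj"
        return 0
    fi
    echo "verification failed for $name; leaf subject: $subj"
    for code in $(printf '%s\n' "$errs" | tr ',' ' '); do
        echo "  - $code: $(describe_error "$code")"
    done
    if ! cn_matches "$name" "$subj"; then
        echo "  - CN does not name $name: this endpoint is probably a different machine, not a CA problem"
    fi
    return 1
}

# probe NAME IP: handshake with IP while requesting NAME via SNI, then classify.
# The verify callback lines go to stderr, hence 2>&1; </dev/null ends the session.
probe() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>&1 | classify_s_client
}

# Driver, run only when DIAG_HOST is set, e.g. inside the container:
#   DIAG_HOST=www.ygdy8.com DIAG_EXPECT_IP=156.238.183.80 sh tls_diag.sh
# DIAG_EXPECT_IP is the address the host resolved; if this context resolves
# differently, both endpoints are probed so the two certificates can be compared.
if [ -n "${DIAG_HOST:-}" ]; then
    ip=$(getent hosts "$DIAG_HOST" | awk '{ print $1; exit }')
    ns=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)
    echo "$DIAG_HOST -> ${ip:-unresolved} (resolver $ns)"
    [ -n "$ip" ] && explain "$DIAG_HOST" "$(probe "$DIAG_HOST" "$ip")"
    if [ -n "${DIAG_EXPECT_IP:-}" ] && [ "$ip" != "$DIAG_EXPECT_IP" ]; then
        echo "DNS answer differs from the host's ($DIAG_EXPECT_IP); probing that address too"
        explain "$DIAG_HOST" "$(probe "$DIAG_HOST" "$DIAG_EXPECT_IP")"
    fi
fi
```

Run it once on the host (to learn the expected address and a clean verdict) and once inside the container with DIAG_EXPECT_IP set to that address. A SUSPECT verdict whose CN is not the requested name, as in the IPMI certificate above, points at the resolver path between the two contexts (the container's /etc/resolv.conf and Docker's DNS settings), not at the CA bundle, so adding certificates or disabling verification is the wrong fix.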