I am aware, self signed cert should be written in docker file etc:
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
WORKDIR /app
COPY <my path>/<cert name>.crt /usr/local/share/ca-certificates/<cert name>.crt
RUN update-ca-certificates
I decided to remove the above mentioned line of codes (line 2 and 3) and intend to install the crt as follows:
In the power shell
docker cp <location of the .crt> <image id>:/usr/local/share/ca-certificates/<filename>.crt
Go to the docker image's CLI and, in /app, run
update-ca-certificates
And then restart the affected container.
I tried to curl the link. I encounter this error:
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
What are steps I've missed? I also have install the .pfx in the trusted root and the container is running in Linux.
Also anyone mind sharing how one updates their crt in docker container when the crt is about to expiry?
Related
I'm new to Linux, just installed Lubuntu and faced the problem -
when i'm trying to clone my remote work repo from my company's git:
$ sudo git clone https://path/to/repo.git
I keep on receiving error:
Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none
I know it's mentioning certificates, but i do not have any. And before, i worked on windows and was able to simply git clone this repo without any certs.
This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.
Update list of public CA
The first thing I would recommend is to simply update the list of root CA known to the system as show below.
# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates
This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.
Fetch certificates, direct connection
The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:
openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.
Fetch certificates, web proxy
If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to workaround this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.
# install socat
sudo apt-get install socat -y
# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128
Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.
openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
Add certificate to local certificate list
Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate.
The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single users’ git configuration.
** Adding globally **
cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
** Adding for single user **
git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem
Which silently adds the following lines to ~/.gitconfig
[http "https://git.mycompany.com/"]
sslCAInfo = /home/user/git-mycompany-com.pem
Avoid workarounds
Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.
git config --global http.sslverify false
export GIT_SSL_NO_VERIFY=true
I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here a solution on how this update can be achieve if using WSL on a Windows machine:
#!/usr/bin/bash
# I exported the Zscaler certifcate out of Microsoft Cert Manager. It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.
# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt
# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates
# Inform Ubuntu of new cert.
sudo update-ca-certificates
Given a simple Dockerfile that installs from something from the net, I'm trying to work out an elegant way to allow the build process to trust HTTPS endpoints when the build is both behind a corporate proxy and when it is not. Ideally without making changes to the Dockerfile.
Dockerfile:
FROM alpine
RUN apk update -v; apk add -v curl
Error:
$ docker build .
Sending build context to Docker daemon 83.97kB
Step 1/2 : FROM alpine
---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
curl (no such package):
required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1
The issue here is that my developer machine is on the corporate network behind a traffic-intercepting proxy that man-in-the-middles the connection meaning from apk's point of view inside the Docker build, it is seeing a cert which has been signed by our proxy that it doesn't trust.
Trust from the host machine is not an issue - when I wget the file requested in the build it works:
$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59-- https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’
When I run it on the build server it passes fine cause no forward proxy.
Is there a way to pass in the Ubuntu trust bundle which has the proxy CA's (e.g. /etc/ssl/certs/ca-certificates) to the build process without modifying the Dockerfile?
Thanks!
Create a file named repositories in your local docker build context directory with the following content:
http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community
In your docker build file, before RUN apk update, add the following line:
COPY repositories /etc/apk/repositories
FROM abdennour/alpine:3.14-ssl
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
EXPLAINED!
Request the CA certificate from the team who purchased the SSL Certificates.
Tell them provide me the certificate file "*.der"
Got it ? convert it to .cert file
RUN openssl x509 -inform der -in COMPANY.der -out /usr/local/share/ca-certificates/company-cert.crt && \
cat /usr/local/share/ca-certificates/company-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
update-ca-certificates
But this requires to have openssl ca-certificates packages in the image.
And because you can't install anything, then you can rely on alpine image which includes at least these two packages, like my base image:
FROM abdennour/alpine:3.14-ssl
Background
We have a production fabric cluster setup and has been been running for a year. Now most of the certs expire and the cluster crash, including both tls and identity certs.
I tried to fix by completely removing old certs and private keys, generate and enroll new identities for peer, peer admin, orderer, orderer admin.
Everything works again, but I cannot instantiate/upgrade chaincode in existing channel because the channel was configured with old admin certs.
Problem
So now look like I'm stuck in a deadlock. In order to update channel config with new cert, I need to sign the update with matching old cert, which is already expired and blocked by orderer.
I find out that we can disable expired cert check in orderer using ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true. But now I don't have the old admin private key so I still cannot update the channel config.
Questions
I already replaced old private keys with new one so there is no way to use the old cert again.
Can I do something to resolve this channel issue?
Suggestions are greatly appreciated.
[!] What I'm suggesting is an idea. I haven't tested it.
[!] It seems to be feasible enough, but side-effect is not considered.
[!] It's just a trick, it's correct that it should never be done.
The conclusion is that the orderer and peer's binary can be artificially manipulated and updated.
For fabric, refer to $GOROOT/src/crypto when building binary.
Build in the fabric repository after artificially modifying all ecdsa verify functions in crypto to return true immediately.
cd $GOROOT/src/crypto
vi ecdsa/ecdsa.go # modify `Verify` function
cd $GOPATH/src/github.com/hyperledger/fabric
make peer
make orderer
Back up the binaries of the currently running docker container, and rerun after planting the newly built binaries in the container.
docker cp <peer_container_name>:/usr/local/bin/peer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/peer <peer_container_name>:/usr/local/bin/peer
docker cp <orderer_container_name>:/usr/local/bin/orderer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
Now all verify is valid unconditionally. so, update all recent status.
Afterwards, the backed up binary is replanted into the container to solve this problem.
docker cp ./peer <peer_container_name>:/usr/local/bin/peer
docker cp ./orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
I am running docker registry as container in Redhat Linux 7.5 with Docker 18.09.3-3 version. if configured with self-sign certificate.
container started successfully. it works with curl with-out any error. but giving error for docker login command.
curl command works
curl --cacert /etc/docker/certs.d/dockerhost\:5000/ca.crt https://dockerhost:5000 -v
login command
docker login dockerhost:5000
Error response from daemon: Get https://dockerhost:5000/v2/: x509: certificate signed by unknown authority
how to resolve this error message?
Thanks
My hostname set with upper case letter. Certificate was generated with lower case name. I changed hostname to lowercase, it started working.
I want to update my docker stack automatically from my CI server but I don't figure out how to configure credentials to be able to drive docker from an external host.
I have enabled experimental mode on my server and it works fine in local with docker-machine.
My deploy script look like this:
echo $DOCKER_CERT > cert.pem # which other file ?
OPTS=" --tlsverify --host $DOCKER_DEPLOY_HOST --tlscert cert.pem" # which other args ???
docker $OPTS pull $REPO_IMAGE
docker $OPTS service update multiverse-prod_api
Is there a way (or planned in future version) to achieve this with just an ssh key ?
Thanks !!
You need to configure the docker server with a self signed cert, and then configure the client with a client cert signed from the same ca. The steps to create the certificates and configure the server and client are described by docker in their documentation.