Docker container always shows SSL connection errors
I started using docker compose and have got the simple demo Flask application working. The problem is that I am running it from inside an organization that intercepts all traffic in a way that throws SSL errors left and right. They give us three root certificates that we need to install, and I normally run with those on my own machine, but I am lost as to how to use them in a docker-compose deployment.
When I run docker-compose, I get the following:
$ sudo docker-compose up
Creating network "project_default" with the default driver
Building web
Step 1/5 : FROM python:3.4-alpine
3.4-alpine: Pulling from library/python
81033e7c1d6a: Pull complete
9b61101706a6: Pull complete
415e2a07c89b: Pull complete
f22df7a3f000: Pull complete
8c16bf19c1f9: Pull complete
Digest: sha256:fe436cb066394d81cf49448a04dec7c765082445a500bc44f1ae5e8a455793bd
Status: Downloaded newer image for python:3.4-alpine
---> 5c72717ec319
Step 2/5 : ADD . /code
---> a5790c0e3e94
Removing intermediate container 052c614e41d0
Step 3/5 : WORKDIR /code
---> a2ea9acb3005
Removing intermediate container 77f2375ca0a6
Step 4/5 : RUN pip install -r requirements.txt
---> Running in 5f4fe856776d
Collecting flask (from -r requirements.txt (line 1))
Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1d30>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=3, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f19b0>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=2, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1828>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=1, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1588>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Retrying (Retry(total=0, connect=None, read=None, redirect=None)) after connection broken by 'NewConnectionError('<pip._vendor.requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fb0061f1390>: Failed to establish a new connection: [Errno -3] Try again',)': /simple/flask/
Could not find a version that satisfies the requirement flask (from -r requirements.txt (line 1)) (from versions: )
No matching distribution found for flask (from -r requirements.txt (line 1))
Pip cannot install anything.
The docker-compose.yml file looks like this:
version: '3'
services:
  web:
    build: .
    ports:
      - "5000:5000"
  redis:
    image: "redis:alpine"
The main Dockerfile looks like this:
FROM python:3.4-alpine
ADD . /code
WORKDIR /code
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
Is there a way to make this work in this particular case? Is there a general solution to this kind of problem that lets me hand SSL certificates to any container I deploy and have them used?

This is not really a Docker-specific question: what you are actually asking is "how do I install a certificate authority under Linux?". The answer is the same whether you run the SSL client inside or outside a container.
Your Python image is based on alpine, and alpine uses the "ca-certificates" package to manage CA certificates. To install a local CA certificate you need to (a) copy it into the /usr/share/ca-certificates directory and (b) run update-ca-certificates.
For example, add something like this to your Dockerfile (before the pip install):
COPY company-ca.crt /usr/share/ca-certificates
RUN update-ca-certificates
In my case, I had to add these lines to my Dockerfile:
COPY company.crt /usr/local/share/ca-certificates/company.crt
RUN update-ca-certificates
...
RUN pip install --cert /etc/ssl/certs/company.pem -r requirements.txt
You need the company certificate in .crt format. When docker runs update-ca-certificates, Linux creates a .pem file with the same name under /etc/ssl/certs/. That is the file pip will use for its SSL connections.
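The two answers above describe the same procedure (copy the root certificate where Alpine's update-ca-certificates looks, rebuild the bundle, then tell pip which bundle to trust). The script below is an added example, not code from either answer, that does those steps as a single RUN in the Dockerfile and checks its own work. It assumes the hypothetical file name company.crt, Alpine's default paths, and that `apk add --no-cache ca-certificates openssl` has already run in the image. It also classifies pip's output, because the log in the question ("[Errno -3] Try again" is EAI_AGAIN from getaddrinfo) is a DNS-resolution failure, not a certificate failure, and installing a CA does not change it.

```sh
#!/bin/sh
# add-corp-ca.sh: install a corporate root CA into an Alpine-based image so
# that pip (and anything else using OpenSSL) trusts the intercepting proxy.
# Added example, not code from the original post. Hypothetical names: the
# certificate is company.crt; the paths are Alpine's defaults.
set -eu

CA_DIR=/usr/local/share/ca-certificates      # scanned by Alpine's update-ca-certificates
BUNDLE=/etc/ssl/certs/ca-certificates.crt    # the merged bundle it produces

# is_pem: exit 0 if the certificate on stdin is PEM-armored, 1 if not.
# A DER-encoded .cer exported from Windows is not, and update-ca-certificates
# silently ignores it.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----'
}

# classify_pip_error: read pip's output on stdin and print dns, tls or other.
# "[Errno -3] Try again" is getaddrinfo's EAI_AGAIN: the container cannot
# resolve the index host, so no TLS handshake has happened yet. A real trust
# problem shows up as CERTIFICATE_VERIFY_FAILED inside an SSLError.
classify_pip_error() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q -e 'Errno -3' -e 'Temporary failure in name resolution' -e 'Name or service not known'; then
        echo dns
    elif printf '%s\n' "$log" | grep -q -e 'CERTIFICATE_VERIFY_FAILED' -e 'SSLError'; then
        echo tls
    else
        echo other
    fi
}

# install_ca SRC: copy the root (converting DER to PEM when needed), rebuild
# the bundle, then prove the root is really in it before pip ever runs.
install_ca() {
    src=$1
    dst="$CA_DIR/company.crt"
    mkdir -p "$CA_DIR"
    if is_pem < "$src"; then
        cp "$src" "$dst"
    else
        openssl x509 -inform DER -in "$src" -out "$dst"
    fi
    update-ca-certificates
    # A self-signed root verifies against a bundle only if the bundle contains it.
    openssl verify -CAfile "$BUNDLE" "$dst"
}

# pip does not read the system store: its vendored requests/certifi ships its
# own bundle. Point it at the merged system bundle (not at company.pem alone,
# which would drop every public root) with PIP_CERT, and do the same for the
# requests library. Put these in the Dockerfile as ENV before RUN pip install:
#   ENV PIP_CERT=/etc/ssl/certs/ca-certificates.crt \
#       REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

case "${1:-}" in
    install) install_ca "${2:-company.crt}" ;;
esac
```

In the Dockerfile this becomes `COPY add-corp-ca.sh company.crt /tmp/` followed by `RUN sh /tmp/add-corp-ca.sh install /tmp/company.crt`, placed before `RUN pip install`; if `openssl verify` fails the build stops there, which is where you want to find out.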
In my case, the host's MTU was 1450 while Docker's was 1500.
This caused docker to set an MSS of 1460, and the TLS "server hello" packet was then larger than 1450 bytes, so the host dropped it.
To see whether this is also your case, run ifconfig in the Docker container and on the host. If the host's MTU is less than 1500, it is easy to run into this dropped-packet situation, especially with HTTPS, because the "server hello" has to carry the certificate, which makes it a large packet.
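The MTU diagnosis above, as an added example that is not part of the original answer: the script parses `ip -o link` output, compares the bridge MTU with the host uplink MTU, and writes the daemon setting that pins the bridge. Interface names (eth0 as the host uplink, docker0 as the bridge) and the sample output are constructed for the example; the compose driver option shown in the comment is needed because the network docker-compose creates ("project_default" in the build log above) is user-defined and does not inherit the daemon's bridge MTU.

```sh
#!/bin/sh
# mtu-check.sh: detect the host/bridge MTU mismatch that drops large TLS
# records. Added example, not code from the original answer. Interface names
# (eth0 as the host uplink, docker0 as the bridge) are hypothetical.
set -eu

# mtu_of IFACE: read `ip -o link` output on stdin and print that interface's MTU.
mtu_of() {
    awk -v want="$1" '{ name = $2; sub(/:$/, "", name);
        if (name == want) for (i = 1; i <= NF; i++) if ($i == "mtu") print $(i + 1) }'
}

# tcp_mss MTU: largest TCP payload that fits one IPv4 packet
# (MTU minus the 20-byte IP header and 20-byte TCP header).
tcp_mss() { echo $(( $1 - 40 )); }

# check_mtu HOST_MTU BRIDGE_MTU: exit 0 when every full-size segment sent to a
# container fits the host uplink, 1 when it does not. The container advertises
# an MSS derived from the bridge MTU; a TLS ServerHello carrying a certificate
# chain is several KB, so the server's first segment is a full MSS and is the
# packet that gets dropped.
check_mtu() {
    [ "$(tcp_mss "$2")" -le "$(tcp_mss "$1")" ]
}

# pin_bridge_mtu MTU: daemon setting for the default bridge (docker0). Networks
# that docker-compose creates are user-defined and ignore it; set the driver
# option in the compose file for those:
#   networks:
#     default:
#       driver_opts:
#         com.docker.network.driver.mtu: "1450"
pin_bridge_mtu() {
    printf '{\n  "mtu": %s\n}\n' "$1" > /etc/docker/daemon.json
    echo "restart dockerd for the new MTU to take effect" >&2
}

# diagnose UPLINK BRIDGE: read `ip -o link` on stdin and print the verdict
# with both MTUs, e.g. "mismatch 1450 1500".
diagnose() {
    link=$(cat)
    host=$(printf '%s\n' "$link" | mtu_of "$1")
    bridge=$(printf '%s\n' "$link" | mtu_of "$2")
    if check_mtu "$host" "$bridge"; then
        echo "ok $host $bridge"
    else
        echo "mismatch $host $bridge"
    fi
}

# Constructed sample of `ip -o link` on a host whose uplink is 1450 while the
# docker bridge is still at the default 1500 (the situation in the answer).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 02:42:0a:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Live use:  ip -o link | sh mtu-check.sh eth0 docker0
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it on the host, not in the container: the container only sees its own eth0 at the bridge MTU, and the drop happens on the host's uplink. A quick confirmation from inside the container is `ping -M do -s 1422 <index host>` (1450 minus 28 bytes of IP and ICMP headers), which succeeds, while `-s 1472` fails once the path MTU is 1450.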