
Secure Connection #34

Open
alatdev opened this issue Apr 9, 2018 · 8 comments

Comments

@alatdev

alatdev commented Apr 9, 2018

Hi,

I can't use check_docker with my secure docker daemon.
I need to use client certificates, but where do I have to store them?
Are there any command line arguments or environment variables?

./check_docker --secure-connection host:port --health
Traceback (most recent call last):
  File "/usr/lib64/python3.4/urllib/request.py", line 1183, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib64/python3.4/http/client.py", line 1137, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python3.4/http/client.py", line 1182, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python3.4/http/client.py", line 1133, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python3.4/http/client.py", line 963, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.4/http/client.py", line 898, in send
    self.connect()
  File "/usr/lib64/python3.4/http/client.py", line 1287, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.4/ssl.py", line 362, in wrap_socket
    _context=self)
  File "/usr/lib64/python3.4/ssl.py", line 580, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.4/ssl.py", line 807, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./check_docker", line 762, in perform_checks
    containers = get_containers(args.containers, args.present)
  File "./check_docker", line 256, in get_containers
    containers_list, _ = get_url(daemon + '/containers/json?all=1')
  File "/usr/lib64/python3.4/functools.py", line 472, in wrapper
    result = user_function(*args, **kwds)
  File "./check_docker", line 204, in get_url
    response = better_urllib_get.open(url, timeout=timeout)
  File "/usr/lib64/python3.4/urllib/request.py", line 464, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.4/urllib/request.py", line 482, in _open
    '_open', req)
  File "/usr/lib64/python3.4/urllib/request.py", line 442, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.4/urllib/request.py", line 1226, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python3.4/urllib/request.py", line 1185, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)>
UNKNOWN: Exception raised during check': URLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)'),)
@timdaman
Owner

timdaman commented Apr 9, 2018

I suspect the issue is with your system level certificate store. Python uses OpenSSL, which is generally installed and configured by your OS vendor. Could you try installing the remote server's cert in your cert store? Googling 'commandline add certificate to' usually is helpful.

Sorry, my week is packed so it may be a few days before I can write anything more detailed.

@Codelica

Adding the private CA cert to the system store could/should help resolve the Docker (server) cert, but I think he's running into what I was looking for also -- a way to supply a client cert/key pair for authentication. There is some info at the end of this page: https://docs.docker.com/engine/security/https/#other-modes

But basically supplying the equivalent of:

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=<some-host>:2376 <some-command>...

or the curl use of the API:

curl https://<some-host>:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem

Basically for Docker daemons that require server and client verification. Not sure if this command would use client certs from some keyring or something?

I read you're busy.. no rush, just curious also :)
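As an added example (not check_docker's own code, and not the change from pull request #44), here is how the docker/curl invocations quoted above translate into Python's standard library: an `ssl.SSLContext` that verifies the daemon against `--tlscacert` and presents the `--tlscert`/`--tlskey` pair, plugged into `urllib` the way check_docker's `get_url` uses an opener. The flag names are assumed to mirror the docker CLI flags above; `ca.pem`, `cert.pem`, `key.pem` and `<some-host>:2376` are placeholders. The `explain_ssl_error` helper is also an assumption of mine: it turns the `SSLV3_ALERT_BAD_CERTIFICATE` message from the traceback (an alert sent by the daemon, i.e. it rejected or did not receive a client certificate) and the client-side `CERTIFICATE_VERIFY_FAILED` case into a hint about which of the three files to check.

```python
import argparse
import json
import ssl
import urllib.error
import urllib.request


def parse_tls_args(argv):
    """Parse connection and TLS flags (names assumed to mirror the docker CLI)."""
    parser = argparse.ArgumentParser(description="Docker API client with mutual TLS")
    parser.add_argument("--connection", required=True, help="host:port of the daemon")
    parser.add_argument("--secure-connection", action="store_true", help="use HTTPS")
    parser.add_argument("--tlscacert", help="CA certificate (PEM) that signed the daemon cert")
    parser.add_argument("--tlscert", help="client certificate (PEM) presented to the daemon")
    parser.add_argument("--tlskey", help="private key (PEM) matching --tlscert")
    args = parser.parse_args(argv)
    # A cert without its key (or vice versa) cannot authenticate: fail early.
    if bool(args.tlscert) != bool(args.tlskey):
        parser.error("--tlscert and --tlskey must be given together")
    return args


def daemon_base_url(connection, secure):
    """Build the base URL that API paths such as /containers/json are appended to."""
    return ("https" if secure else "http") + "://" + connection


def build_tls_context(cacert=None, cert=None, key=None):
    """Verifying context: hostname check + CA verification, plus optional client cert."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True;
    # cafile=None falls back to the OS trust store (what the daemon cert must
    # chain to if you do not pass --tlscacert).
    ctx = ssl.create_default_context(cafile=cacert)
    if cert:
        # Equivalent of curl --cert/--key: present this pair during the handshake.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def build_opener(ctx=None):
    """urllib opener that uses the given SSL context for every https:// request."""
    if ctx is None:
        return urllib.request.build_opener()
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def get_json(opener, url, timeout=10):
    """Fetch a JSON document from the daemon API through the opener."""
    with opener.open(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def explain_ssl_error(err):
    """Map the two common handshake failures to the file that is usually wrong."""
    text = str(err)
    if "BAD_CERTIFICATE" in text:
        return ("daemon rejected the client certificate or none was presented: "
                "check --tlscert/--tlskey")
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return ("could not verify the daemon certificate: check --tlscacert "
                "or the system trust store")
    return "TLS handshake failed: " + text


def main(argv=None):
    args = parse_tls_args(argv)
    ctx = None
    if args.secure_connection:
        ctx = build_tls_context(args.tlscacert, args.tlscert, args.tlskey)
    opener = build_opener(ctx)
    url = daemon_base_url(args.connection, args.secure_connection) + "/containers/json?all=1"
    try:
        containers = get_json(opener, url)
    except urllib.error.URLError as exc:
        # urllib wraps the SSLError from the handshake in URLError(reason=...).
        print("UNKNOWN:", explain_ssl_error(exc.reason))
        return 3
    print("OK: {} containers".format(len(containers)))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as `python3 client.py --connection <some-host>:2376 --secure-connection --tlscacert ca.pem --tlscert cert.pem --tlskey key.pem`. Note that `create_default_context` keeps hostname verification on, so the name in `--connection` must match a SAN in the daemon certificate, exactly as with `docker --tlsverify`; disabling that check to make the error go away would defeat the server verification the daemon setup is meant to provide.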

@timdaman
Owner

Sorry, when I initially read it I hadn't caught on to the client cert detail. I will see if there is a sensible way of doing that.

@osfrance

osfrance commented Jul 4, 2018

Hi, I integrated TLS certificate files for the secure Docker daemon socket in pull request #44.

@osfrance

osfrance commented Jul 4, 2018

If you are interested, I changed the script check_swarm.py to integrate TLS certificate files, see pull request #44.

@alatdev
Author

alatdev commented Oct 22, 2018

@osfrance works in my environment.

@Docjones

Docjones commented Feb 6, 2019

I ran into the same problem - anyone able to help?

@Nagaraj4775

I was also facing a similar kind of issue: when I used curl with the certs it works, but through the script I face the same issue. I would suspect the certs are not being read properly when making the HTTPS request.
