堆栈内存溢出
  简体   繁体   English

Jenkins:即将进行的SSL通信Docker容器

[英]Jenkins: Outgoing SSL communication Docker Container

 原文  2017-12-01 23:33:05       ssl/ docker/ jenkins/ containers

问题描述

I've been trying to use the Jenkins docker container. 我一直在尝试使用Jenkins docker容器。

I'm building the container using the docker_container module in Ansible. 我正在使用Ansible中的docker_container模块构建容器。 I'm providing the additional config options for the container in the "command" option like so: 我在“命令”选项中为容器提供其他配置选项,如下所示: 

--httpPort=-1 --httpsPort=8443 --httpsKeyStore={{ keystore_path }} --httpsKeyStorePassword={{ keystore_password }}

The keystore is a properly configured entrust-signed javakeystore with my entire root chain intact in the file (I've verified through keytool) 密钥库是一个配置正确的受委托签名的javakeystore,文件中我的整个根链都完整无缺(我已经通过keytool进行了验证)

I get the app to spin up and show as properly configured (TLS and properly signed) and connecting out to the plugin community works fine (I can download and configure plugins and their dependencies.) 我使该应用程序启动并显示为正确配置(TLS和正确签名),并连接到插件社区工作正常(我可以下载和配置插件及其依赖项。)

But when I try to communicate with other resources over SSL which are signed by the same root authority, I'm getting a big ol' error. 但是,当我尝试通过SSL(由同一个根权限签名)与其他资源进行通信时,出现一个很大的错误。 Doesn't matter if I use a plugin configured with an https address, or if I set up a build with a curl... both fail. 不管我使用的是配置有https地址的插件,还是设置了curl的版本都无济于事。 For info, curl -k works fine (as expected) 有关信息,curl -k可以正常工作(按预期)

Am I missing some configuration with the keystore? 我是否缺少密钥库的某些配置? Should I be adding a ref to the keystore somewhere other than during the container deployment? 我是否应该在容器部署期间以外的其他地方向密钥库添加引用? I've searched high and low and am pretty stumped... 我搜寻了高低,很困惑...

If I do it through Curl, here's what shows up in the console output: 如果我通过Curl进行操作,则控制台输出中将显示以下内容: 

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

If I do it through the plugin, heres the stacktrace: 如果我通过插件执行此操作,则为以下堆栈跟踪: 

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at jenkins.plugins.mattermost.StandardMattermostService.publish(StandardMattermostService.java:99)
    at jenkins.plugins.mattermost.StandardMattermostService.publish(StandardMattermostService.java:41)
    at jenkins.plugins.mattermost.MattermostNotifier$DescriptorImpl.doTestConnection(MattermostNotifier.java:413)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
    at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:80)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
        at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

1 个解决方案

解决方案1
 1  2017-12-02 06:02:11

Just in case, do add your certificate to the OS itself. 为了以防万一,请务必将证书添加到操作系统本身。
What I usually do with my image is: 我通常对图像进行处理:

  • either create a new image, where I COPY mycert /usr/local/share/ca-certificates and RUN update-ca-certificates 要么创建一个新映像,我在其中COPY mycert /usr/local/share/ca-certificatesRUN update-ca-certificates

  • or, for existing containers: 或者,对于现有容器: 

     docker cp mycert my-container:/usr/local/share/ca-certificates docker exec -u root -t my-container update-ca-certificates

And double-check which jdk is actually used, in order to make sure you patched the right <jdk>/jre/lib/security/cacerts keystore. 并仔细检查实际使用的是哪个jdk,以确保您修补了正确的<jdk>/jre/lib/security/cacerts密钥库。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Jenkins在Docker上使用SSL - Jenkins with SSL over Docker Docker 集装箱 SSL 证书 - Docker container SSL certificates SSL 在 Nginx docker 容器中不工作 - SSL not working in Nginx docker container 尝试 ssl 到 docker nginx 容器 - trying ssl to docker nginx container docker nginx ssl proxy传递给另一个容器 - docker nginx ssl proxy pass to another container Docker 容器总是显示 ssl 连接错误 - Docker container always shows ssl connection error 无法让 SSL 在 Docker 容器中工作 - Cannot get SSL to work in Docker container 添加 SSL 证书到 Docker linux 容器 - Adding SSL certificates to Docker linux container 将 SSL 证书添加到 NGINX docker 容器 - Adding SSL certs to NGINX docker container 在Jelastic上托管的Docker容器中的nginx上使用SSL - Using SSL on nginx in a Docker container hosted on Jelastic
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM