
openssl Cannot Create or Write to p12 File on AWS ECS Container

I have two docker images, one is a base image and the other uses the base image to create a more specific image for a Java microservice.

The base image calls an entrypoint bash script, which in turn calls a Python script. I wasn't involved in the initial setup of this so can't comment on why it is done this way, but it spins up the microservice fine so there is no issue with it as it is.

However in the Python script I am now trying to add some extra Java SSL parameters to support HTTPS traffic. I'm quite new to this but others in my company have done a similar thing which has worked.

In my Python script I'm running openssl to create cert files, using AWS SSM parameters for the content. openssl should then output a "bundle.p12" file, a collection of the certs.

What I'm finding is that the script cannot create this bundle.p12 file. I have since tried having a blank bundle.p12 file already on the container, but then it cannot write to it, i.e. it remains blank.

import os
import subprocess

# Export cert + chain + key into bundle.p12; openssl reads the export password from the PASSWORD environment variable.
subprocess.run(['sudo', 'openssl', 'pkcs12', '-export', '-password', 'env:PASSWORD', '-in', './microservice/cloudwild.crt', '-certfile', './microservice/cloudchain.pem', '-inkey', './microservice/cloudwild.key', '-name', 'bundle', '-out', './microservice/bundle.p12'])
subprocess.run(['ls', '-la', './microservice'])
# subprocess.run() does not go through a shell, so '$PASSWORD' would be passed literally; read the values from the environment instead.
subprocess.run(['keytool', '-importkeystore', '-noprompt', '-deststorepass', os.environ['PASSWORD'], '-srcstorepass', os.environ['KEYSTORE_PASSWORD'], '-destkeystore', './microservice/keystore.p12', '-deststoretype', 'pkcs12', '-srckeystore', './microservice/bundle.p12', '-srcstoretype', 'PKCS12'])

The ls -la command after openssl shows that bundle.p12 is still 0 bytes. keytool then throws an error saying the p12 file exists, but is blank.

So the issue appears to be openssl and what looks like permissions. However, in the base image Dockerfile I am setting the whole folder the p12 file is in, and the p12 file itself, to a user "bob" and switching to that user prior to calling the entrypoint bash script (which calls the Python script).

I'm not sure what the issue could be here, whether it's to do with having two images involved, it being on a container, or something around the p12 file permissions.

If I run the same openssl and keytool commands locally, it works fine and puts the bundle of certs in the keystore.

I appreciate I have left some other specifics of code out (dockerfile for example) so can share these if needed, but hoping someone has a broader opinion on what could be the problem with editing the p12 file.

My issue here was the paths for the cert files and p12 file. I had to use os.path.join to pass the paths in that way.
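As an added example (not the poster's code), this is what the path handling from the fix above looks like when done deliberately, with input and output checks that turn a silent 0-byte bundle.p12 into an immediate error. The openssl binary name and the file names from the question are assumptions.

```python
import os
import subprocess

# Added example (not the poster's code): build the cert paths the way the
# accepted fix did, with os.path.join, and make a 0-byte bundle.p12 impossible
# to miss. File names are the ones from the question.
CERT_FILES = {"cert": "cloudwild.crt", "chain": "cloudchain.pem",
              "key": "cloudwild.key", "out": "bundle.p12"}


def resolve_paths(base_dir):
    """Return absolute paths for every cert file under base_dir."""
    base_dir = os.path.abspath(base_dir)
    return {k: os.path.join(base_dir, v) for k, v in CERT_FILES.items()}


def check_inputs(paths):
    """Fail early with a clear message instead of leaving an empty output file."""
    missing = [p for k, p in paths.items() if k != "out" and not os.path.isfile(p)]
    if missing:
        raise FileNotFoundError("missing input files: " + ", ".join(missing))
    out_dir = os.path.dirname(paths["out"])
    if not os.access(out_dir, os.W_OK):
        raise PermissionError("cannot write to " + out_dir)


def run_checked(cmd, out_path, env):
    """Run cmd without a shell, raise on non-zero exit, verify out_path is non-empty."""
    result = subprocess.run(cmd, env=env, check=True, capture_output=True, text=True)
    size = os.path.getsize(out_path) if os.path.exists(out_path) else 0
    if size == 0:
        raise RuntimeError("%s wrote no output; stderr: %s" % (cmd[0], result.stderr))
    return size


def export_pkcs12(base_dir, password, openssl="openssl"):
    """Build bundle.p12 from the cert, chain and key under base_dir; return its path."""
    paths = resolve_paths(base_dir)
    check_inputs(paths)
    # Run as the current user: sudo's default env_reset drops PASSWORD, so
    # 'env:PASSWORD' would resolve to an empty password under sudo.
    env = dict(os.environ, PASSWORD=password)
    cmd = [openssl, "pkcs12", "-export", "-password", "env:PASSWORD",
           "-in", paths["cert"], "-certfile", paths["chain"],
           "-inkey", paths["key"], "-name", "bundle", "-out", paths["out"]]
    run_checked(cmd, paths["out"], env)
    return paths["out"]
```

Calling export_pkcs12("./microservice", password) from the entrypoint gives a stack trace naming the missing file, the unwritable directory or openssl's stderr instead of an empty bundle.p12 that only keytool complains about later.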
