Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/20267339/
Docker behind proxy that changes ssl certificate
Asked by reen
I am trying to run the following docker command:
docker run -i -t ubuntu /bin/bash
But I get the error:
Unable to find image 'ubuntu' (tag: latest) locally
Pulling repository ubuntu
2013/11/28 14:00:24 Get https://index.docker.io/v1/images/ubuntu/ancestry: x509: certificate signed by unknown authority
I know that our company replaces the SSL Certificate on the fly for https requests.
I tried to trust our company's CA certificate by putting it in:
/etc/pki/tls/certs/ca-bundle.crt
and
/etc/pki/tls/cert.pem
But it is still not working.
Any ideas?
Accepted answer by Marcel Friedmann
To configure docker to work with a proxy system you first need to add the HTTPS_PROXY / HTTP_PROXY environment variables to the docker sysconfig file. However, depending on whether you use init.d or the services tool, you need to add the "export" statement. As a workaround you can simply add both variants to the sysconfig file of docker:
/etc/sysconfig/docker
HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
To get docker working with ssl intercepting proxies you have to add the proxy root certificate to the systems trust store.
For CentOS copy the file to /etc/pki/ca-trust/source/anchors/ and update the ca trust store. Restart the docker service afterwards. If your proxy uses NTLM authentication - it's necessary to use intermediate proxies like cntlm. This blog post explains it in detail
Answered by jpetazzo
According to http://golang.org/src/pkg/crypto/x509/root_unix.go, you should append your certificate to one of the following:
- /etc/ssl/certs/ca-certificates.crt
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/ca-bundle.pem
- /etc/ssl/cert.pem
- /usr/local/share/certs/ca-root-nss.crt
Find the one that exists on your system, and append your certificate to it.
(And be ready to do it again when you upgrade the package containing that file...)
I hope there is a better method, but this is the only one I found so far :-)
Answered by Sergey Evstifeev
@jpetazzo's answer is overall correct, however there is a nicer way to do the same thing (without manually editing a ca-bundle file):
on CentOS:
sudo cp yourcert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
sudo service docker restart
on Debian:
sudo cp yourcert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo service docker restart
Note that restarting docker daemon is necessary!
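The two answers above describe the same fix in two forms: appending the proxy's root CA to whichever bundle file Go's crypto/x509 will read (jpetazzo), or dropping it into the distro's anchors directory and letting update-ca-trust / update-ca-certificates rebuild that bundle (Sergey Evstifeev). The script below is an added example, not code from the thread; it ties both together and makes the append idempotent by comparing SHA-256 fingerprints of the DER bodies (the same value `openssl x509 -fingerprint -sha256` prints), which addresses jpetazzo's warning about having to redo the edit after a package upgrade. The candidate bundle list is the root_unix.go list from the answer; the two anchor directories and update commands are the ones from the accepted and third answers. Everything takes a `root` argument so it can be dry-run against a scratch tree; the PEM blobs in `demo()` are constructed placeholders, not real certificates, and the runtime root (`/`) is only touched if you call the functions with it yourself. Restarting the docker daemon afterwards, as both answers note, is still up to you.

```python
"""Idempotently add a TLS-intercepting proxy's root CA to the trust stores
Go (and therefore the docker daemon) reads.  Added example, not from the
StackOverflow thread.  All paths are resolved under a configurable root."""
import base64
import hashlib
import os
import re
import tempfile

# Bundle files Go's crypto/x509 root_unix.go tries, in order (from jpetazzo's answer).
GO_BUNDLE_CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
]

# Distro-native mechanism: drop the .crt here, then run this command (from the answers).
DISTRO_ANCHORS = [
    ("/etc/pki/ca-trust/source/anchors", "update-ca-trust extract"),  # CentOS / RHEL
    ("/usr/local/share/ca-certificates", "update-ca-certificates"),   # Debian / Ubuntu
]

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _under(root, path):
    """Resolve an absolute path beneath `root` (root="/" means the live system)."""
    return os.path.join(root, path.lstrip("/"))


def cert_fingerprints(pem_text):
    """SHA-256 hex fingerprints of every certificate body in a PEM blob.
    The hash is over the decoded DER, so it matches openssl's -fingerprint -sha256."""
    fps = []
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def existing_go_bundles(root="/"):
    """Which of Go's candidate bundle files exist; Go uses the first one it finds."""
    return [p for p in GO_BUNDLE_CANDIDATES if os.path.isfile(_under(root, p))]


def distro_install_plan(root="/"):
    """(anchor_dir, update_command) for the first distro mechanism present, else None."""
    for anchor_dir, cmd in DISTRO_ANCHORS:
        if os.path.isdir(_under(root, anchor_dir)):
            return anchor_dir, cmd
    return None


def append_ca_if_missing(bundle_path, ca_pem):
    """Append ca_pem to bundle_path unless a cert with the same SHA-256 fingerprint
    is already present.  Returns True if the bundle was changed."""
    new_fps = cert_fingerprints(ca_pem)
    if len(new_fps) != 1:
        raise ValueError("expected exactly one certificate in ca_pem")
    with open(bundle_path, "r", encoding="ascii") as f:
        existing = f.read()
    if new_fps[0] in cert_fingerprints(existing):
        return False
    with open(bundle_path, "a", encoding="ascii") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")
        f.write(ca_pem.strip() + "\n")
    return True


def _fake_pem(label):
    """Constructed placeholder PEM (not a real certificate) for the demo."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_PROXY_CA = _fake_pem("constructed stand-in for the proxy root CA DER")


def demo(root=None):
    """Build a scratch CentOS-like tree under `root` and run the whole flow on it."""
    if root is None:
        root = tempfile.mkdtemp(prefix="catrust-")
    bundle = _under(root, "/etc/pki/tls/certs/ca-bundle.crt")
    os.makedirs(os.path.dirname(bundle), exist_ok=True)
    os.makedirs(_under(root, "/etc/pki/ca-trust/source/anchors"), exist_ok=True)
    with open(bundle, "w", encoding="ascii") as f:
        f.write(_fake_pem("constructed pre-existing public root CA"))
    first = append_ca_if_missing(bundle, SAMPLE_PROXY_CA)    # appends
    second = append_ca_if_missing(bundle, SAMPLE_PROXY_CA)   # no-op: already trusted
    with open(bundle, encoding="ascii") as f:
        count = len(cert_fingerprints(f.read()))
    return {
        "go_bundles": existing_go_bundles(root),
        "plan": distro_install_plan(root),
        "first_append": first,
        "second_append": second,
        "certs_in_bundle": count,
    }


if __name__ == "__main__":
    print(demo())
```

On a real host you would run `existing_go_bundles()` to see which file the daemon will actually read, prefer `distro_install_plan()` when it returns a mechanism (the rebuilt bundle survives package upgrades), and fall back to `append_ca_if_missing()` on the first Go candidate only where no such tool exists; either way, `service docker restart` afterwards is required because the daemon loads the roots once at start-up.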