kaniko
v1.9.2 new TLS error for insecure (alert code 80)
Actual behavior
Kaniko v1.9.2 raises a TLS error using wget for insecure self-signed certificates. This was working fine for v1.9.1 and below.
➜ ~ docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.2-debug --no-check-certificates https://git.local
Connecting to git.local (10.10.0.1:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 80): internal error
wget: error getting response: Connection reset by peer
➜ ~ docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.1-debug --no-check-certificates https://git.local
Connecting to git.local (10.10.0.1:443)
wget: note: TLS certificate validation not implemented
saving to 'FILE.crt'
FILE.crt 100% |**********************************************************************************************| 7107 0:00:00 ETA
'FILE.crt' saved
Expected behavior
wget should ignore TLS verification when --no-check-certificates is given.
To Reproduce
Steps to reproduce the behavior:
- docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.2-debug --no-check-certificates https://git.local
- when git.local is using self-signed certificates
KR
Hitting the same here
I'm hitting a similar error without --no-check-certificates
in 1.9.2, it was working fine in 1.9.1.
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer
This is caused by an issue in busybox:musl: https://github.com/docker-library/busybox/issues/162
The debug image is based on busybox:musl; changing it to busybox:1.35.0-musl should fix the problem.
Also of note, this only happens on certain URLs -- https://github.com works, but https://amazon.com does not.
Are folks in the thread here still having this issue using the latest v1.11.0 release of kaniko (seems likely as the busybox issue is still open)? Is there any opinion here on the preferred fix to be made in kaniko to resolve this issue for users? Pinning busybox:1.35.0-musl seems like an acceptable fix in the short term - want to weigh that vs. any other suggested fixes as pinning is not ideal.
Still running into this exact issue, tested just now with v1.12.0. We're currently pinned on v1.9.1 as the last known working version.
In our case: during the Docker build we need to download some files from a server with a very old openssl version:
Connecting to xxx (xxx)
wget: note: TLS certificate validation not implemented
wget: short read, have only 0: Connection reset by peer
wget: error getting response: Connection reset by peer
Update about this problem.
I've tested several versions of busybox, and version 1.35 seems to work fine, as @aaron-prindle said.
Latest (1.36.1) busybox:musl - as in Kaniko's Dockerfile:
@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:musl
/ # busybox | head -1
BusyBox v1.36.1 (2023-07-17 19:24:58 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer
Latest version (v1.36.1) of busybox:glibc - I thought the problem was only with musl and decided to check:
@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:glibc
/ # busybox | head -1
BusyBox v1.36.1 (2023-07-17 18:29:09 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer
Specific version - busybox:1.35.0-musl
@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:1.35.0-musl
Unable to find image 'busybox:1.35.0-musl' locally
1.35.0-musl: Pulling from library/busybox
Digest: sha256:4173c82ba78b6b64776907f6dd6af48eee80697e0d4852086e8f8f2bc8c93384
Status: Downloaded newer image for busybox:1.35.0-musl
/ # busybox | head -1
BusyBox v1.35.0 (2023-07-17 19:33:24 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
saving to 'index.html'
index.html 100% |***************************************************************************| 502 0:00:00 ETA
'index.html' saved
And one last test.
Updated Dockerfile to specify busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 instead of busybox:musl:
cat deploy/Dockerfile
...
# use musl busybox since it's staticly compiled on all platforms
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 AS busybox
...
@zhekazuev ➜ /workspaces/kaniko (main) $ docker build -t gcr.io/kaniko-project/executor:debug-1.35.0-musl --target kaniko-debug -f deploy/Dockerfile .
...
And run the built kaniko image:
@zhekazuev ➜ /workspaces/kaniko (main) $ docker run -it --rm --entrypoint="" gcr.io/kaniko-project/executor:debug-1.35.0-musl /bin/sh
/workspace # wget https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html 100% |*******************************************************************************| 502 0:00:00 ETA
'index.html' saved
/workspace # rm index.html
/workspace # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
saving to 'index.html'
index.html 100% |*******************************************************************************| 502 0:00:00 ETA
'index.html' saved
This requires using a specific version of busybox:musl. I think busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 would be the best solution.
And I don't see why we can't use distroless and distroless-debug by Google as a base instead of busybox.
And use the /etc/ssl/certs path instead of /kaniko/ssl/certs - most docker linuxes use that path for ca certs, and /kaniko/ssl/certs is a bit confusing.
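The check a practitioner would want after this thread, added here as an example and not code from kaniko or from any participant: a POSIX sh script that verifies every base image a Dockerfile pulls is pinned by tag and sha256 digest, and that the digest is well-formed (64 hex characters), so that a floating tag like busybox:musl, or a digest corrupted while copying it, is caught before the image is built. The sample Dockerfile it writes to a temp file is constructed (the good digest is the one quoted above; the last FROM line repeats it with two characters duplicated on purpose), and the script name pin-check.sh is assumed.

```shell
#!/bin/sh
# Added example (not kaniko's own code): verify that every base image a
# Dockerfile pulls is pinned by tag AND sha256 digest, and that the digest is
# well-formed (64 hex characters). A floating tag such as busybox:musl is how
# the wget regression reached the kaniko debug image; a mistyped digest would
# simply fail to pull. Needs only POSIX sh, awk and grep.

# base_images DOCKERFILE
# Print the image reference of every FROM line that actually pulls an image:
# --platform style flags are skipped, and "scratch" and references to earlier
# build stages (FROM ... AS name) are left out because they cannot be pinned.
base_images() {
    awk '
        toupper($1) == "FROM" {
            img = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--/) continue
                if (img == "") { img = $i; continue }
                if (toupper($i) == "AS" && i < NF) stages[$(i + 1)] = 1
            }
            if (img != "" && img != "scratch" && !(img in stages)) print img
        }' "$1"
}

# pinned_ref IMAGE
# Succeed only for "name:tag@sha256:<64 hex chars>".
pinned_ref() {
    image="$1"
    case "$image" in
        *@sha256:*) ;;
        *) return 1 ;;          # no digest at all
    esac
    digest="${image##*@sha256:}"
    ref="${image%@sha256:*}"
    case "${ref##*/}" in        # last path component must carry a tag
        *:*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'
}

# check_dockerfile DOCKERFILE
# Print a verdict per base image; the return value is the number of failures.
check_dockerfile() {
    fails=0
    for image in $(base_images "$1"); do
        if pinned_ref "$image"; then
            echo "OK   $image"
        else
            echo "FAIL $image"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample Dockerfile, modelled on the shape of kaniko's
# deploy/Dockerfile. The good digest is the one quoted in the thread; the
# busybox-typo line repeats it with two characters duplicated (constructed).
SAMPLE_DOCKERFILE="${TMPDIR:-/tmp}/pin-check-sample.Dockerfile"
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
FROM golang:1.21 AS builder
FROM busybox:musl AS busybox-floating
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 AS busybox
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b0214585856a3edd4fff19d97a8e78d5 AS busybox-typo
FROM scratch
COPY --from=busybox /bin/busybox /busybox/busybox
EOF

# Usage: sh pin-check.sh [Dockerfile]; defaults to the constructed sample,
# where golang:1.21, busybox:musl and the corrupted digest fail (3 failures).
check_dockerfile "${1:-$SAMPLE_DOCKERFILE}" || echo "$? base image(s) not fully pinned"
```

Run it against deploy/Dockerfile in CI and fail the build on a non-zero exit; the tag-plus-digest form is what the pinned line in the thread uses, and the digest is what actually fixes the content, the tag only documents which version that content is.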
For the record, the error still exists in gcr.io/kaniko-project/executor:v1.20.0-debug.
This is most likely since the aforementioned PR updating/pinning busybox got rejected: https://github.com/GoogleContainerTools/kaniko/pull/2765#issuecomment-1831150620
Had the same problem with v1.21.1-debug. --no-check-certificates had no effect; downgrading to v1.9.1-debug worked, as mentioned by @Fen0l.