anchore-engine
Unable to get feeds to work with proxy root CA
Is this a request for help?: Yes
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): Bug Report
Version of Anchore Engine and Anchore CLI if applicable:
Version: 0.10.0
What happened:
I am trying to get the service to run behind a private SSL proxy.
I have tried ANCHORE_INTERNAL_SSL_VERIFY=false.
I have my certs installed via /etc/pki/ca-trust/source/anchors.
I installed certs in /usr/local/lib/python3.8/site-packages/certifi/cacert.pem.
This is the detailed message:
details:
  cause: 'Feed list operation failed. Msg: b''server error: Could not find a suitable TLS CA certificate bundle, invalid path: etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt''.'
  sync_feed_types:
  - vulnerabilities
  - nvdv2
  - github
level: error
message: Feeds sync task failed
resource:
  id: null
  type: feeds
  user_id: admin
source:
What did you expect to happen:
Any relevant log output from /var/log/anchore:
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] [Thread-43] [anchore_engine.services.policy_engine.engine.vulns.providers/rescan_images_loaded_during_feed_sync()] [INFO] Detected images: [] for rescan (operation_id=c4161a55ca29478aa00ff3e01840e0ce)
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] Exception in thread Thread-43:
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] Traceback (most recent call last):
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/lib64/python3.8/threading.py", line 932, in _bootstrap_inner
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] self.run()
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/lib64/python3.8/threading.py", line 870, in run
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] self._target(*self._args, **self._kwargs)
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/tasks.py", line 186, in
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] target=lambda: result.append(task.execute()),
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/tasks.py", line 253, in execute
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] DataFeeds.sync(
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/sync.py", line 284, in sync
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] source_feeds = DataFeeds.get_feed_group_information(feed_client, to_sync)
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/sync.py", line 136, in get_feed_group_information
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] source_resp = feed_client.list_feeds()
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 305, in list_feeds
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] raise e
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] File "/usr/local/lib/python3.8/site-packages/anchore_engine/services/policy_engine/engine/feeds/client.py", line 300, in list_feeds
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] raise Exception(
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] Exception: Feed list operation failed. Msg: b'server error: Could not find a suitable TLS CA certificate bundle, invalid path: etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'.
[service:policy-engine] 2021-06-14 18:21:51+0000 [-] [Thread-9] [anchore_engine.services.policy_engine/handle_feed_sync()] [INFO] Feed sync task executor complete
What docker images are you using:
FROM anchore/anchore-engine-dev:latest
How to reproduce the issue:
Anything else we need to know:
@chevy67327 looks like the system is trying to find certs in etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
That does not seem like a valid path (missing / at the beginning). Can you check whether it's valid and contains the certs?
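
The check requested in the reply above (is the bundle path valid, and does it contain certificates), written as a script. This is an added example, not code from the anchore-engine project; it assumes the bundle path reaches the TLS client through one of the listed environment variables, and `check_ca_bundle` and `check_environment` are hypothetical names.

```python
import os
import re
import ssl

# Environment variables that commonly carry a CA bundle path (requests reads the
# first two; OpenSSL-based clients read SSL_CERT_FILE). Assumed source of the path.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def check_ca_bundle(path, cwd=None):
    """Return (status, detail) for a CA bundle path as a TLS client would see it."""
    cwd = cwd or os.getcwd()
    if not path:
        return ("unset", "no path configured")
    if not os.path.isabs(path):
        # The case in this issue: a path without the leading "/" only
        # resolves if the process happens to run with cwd="/".
        resolved = os.path.join(cwd, path)
        hint = "exists from this cwd" if os.path.exists(resolved) else "does not exist"
        return ("relative", f"{path!r} resolves to {resolved!r}, which {hint}")
    if not os.path.isfile(path):
        return ("missing", f"{path!r} is not a file")
    with open(path, "r", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    valid = 0
    for block in blocks:
        try:
            ssl.PEM_cert_to_DER_cert(block)  # checks PEM framing and base64 only
            valid += 1
        except ValueError:
            pass
    if valid == 0:
        return ("empty", f"{path!r} contains no PEM certificate blocks")
    return ("ok", f"{path!r} contains {valid} PEM certificate block(s)")


def check_environment(env=os.environ):
    """Run check_ca_bundle over every CA-bundle variable that is set."""
    return {name: check_ca_bundle(env[name]) for name in CA_ENV_VARS if name in env}


if __name__ == "__main__":
    for name, (status, detail) in check_environment().items():
        print(f"{name}: {status}: {detail}")
```

Run it inside the container as the service user; an `ok` result only confirms PEM structure, so confirming that the proxy's root CA is among the blocks is a separate step.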