scan-cli-plugin
Docker Scan unable to verify the first certificate (self-signed)
Description
Similarly to #168 docker scan does not work behind a corporate proxy with self-signed certificates. How can we tell docker scan which CA Roots to trust?
Steps to reproduce the issue:
$ docker scan myimage
Describe the results you received:
unable to verify the first certificate
Describe the results you expected: Since curl https:// works, I know my Linux system trusts my proxy's CA.
Additional information you deem important (e.g. issue happens only occasionally):
cp myca.pem ~/.docker/ca.pem
DOCKER_TLS_VERIFY=0 docker scan myimage
Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?
Output of docker version:
Client: Docker Engine - Community
 Version:           20.10.13
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 10 14:07:51 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Server: Docker Engine - Community
 Engine:
  Version:          20.10.13
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       906f57f
  Built:            Thu Mar 10 14:05:44 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.10
  GitCommit:        2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
Output of docker scan --version:
Version:    v0.17.0
Git commit: 061fe0a
Provider:   Snyk (1.827.0 (standalone))
Output of docker info:
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.0-docker)
  scan: Docker Scan (Docker Inc., v0.17.0)
Server:
 Containers: 6
  Running: 0
  Paused: 0
  Stopped: 6
 Images: 337
 Server Version: 20.10.13
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2a1d4dbdb2a1030dc5b01e96fb110a9d9f150ecc
 runc version: v1.0.3-0-gf46b6ba
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-96-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.33GiB
 Name: uzuf52
 ID: NYO7:4GGD:BBLX:VFCD:GRWH:YK6K:JI4Y:TOZ3:QWWB:FVSO:ZLXC:U54A
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: ***
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
On-Prem Ubuntu 20.04 AMD64
Same issue
Found a workaround (tested with Docker Desktop v4.14.1 with WSL 2 backend):
- Ubuntu (WSL2):
  export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/proxy_root_ca.pem
- Windows:
  set NODE_EXTRA_CA_CERTS=C:\Users\foobar\Certs\Proxy_Root_CA.crt
Note: The cert must have PEM format.
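The workaround above wrapped into a small POSIX shell script, as an added example that is not part of the original issue or of the scan-cli-plugin project. It rests on two facts: the Snyk provider that docker scan calls is a Node.js program, so the "unable to verify the first certificate" error is Node's TLS verification failing on the proxy's certificate, and NODE_EXTRA_CA_CERTS appends a PEM bundle to Node's built-in root store without disabling verification. The reporter's earlier attempt with DOCKER_TLS_VERIFY and ~/.docker/ca.pem addresses a different connection: those settings govern the CLI's link to the Docker daemon (which is why the CLI then tried tcp://localhost:2376), not the scanner's outbound HTTPS. The script checks that the file is PEM (the note in the comment), converts a DER file with openssl only if necessary, and runs the scan with the extra CA. The CA path /etc/ssl/certs/proxy_root_ca.pem is taken from the comment; the image name, the temp-file naming and the sample certificate text are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the scan-cli-plugin project: run docker scan behind a
# TLS-intercepting proxy by handing the proxy's root CA to the Node-based Snyk
# provider through NODE_EXTRA_CA_CERTS. Verification stays on; only the extra
# root is added. Assumed CA path: /etc/ssl/certs/proxy_root_ca.pem (from the
# workaround comment). Image name is passed by the caller.

# Print the number of PEM certificate blocks in a file (0 if none).
pem_cert_count() {
    f=$1
    [ -r "$f" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true
}

# Return 0 when the file is a well-formed PEM bundle: at least one certificate
# and every BEGIN line matched by an END line (a truncated bundle fails here).
is_pem_cert() {
    f=$1
    [ -r "$f" ] || return 1
    begins=$(pem_cert_count "$f")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Print the path of a PEM file for the given CA. A PEM input is returned
# unchanged; a DER input is converted with openssl into a temp file.
ensure_pem() {
    f=$1
    if is_pem_cert "$f"; then
        printf '%s\n' "$f"
        return 0
    fi
    command -v openssl >/dev/null 2>&1 || {
        echo "$f is not PEM and openssl is unavailable to convert it" >&2
        return 1
    }
    out="${TMPDIR:-/tmp}/proxy_root_ca.$$.pem"   # assumed temp-file name
    openssl x509 -inform DER -in "$f" -out "$out" || return 1
    printf '%s\n' "$out"
}

# Run docker scan with the proxy CA appended to Node's trust store.
scan_with_proxy_ca() {
    ca=$1
    image=$2
    pem=$(ensure_pem "$ca") || return 1
    echo "trusting $(pem_cert_count "$pem") extra CA certificate(s) from $pem" >&2
    NODE_EXTRA_CA_CERTS="$pem" docker scan "$image"
}

# Write a constructed PEM-shaped file (not a real certificate) for offline
# self-checks of the format logic, and print its path.
make_sample_pem() {
    out="${TMPDIR:-/tmp}/sample_proxy_ca.$$.pem"
    printf -- '-----BEGIN CERTIFICATE-----\n' >"$out"
    printf 'Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ0VSVA==\n' >>"$out"
    printf -- '-----END CERTIFICATE-----\n' >>"$out"
    printf '%s\n' "$out"
}

if [ $# -ge 2 ]; then
    # usage: sh scan_with_proxy_ca.sh /etc/ssl/certs/proxy_root_ca.pem myimage
    scan_with_proxy_ca "$1" "$2"
else
    # No arguments: self-check the PEM detection on the constructed sample.
    s=$(make_sample_pem)
    if is_pem_cert "$s"; then
        echo "sample $s is PEM ($(pem_cert_count "$s") certificate)"
    fi
    rm -f "$s"
fi
```

The check is deliberately a format check, not a trust decision: the file that ends up in NODE_EXTRA_CA_CERTS should be only the proxy's root (or the organisation's bundle), never a catch-all, and the environment variable keeps chain validation active, unlike settings that turn verification off.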