
Secure Connection

Open alatdev opened this issue 7 years ago • 8 comments

Hi,

I can't use check_docker with my secure docker daemon. I need to use client certificates, but where do I have to store them? Are there any command line arguments or environment variables?

./check_docker --secure-connection host:port --health
Traceback (most recent call last):
  File "/usr/lib64/python3.4/urllib/request.py", line 1183, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib64/python3.4/http/client.py", line 1137, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python3.4/http/client.py", line 1182, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python3.4/http/client.py", line 1133, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python3.4/http/client.py", line 963, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.4/http/client.py", line 898, in send
    self.connect()
  File "/usr/lib64/python3.4/http/client.py", line 1287, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.4/ssl.py", line 362, in wrap_socket
    _context=self)
  File "/usr/lib64/python3.4/ssl.py", line 580, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.4/ssl.py", line 807, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./check_docker", line 762, in perform_checks
    containers = get_containers(args.containers, args.present)
  File "./check_docker", line 256, in get_containers
    containers_list, _ = get_url(daemon + '/containers/json?all=1')
  File "/usr/lib64/python3.4/functools.py", line 472, in wrapper
    result = user_function(*args, **kwds)
  File "./check_docker", line 204, in get_url
    response = better_urllib_get.open(url, timeout=timeout)
  File "/usr/lib64/python3.4/urllib/request.py", line 464, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.4/urllib/request.py", line 482, in _open
    '_open', req)
  File "/usr/lib64/python3.4/urllib/request.py", line 442, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.4/urllib/request.py", line 1226, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python3.4/urllib/request.py", line 1185, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)>
UNKNOWN: Exception raised during check': URLError(SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:600)'),)

alatdev, Apr 09 '18 14:04

I suspect the issue is with your system-level certificate store. Python uses OpenSSL, which is generally installed and configured by your OS vendor. Could you try installing the remote server's cert in your cert store? Googling 'commandline add certificate to ' usually is helpful.

Sorry, my week is packed so it may be a few days before I can write anything more detailed.

timdaman, Apr 09 '18 17:04

Adding the private CA cert to the system store could/should help resolve the Docker (server) cert, but I think he's running into what I was looking for also -- a way to supply a client cert/key pair for authentication. There is some info at the end of this page: https://docs.docker.com/engine/security/https/#other-modes

But basically supplying the equivalent of:

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=<some-host>:2376 <some-command>...

or the curl use of the API:

curl https://<some-host>:2376/images/json --cert ~/.docker/cert.pem --key ~/.docker/key.pem --cacert ~/.docker/ca.pem

Basically for Docker daemons that require server and client verification. Not sure if this command would use client certs from some keyring or something?

I read you're busy.. no rush, just curious also :)

Codelica, Apr 10 '18 16:04
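The distinction Codelica draws is the useful one: a daemon started with --tlsverify checks the client's certificate, so the client must present one, and the trust store only covers the other direction (the client checking the daemon). The following is an added example of how a Python tool built on urllib, like check_docker, can do both; it is not check_docker's own code and not the change from pull request #44. The option names --tlscacert/--tlscert/--tlskey mirror the docker CLI flags quoted above and are an assumption, as are the host name and file paths. The error text matters for diagnosis: CERTIFICATE_VERIFY_FAILED is raised locally when our side does not trust the daemon's certificate, whereas SSLV3_ALERT_BAD_CERTIFICATE, as in the report, is an alert received from the daemon, meaning it refused what the client presented (or the client presented nothing).

```python
"""Mutual-TLS access to a Docker daemon API from urllib (added example).

Not check_docker's code. --tlscacert/--tlscert/--tlskey are hypothetical
option names modelled on the docker CLI flags quoted in the thread.
"""
import argparse
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional


def parse_tls_args(argv):
    """Parse the hypothetical TLS options; cert and key must come together."""
    parser = argparse.ArgumentParser(description="mutual-TLS Docker API probe")
    parser.add_argument("--host", required=True, help="daemon host:port, e.g. docker.example:2376")
    parser.add_argument("--tlscacert", help="CA that signed the daemon's server certificate")
    parser.add_argument("--tlscert", help="client certificate to present to the daemon")
    parser.add_argument("--tlskey", help="private key matching --tlscert")
    args = parser.parse_args(argv)
    if bool(args.tlscert) != bool(args.tlskey):
        parser.error("--tlscert and --tlskey must be given together")
    return args


def build_tls_context(cacert: Optional[str] = None,
                      cert: Optional[str] = None,
                      key: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the daemon and, when given, presents a client cert."""
    # Server verification stays on whatever the options: the daemon's cert must
    # chain to a trusted CA (the private one via cacert, otherwise the OS store)
    # and match the host name, so API traffic cannot be intercepted silently.
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert:
        # A --tlsverify daemon demands a client certificate; this is the step
        # the reported traceback never reached because nothing was loaded.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings a reviewer would want to confirm."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def explain_ssl_error(exc: Exception) -> str:
    """Tell the two failure directions apart from the OpenSSL error text."""
    text = str(exc)
    if "CERTIFICATE_VERIFY_FAILED" in text:
        # Raised on our side: we refused the daemon's certificate (trust store / CA).
        return "this client does not trust the daemon's server certificate; supply the private CA with --tlscacert"
    if "BAD_CERTIFICATE" in text:
        # Alert received from the peer: the daemon refused what we presented.
        return "the daemon rejected the client certificate (or none was sent); supply --tlscert/--tlskey"
    return "unrecognised TLS failure: " + text


def get_json(host: str, path: str, ctx: ssl.SSLContext, timeout: float = 10.0):
    """GET an API path over HTTPS using the prepared context."""
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open("https://%s%s" % (host, path), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    opts = parse_tls_args(sys.argv[1:])
    tls = build_tls_context(opts.tlscacert, opts.tlscert, opts.tlskey)
    try:
        print(json.dumps(get_json(opts.host, "/containers/json?all=1", tls), indent=2))
    except urllib.error.URLError as err:
        # Nagios plugin convention: exit status 3 is UNKNOWN.
        print("UNKNOWN: " + explain_ssl_error(err.reason))
        sys.exit(3)
```

Run as `python probe.py --host docker.example:2376 --tlscacert ca.pem --tlscert cert.pem --tlskey key.pem` (hypothetical names); the key file should be readable only by the monitoring user, since it is a credential that grants full API access to the daemon.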

Sorry, when I initially read I hadn't caught onto the client cert detail. I will see if there is a sensible way of doing that.

timdaman, Apr 20 '18 02:04

Hi, I integrated TLS certificate files for the secure Docker daemon socket in pull request #44.

osfrance, Jul 04 '18 08:07

If you are interested, I changed the script check_swarm.py to integrate TLS certificate files as well; see pull request #44.

osfrance, Jul 04 '18 09:07

@osfrance works in my environment.

alatdev, Oct 22 '18 12:10

I ran into the same problem. Is anyone able to help?

Docjones, Feb 06 '19 08:02

I was also facing a similar issue: when I use curl with the certs it works, but through the script I get the same error. I suspect the certs are not being read properly when the HTTPS request is made.

Nagaraj4775, May 09 '20 14:05