Portainer edge agent does not respect custom rootca used by portainer server. And EDGE_INSECURE_POLL does not ignore the cert issue
Hi! I got a weird issue with the edge agent.
What I can see:

```
2021/08/30 07:15:41 [ERROR] [internal,edge,stack] [message: an error occured during stack management] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]
2021/08/30 07:15:41 [ERROR] [internal,edge,poll] [message: an error occured during short poll] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]
```

What I expected:
That Portainer respects the cert bundle added to /usr/local/share/ca-certificates/, as per this SO post: https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from
Or that EDGE_INSECURE_POLL would make us ignore the cert.
# Misc
Docker-compose file:

```yaml
version: '3.6'
services:
  agent:
    image: portainer_agent:latest
    hostname: portainer_agent
    container_name: portainer_agent
    environment:
      EDGE: '1'
      EDGE_ID: ${EDGE_ID:?}
      EDGE_KEY: ${EDGE_KEY:?}
      CAP_HOST_MANAGEMENT: '1'
      EDGE_INSECURE_POLL: '1'
      LOG_LEVEL: 'debug'
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
      - /:/host
      - portainer_data:/data
    restart: always
volumes:
  portainer_data:
```
Dockerfile:

```dockerfile
ARG image_tag
FROM portainer/agent:${image_tag:-alpine}
# SSL_CERT_FILE / SSL_CERT_DIR are the variables Go's crypto/x509 reads on Linux
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/
ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/
```
Did not work without the ENV settings either
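Both expectations above come down to two fields of Go's `tls.Config`: `RootCAs` (the trust anchors, which is what a bundle file pointed to by SSL_CERT_FILE feeds) and `InsecureSkipVerify` (what an "insecure poll" switch would have to flip). The program below is an added example written for this page, not Portainer's agent or server code. It issues a throwaway private root and a leaf certificate signed by it (the names example-private-root and portainer-server are made up), serves the leaf from an in-process httptest server on 127.0.0.1, and then performs the same kind of GET the agent's short poll makes three ways: with system roots only, with the private root supplied as a PEM bundle, and with verification switched off. The request path is borrowed from the log lines in the issue; all function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert makes a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newClient wires the two knobs from the issue: RootCAs (what SSL_CERT_FILE feeds) and InsecureSkipVerify (what EDGE_INSECURE_POLL was expected to flip).
func newClient(caPEM []byte, insecure bool) (*http.Client, error) {
	cfg := &tls.Config{InsecureSkipVerify: insecure}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no certificates found in CA bundle")
		}
		cfg.RootCAs = pool // replaces the system pool; start from x509.SystemCertPool() to extend it instead
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}

// poll is the transport-level equivalent of the agent's short poll: one GET with the given trust settings.
func poll(url string, caPEM []byte, insecure bool) error {
	client, err := newClient(caPEM, insecure)
	if err != nil {
		return err
	}
	resp, err := client.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// isTrustFailure reports whether err wraps the x509 error quoted in the issue's log lines.
func isTrustFailure(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

type outcome struct{ NoCA, WithCA, Insecure error }

// run serves a leaf signed by a throwaway private root from 127.0.0.1 and polls it three ways.
func run() (o outcome, err error) {
	caCert, caKey, err := issueCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-private-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil, nil)
	if err != nil {
		return o, err
	}
	leaf, leafKey, err := issueCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "portainer-server"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}, caCert, caKey)
	if err != nil {
		return o, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS() // httptest binds 127.0.0.1, which the leaf's IP SAN covers
	defer srv.Close()
	url := srv.URL + "/api/endpoints/15/edge/stacks/1" // path taken from the issue's log line
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}) // what a bundle file holds
	o.NoCA = poll(url, nil, false)     // system roots only: fails unless the root is already installed
	o.WithCA = poll(url, caPEM, false) // private root supplied explicitly: succeeds
	o.Insecure = poll(url, nil, true)  // verification disabled: succeeds, but the peer is unauthenticated
	return o, nil
}

func main() {
	fmt.Println(run()) // {NoCA WithCA Insecure} followed by the setup error
}
```

With system roots only the client fails with the same `x509: certificate signed by unknown authority` error as in the logs; supplying the root through `RootCAs` fixes it; `InsecureSkipVerify` also makes the request succeed, but then any certificate is accepted and an on-path attacker can impersonate the server, which is why it is only a diagnostic setting. Two caveats when mapping this onto the container setup: Go loads its system pool once per process, on first use, so SSL_CERT_FILE and SSL_CERT_DIR have to be in the environment when the binary starts, and `/usr/local/share/ca-certificates/` is the input directory of Debian's `update-ca-certificates`, not a location Go scans itself (on Linux it reads `/etc/ssl/certs/ca-certificates.crt` and scans `/etc/ssl/certs` and `/etc/pki/tls/certs`, among others), so the copy into `/etc/ssl/certs/ca-certificates.crt` is the one that matters.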
Hi, that might actually be solved in one of our preview versions.
Please give it a try by using the images portainerci/agent:kubernetes-edge-stacks and portainerci/portainer:pr5276 and let us know how it's working.
Note that this is a development build and should not be used in a production environment.
Hey. I have tried swapping out the Portainer server as suggested. Fixed the ports that have changed, etc., and I still get the same issue.
Running it with this command to test:

```bash
docker run -d -p 443:9443 -p 9433:9433 -p 9000:9443 -p 8000:8000 \
  --name portainer_pr --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /etc/pki/tls/private/:/keys \
  -v /etc/pki/tls/certs/:/certs \
  -v portainer_data:/data \
  portainerci/portainer:pr5276 --ssl --sslcert /certs/wild.crt --sslkey /keys/wild.key
```

The agent has also been swapped:

```dockerfile
FROM portainerci/agent:kubernetes-edge-stacks
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/
# Can't use curl etc. since it's a scratch container
ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/
```

Any more logs I should provide, for example? :)