[BUG] failed to verify certificate when patch image

Open y4ney opened this issue 1 year ago • 0 comments

Version of copa

v0.2.0-17-g4d03dd1

Expected Behavior

fix the os vuln in image successfully

Actual Behavior

failed to patch image because copa can't request registry

Steps To Reproduce

  1. On an Ubuntu 22.04 x86_64 environment, with Docker version 23.0.6:
$ lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04 LTS
Release:	22.04
Codename:	jammy
$ docker version

Client: Docker Engine - Community
 Version:           23.0.6
 API version:       1.42
 Go version:        go1.19.9
 Git commit:        ef23cbc
 Built:             Fri May  5 21:18:13 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.6
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.9
  Git commit:       9dbdbd4
  Built:            Fri May  5 21:18:13 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
  2. I have set the insecure registry like this, so I can pull the image from the registry successfully:
$ cat /etc/docker/daemon.json

{
   "insecure-registries":["https://192.168.1.94","192.168.1.94:443"]
}
  3. Run copa patch -i 192.168.1.94:443/deploy/my_image:v1.1 -r my_image_v1.1.json -t v1.1-patched --debug to patch the image
  4. See error: failed to verify certificate
DEBU[0000] updates to apply: &{alpine 3.17.0 amd64 [{libcom_err 1.46.6-r0} {libcrypto3 3.0.7-r2} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r1} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r0} {libcrypto3 3.0.8-r2} {libcrypto3 3.0.8-r3} {libcrypto3 3.0.8-r4} {libssl3 3.0.7-r2} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r1} {libssl3 3.0.8-r0} {libssl3 3.0.8-r0} {libssl3 3.0.8-r2} {libssl3 3.0.8-r3} {libssl3 3.0.8-r4}]}
DEBU[0000] resolving                                     host="192.168.1.94:443"
DEBU[0000] do request                                    host="192.168.1.94:443" request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=buildkit/0.0.0+unknown request.method=HEAD url="https://192.168.1.94:443/v2/deploy/my_image/manifests/v1.1"
INFO[0000] trying next host                              error="failed to do request: Head \"https://192.168.1.94:443/v2/deploy/my_image/manifests/v1.1\": tls: failed to verify certificate: x509: certificate signed by unknown authority" host="192.168.1.94:443"
WARN[0000] --debug specified, working folder at /tmp/copa-3163234201 needs to be manually cleaned up
Error: failed to do request: Head "https://192.168.1.94:443/v2/deploy/my_image/manifests/v1.1": tls: failed to verify certificate: x509: certificate signed by unknown authority

y4ney • May 15 '23 02:05
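
The "x509: certificate signed by unknown authority" text in the log above is the error Go's TLS client returns when the server certificate's issuer is not in the client's trust store. The following is an added Go example, not copa or BuildKit code: it sends the same HEAD request to a constructed local HTTPS stub, first with a root pool that lacks the stub's certificate and then with it added, leaving verification enabled in both cases. The stub server, the helper names and the use of the stub's own certificate in place of a real registry CA are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// headManifest sends the HEAD request from the debug log, trusting only roots.
func headManifest(baseURL string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	defer client.CloseIdleConnections()
	resp, err := client.Head(baseURL + "/v2/deploy/my_image/manifests/v1.1")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is x509's "unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// checkTrust runs the request against a constructed local HTTPS stub, first
// with a trust store lacking the stub's certificate, then with it added.
func checkTrust() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()

	withoutCA = headManifest(srv.URL, x509.NewCertPool()) // empty pool: issuer unknown
	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate()) // stands in for the registry's CA certificate
	withCA = headManifest(srv.URL, trusted)
	return withoutCA, withCA
}

func main() {
	withoutCA, withCA := checkTrust()
	fmt.Println("without CA:", withoutCA, "| unknown authority:", isUnknownAuthority(withoutCA))
	fmt.Println("with CA:   ", withCA)
}
```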