protonvpn-docker
[BUG] - refresh ca certificates
Version of protonvpn-docker
5.0.1
Details about Feature/Enhancement
As I keep seeing this error message: `[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)`, I had to run `update-ca-certificates --fresh` in the container to stop the script from re-connecting after every `/usr/bin/healthcheck` run.
Original trace:
2021-10-07 16:29:26+00:00 [INFO ] PROTONVPN_CHECK_INTERVAL is set to #180
2021-10-07 16:29:26+00:00 [INFO ] Reconnect threshold is #3
2021-10-07 16:29:26+00:00 [INFO ] Checking orphaned openvpn process
2021-10-07 16:29:26+00:00 [INFO ] This appears to be a fresh start!
2021-10-07 16:29:26+00:00 [NOTICE] Connecting to server: NL#1
Connecting to NL#1 via UDP...
Connected!
Traceback (most recent call last):
File "/usr/lib/python3.8/urllib/request.py", line 1354, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/usr/lib/python3.8/http/client.py", line 1252, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1298, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1247, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1007, in _send_output
self.send(msg)
File "/usr/lib/python3.8/http/client.py", line 947, in send
self.connect()
File "/usr/lib/python3.8/http/client.py", line 1421, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/healthcheck", line 59, in <module>
with urllib.request.urlopen(ip_resp_request) as ip_response:
File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python3.8/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
result = func(*args)
File "/usr/lib/python3.8/urllib/request.py", line 1397, in https_open
return self.do_open(http.client.HTTPSConnection, req,
File "/usr/lib/python3.8/urllib/request.py", line 1357, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
2021-10-07 16:29:33+00:00 [ERROR ] Healthcheck #1 Failed!
2021-10-07 16:29:33+00:00 [ERROR ] Connected to # instead of #
current log:
2021-10-07 16:29:33+00:00 [ERROR ] Healthcheck #1 Failed!
2021-10-07 16:29:33+00:00 [ERROR ] Connected to # instead of #
2021-10-07 16:32:34+00:00 [OK ] VPN is running and healthy
2021-10-07 16:35:34+00:00 [OK ] VPN is running and healthy
Code of Conduct & PII Redaction
- [X] I agree to follow this project's Code of Conduct
- [X] I have removed any sensitive personally identifying information (PII) and secrets from this issue report.
Can you please provide output of curl -vvvv "$PROTONVPN_IPCHECK_ENDPOINT"
root@86e818bd2c88:/# curl -vvvv $PROTONVPN_IPCHECK_ENDPOINT
* Trying 104.21.40.132:443...
* TCP_NODELAY set
* Connected to ip.prasadt.workers.dev (104.21.40.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: May 22 00:00:00 2021 GMT
* expire date: May 21 23:59:59 2022 GMT
* subjectAltName: host "ip.prasadt.workers.dev" matched cert's "*.prasadt.workers.dev"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1d16948)
> GET / HTTP/2
> Host: ip.prasadt.workers.dev
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Fri, 08 Oct 2021 17:04:41 GMT
< content-type: text/plain;charset=UTF-8
< content-length: 12
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z4oLUqVCG%2BzIq8CIVPadgb8c6mCRgUZKxtMUz8tyk7rt2pFVW48K814Tr8loj%2Bo8Vw4ITjtsM%2FUuYQjfaUXUgNTsOighuAbvyiT7LO36Za85T71j%2FIoKdrfVodDEOj%2F9qxjVSj%2BpyKYv"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 69b0f3207b8a0132-AMS
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* Connection #0 to host ip.prasadt.workers.dev left intact
While manually running `/usr/bin/healthcheck` right away I still get:
62.112.9.166root@86e818bd2c88:/# /usr/bin/healthcheck
Traceback (most recent call last):
File "/usr/lib/python3.8/urllib/request.py", line 1354, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/usr/lib/python3.8/http/client.py", line 1252, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1298, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1247, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1007, in _send_output
self.send(msg)
File "/usr/lib/python3.8/http/client.py", line 947, in send
self.connect()
File "/usr/lib/python3.8/http/client.py", line 1421, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/healthcheck", line 59, in <module>
with urllib.request.urlopen(ip_resp_request) as ip_response:
File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python3.8/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
result = func(*args)
File "/usr/lib/python3.8/urllib/request.py", line 1397, in https_open
return self.do_open(http.client.HTTPSConnection, req,
File "/usr/lib/python3.8/urllib/request.py", line 1357, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
After running `update-ca-certificates` and `protonvpn c --cc=NL`, healthcheck returns "nothing" and `curl -vvvv ....` returns this, which seems to me to be the same response (so curl is not affected?):
root@86e818bd2c88:/# curl -vvvv $PROTONVPN_IPCHECK_ENDPOINT
* Trying 104.21.40.132:443...
* TCP_NODELAY set
* Connected to ip.prasadt.workers.dev (104.21.40.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: May 22 00:00:00 2021 GMT
* expire date: May 21 23:59:59 2022 GMT
* subjectAltName: host "ip.prasadt.workers.dev" matched cert's "*.prasadt.workers.dev"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xf69948)
> GET / HTTP/2
> Host: ip.prasadt.workers.dev
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Fri, 08 Oct 2021 17:13:03 GMT
< content-type: text/plain;charset=UTF-8
< content-length: 12
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3wcbrKtyU3ZOoq0tEovpHQSbOAAIUr9T9%2B16gpxjOY86xAcbGpBGgf36cpbdWYXHWXNk%2BwrqlJ%2FJkn7sdPVxkwlUyHpX2JXWGCst1vkgYWFgn6tOxwMrf1YGuy9IoleozVwlkI2N%2ByK%2B"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 69b0ff61e8624ec7-FRA
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* Connection #0 to host ip.prasadt.workers.dev left intact
Can you try with the 5.0.2-beta.1 release and let me know if it solves the problem?
Hi. Still seeing this:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 70-vpn-setup: executing...
2021-10-17 20:57:35+00:00 [OK ] OK! Check URL is secure
2021-10-17 20:57:36+00:00 [OK ] Healthcheck endpoint returned 200
2021-10-17 20:57:36+00:00 [NOTICE] Basic Plan
2021-10-17 20:57:36+00:00 [NOTICE] Protocol: UDP
2021-10-17 20:57:36+00:00 [NOTICE] Connecting to server: NL#1
2021-10-17 20:57:36+00:00 [INFO ] Validating CIDRs
2021-10-17 20:57:36+00:00 [INFO ] CIDR 10.0.0.0/24 is valid
2021-10-17 20:57:36+00:00 [INFO ] Enabling DNS leak protection.
2021-10-17 20:57:36+00:00 [NOTICE] Following CIDRs will be excluded from VPN 10.0.0.0/24
2021-10-17 20:57:36+00:00 [INFO ] Creating folders
2021-10-17 20:57:36+00:00 [INFO ] Set file permissions
2021-10-17 20:57:36+00:00 [INFO ] Prefetch server list
2021-10-17 20:57:38+00:00 [INFO ] Generating config file
2021-10-17 20:57:38+00:00 [INFO ] Generate split-tunnel config file
2021-10-17 20:57:38+00:00 [INFO ] Writing credentials file
2021-10-17 20:57:38+00:00 [INFO ] Restrict credentials file
[cont-init.d] 70-vpn-setup: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2021-10-17 20:57:38+00:00 [INFO ] PROTONVPN_CHECK_INTERVAL is set to #180
2021-10-17 20:57:38+00:00 [INFO ] Reconnect threshold is #3
2021-10-17 20:57:38+00:00 [INFO ] Checking orphaned openvpn process
2021-10-17 20:57:38+00:00 [INFO ] This appears to be a fresh start!
2021-10-17 20:57:38+00:00 [NOTICE] Connecting to server: NL#1
Connecting to NL#1 via UDP...
Connected!
Traceback (most recent call last):
File "/usr/lib/python3.8/urllib/request.py", line 1354, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/usr/lib/python3.8/http/client.py", line 1252, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1298, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1247, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib/python3.8/http/client.py", line 1007, in _send_output
self.send(msg)
File "/usr/lib/python3.8/http/client.py", line 947, in send
self.connect()
File "/usr/lib/python3.8/http/client.py", line 1421, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/healthcheck", line 64, in <module>
with urllib.request.urlopen(ip_resp_request) as ip_response:
File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python3.8/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
result = func(*args)
File "/usr/lib/python3.8/urllib/request.py", line 1397, in https_open
return self.do_open(http.client.HTTPSConnection, req,
File "/usr/lib/python3.8/urllib/request.py", line 1357, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
2021-10-17 20:57:42+00:00 [ERROR ] Healthcheck #1 Failed!
I can't reproduce this issue. Can you please provide more details like Docker version, Docker runtime, host architecture, host OS, and whether you are running this on a NAS? In the meantime, override the entrypoint script with:
```bash
#!/usr/bin/bash
set -eo pipefail
# Rebuild /etc/ssl/certs (bundle and hashed symlinks) before the normal init runs
update-ca-certificates --fresh
init
```
Hello. I've run into this exact problem and found a fix on stackoverflow.
SOLUTION:
Basically, adding `--env SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt` fixes the issue.
If you're using docker-compose, then add `SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt` to protonvpn's environment.
Thank you for your work.
I'm using the latest release from github. Docker version 20.10.5+dfsg1, build 55c4c88, Docker Compose version v2.1.1 on Linux raspberrypi 5.10.63-v7+ #1459 SMP Wed Oct 6 16:41:10 BST 2021 armv7l GNU/Linux
10x. Checking. BTW, I always had this, which worked with `docker-compose up` but not on system reboot, when the services were started automatically by the Docker daemon:
`SSL_CERT_DIR: /etc/ssl/certs`
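The thread's symptom is that curl verifies the endpoint against `/etc/ssl/certs/ca-certificates.crt` while urllib in `/usr/bin/healthcheck` cannot build the chain, and the fixes all change where OpenSSL looks (`update-ca-certificates --fresh`, `SSL_CERT_FILE`, `SSL_CERT_DIR`). The following diagnostic, added here and not part of protonvpn-docker or the healthcheck script, shows the locations Python's OpenSSL will actually consult, whether they resolve, and how many trust anchors the default context loads compared with the bundle curl used; it assumes it runs with the container's own Python, and `CURL_CAFILE` is taken from the "CAfile:" line in the curl output above.

```python
import os
import ssl
from typing import Optional

# Path curl printed under "successfully set certificate verify locations" above.
CURL_CAFILE = "/etc/ssl/certs/ca-certificates.crt"


def describe_verify_paths() -> dict:
    """Report OpenSSL's trust-anchor locations and whether they resolve.

    cafile/capath come back as None when the resolved location is missing,
    which is the state behind "unable to get local issuer certificate".
    The *_env names are the variables (SSL_CERT_FILE / SSL_CERT_DIR) that
    override the compiled-in defaults; setting them is the fix in this thread.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,
        "cafile_env_value": os.environ.get(p.openssl_cafile_env),
        "compiled_in_cafile": p.openssl_cafile,
        "capath_env": p.openssl_capath_env,
        "capath_env_value": os.environ.get(p.openssl_capath_env),
        "compiled_in_capath": p.openssl_capath,
        "curl_cafile_exists": os.path.isfile(CURL_CAFILE),
    }


def count_trust_anchors(cafile: Optional[str] = None) -> int:
    """Build a verifying context the way urllib does and count loaded CA certs.

    Without cafile this mirrors ssl.create_default_context() (system defaults);
    with it, only that bundle is loaded. 0 means every HTTPS request fails.
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except (ssl.SSLError, OSError):  # missing, unreadable or empty bundle
        return 0
    return ctx.cert_store_stats()["x509_ca"]


def diagnose() -> dict:
    """Compare Python's default trust store with the bundle curl verified against."""
    info = describe_verify_paths()
    info["default_ca_count"] = count_trust_anchors()
    info["curl_bundle_ca_count"] = count_trust_anchors(CURL_CAFILE) if info["curl_cafile_exists"] else 0
    # True reproduces the report's symptom: curl verifies OK, urllib cannot.
    info["python_trusts_fewer_than_curl"] = info["default_ca_count"] < info["curl_bundle_ca_count"]
    return info


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key:>28}: {value}")
```

If `default_ca_count` is 0 while `curl_bundle_ca_count` is not, exporting `SSL_CERT_FILE` to `CURL_CAFILE` (or repopulating the compiled-in `capath` with `update-ca-certificates --fresh`) is what makes the healthcheck's `urlopen` verify again.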