【发布时间】:2020-07-27 17:18:27
【问题描述】:
我正在尝试构建一些最小的容器映像(基于 systemd-container 中的portablectl,它基本上使用 chroot 进行容器化)。我遇到了一些程序无法发出 HTTPS 请求的问题。演示的最简单示例是 curl,我想修复 curl 将修复其他应用程序。断开连接似乎与 curl 查找根证书或 CA 捆绑包有关。
以下命令:
sudo chroot /etc/portables/network /usr/bin/curl -Huser-agent:example/1.0 https://www.google.com/search?q=foo
...结果:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
使用 Ubuntu 的打包工具将 curl 二进制文件“安装”到 chroot,并且我已将 Ubuntu 根证书从主机环境中的 /etc/ssl/certs/ca-certificates.crt 复制到 chroot。
这本质上是我运行以将 curl 和其他一些网络相关工具(和 lib 依赖项)安装到 chroot:
apt-get -y install --reinstall \
bind9-host ca-certificates curl dnsutils \
iputils-ping \
libasn1-8-heimdal \
libbind9-161 libbsd0 libc6 libcap2 libcom-err2 libdns1104 libffi6 \
libgcc1 \
libgcrypt20 libgmp10 libgnutls30 libgpg-error0 \
libgssapi-krb5-2 libgssapi3-heimdal \
libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal \
libhogweed4 libhx509-5-heimdal \
libicu63 libidn2-0 \
libirs161 \
libisc1100 libisccfg163 \
libjson-c4 libkeyutils1 libk5crypto3 libkrb5-3 libkrb5-26-heimdal \
libkrb5support0 \
libldap-2.4-2 libldap-common liblwres161 liblzma5 libnettle6 \
libnghttp2-14 libp11-kit0 \
libpsl5 libroken18-heimdal librtmp1 \
libsasl2-2 libsqlite3-0 libssh-4 libssl1.1 \
libstdc++6 \
libtasn1-6 libunistring2 libwind0-heimdal libxml2 \
netcat-openbsd zlib1g
echo nameserver 127.0.0.53 >> /etc/resolv.conf
echo options edns0 >> /etc/resolv.conf
使用 curl -k 选项按预期工作;它会忽略证书错误配置并成功发出 HTTPS 请求。
另外,如果我明确设置--cafile /etc/ssl/certs/ca-certificates.crt,它工作正常。
但如果我运行curl -v,我会看到以下内容:
* Trying 2607:f8b0:4007:80c::2004:443...
* TCP_NODELAY set
* Connected to www.google.com (2607:f8b0:4007:80c::2004) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
所以你可以看到它有 CApath /etc/ssl/certs,但是一个空的 CAfile。
【问题讨论】:
-
难道 curl 对 /etc/ssl/certs 有执行权限但没有读取权限,这意味着它能够打开文件夹中的文件,但无法读取文件夹本身?如果你运行
sudo chroot /etc/portables/network /usr/bin/ls /etc/ssl/certs,你会得到什么?