Troubleshooting a certificate problem inside a container [curl (60)]


Background: running curl inside a container against an https URL produced the following error.


curl: (60) The certificate issuer's certificate has expired.  Check your system date and time.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

On the face of it this is a certificate expiry, yet the same request from the physical host succeeds. Taken together with an https certificate failure seen earlier, this pointed at something on our own server rather than at the remote site.

curl checks the server's certificate chain against the local CA bundle, so when a root in that bundle has expired, verification fails even though the server's own certificate is valid; that also explains why the host, with its own up-to-date bundle, succeeds. The suspicion therefore fell on the container's CA certificates, and the plan was to refresh them with:

yum install ca-certificates  
update-ca-trust extract

Because installing openssl on the server failed, the bundle /etc/pki/tls/certs/ca-bundle.crt was copied out and checked locally with openssl x509 -enddate -noout -in test.crt, which confirmed that the CA certificate had indeed expired. One caveat: openssl x509 reads only the first certificate in a file, so on a bundle this shows the expiry of the first CA alone; to find every expired root, split the bundle and check each certificate separately.


Alternatives considered: ① switch to a newer base image to get updated CA certificates; ② have the program trust the server unconditionally. Option ② means InsecureSkipVerify, which disables certificate verification entirely: the client then accepts any certificate, including one presented by a man-in-the-middle, so it is a stopgap rather than a fix. Option ① (or simply updating ca-certificates in the image) keeps verification on.


package main

import (
   "crypto/tls"
   "net"
   "net/http"
   "time"

   "github.com/spf13/viper"
)

// newInsecureClient is option ②: InsecureSkipVerify: true switches off certificate
// verification, so this client accepts any certificate, including one from a
// man-in-the-middle. timeout is in milliseconds; note that IdleConnTimeout multiplies
// it by time.Second while the other fields use time.Millisecond, as in the original.
func newInsecureClient(timeout int64) *http.Client {
   return &http.Client{
      Transport: &http.Transport{
         TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
         DialContext: (&net.Dialer{
            Timeout:   time.Duration(timeout) * time.Millisecond,
            KeepAlive: time.Duration(viper.GetInt64("dsp.http.clients.keepalive")) * time.Second,
         }).DialContext,
         MaxIdleConns:        viper.GetInt("dsp.http.clients.maxIdleConns"),
         MaxIdleConnsPerHost: viper.GetInt("dsp.http.clients.maxIdleConnsPerHost"),
         IdleConnTimeout:     time.Duration(timeout) * time.Second,
         TLSHandshakeTimeout: time.Duration(timeout) * time.Millisecond,
      },
      Timeout: time.Duration(timeout) * time.Millisecond,
   }
}
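The following is an added example, not code from the original post or from the author's project. It covers two points above: the openssl check on the bundle (which only reads the first certificate) and the InsecureSkipVerify workaround. AuditBundle walks every certificate in a PEM bundle and reports which CAs are outside their validity window, and NewVerifyingClient builds an http.Client that keeps verification on with an explicit RootCAs pool instead of skipping it. makeCA, AuditBundle, NewVerifyingClient and VerifiesWithRoots are names chosen for this example; the two self-signed roots are constructed test input. Run it with a path argument (for example /etc/pki/tls/certs/ca-bundle.crt) to audit a real bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"os"
	"time"
)

var serial int64 // distinct serial number per constructed certificate

// makeCA builds a self-signed CA certificate (PEM) valid between notBefore and notAfter.
// It exists only to construct test input for this example; in a container you would
// read the real bundle, e.g. /etc/pki/tls/certs/ca-bundle.crt.
func makeCA(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// AuditBundle walks every CERTIFICATE block in a PEM bundle and splits the CAs into
// those valid at now and those outside their validity window. openssl x509 -enddate
// on a bundle reports only the first certificate, so a per-certificate walk is what
// actually shows which root expired. Only the valid CAs go into the returned pool.
func AuditBundle(bundle []byte, now time.Time) (valid, expired []string, pool *x509.CertPool) {
	pool = x509.NewCertPool()
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // skip undecodable entries rather than abort the audit
		}
		name := cert.Subject.CommonName
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			expired = append(expired, name)
			continue
		}
		valid = append(valid, name)
		pool.AddCert(cert)
	}
}

// NewVerifyingClient keeps certificate verification on and pins the trust anchors to
// the audited pool: the replacement for InsecureSkipVerify: true.
func NewVerifyingClient(roots *x509.CertPool, timeout time.Duration) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig:     &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
			DialContext:         (&net.Dialer{Timeout: timeout}).DialContext,
			TLSHandshakeTimeout: timeout,
		},
		Timeout: timeout,
	}
}

// VerifiesWithRoots reports whether a client verifies certificates against an explicit pool.
func VerifiesWithRoots(c *http.Client) bool {
	t, ok := c.Transport.(*http.Transport)
	return ok && t.TLSClientConfig != nil && !t.TLSClientConfig.InsecureSkipVerify && t.TLSClientConfig.RootCAs != nil
}

func main() {
	now := time.Now()
	// Constructed bundle: one root that expired a year ago, one still valid for a year.
	bundle := append(
		makeCA("Expired Root", now.Add(-2*365*24*time.Hour), now.Add(-365*24*time.Hour)),
		makeCA("Valid Root", now.Add(-24*time.Hour), now.Add(365*24*time.Hour))...,
	)
	if len(os.Args) > 1 { // audit a real bundle instead, e.g. /etc/pki/tls/certs/ca-bundle.crt
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		bundle = b
	}
	valid, expired, pool := AuditBundle(bundle, now)
	fmt.Println("valid CAs:  ", valid)
	fmt.Println("expired CAs:", expired)
	fmt.Println("client verifies with explicit roots:", VerifiesWithRoots(NewVerifyingClient(pool, 5*time.Second)))
}
```

On the real bundle the expired entry AuditBundle names is the one to replace by updating ca-certificates; dropping it from the pool only shows which trust anchor was the cause, it does not by itself restore trust in servers that chain to a newer cross-signed root.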

Fixing the container's yum source.

1. First make a backup, so you can switch back if the update fails

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

When there are several repo files, back them up into a directory (mv needs a directory as its target when given more than one source file):

mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/CentOS* /etc/yum.repos.d/backup/

2. Go into the yum repo configuration directory

cd /etc/yum.repos.d/

3. Download the new repo file for your CentOS version

CentOS 7 as the example:

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo 

The repo file is fetched over plain http here; an https download inside this container would fail for the same reason the original curl did, since wget uses the same CA bundle. The trade-off is that the repo definition itself arrives unauthenticated, so before installing anything check that the downloaded file sets gpgcheck=1 with a gpgkey, which keeps package signatures verified.

4. yum makecache builds the metadata cache, which makes the newly downloaded CentOS-Base.repo take effect.

During the refresh one aliyun mirror may report a timeout; yum then tries the other Ali mirrors and finally falls back to the repo shipped in the base image, updating only part of the metadata, because the base image's repos are outdated.

5. Run the yum refresh commands

yum clean all
yum makecache

Then update ca-certificates with yum (the yum install ca-certificates and update-ca-trust extract commands above).

After the CA certificates are updated, re-issue the request: the problem is resolved.