我们的服务器通过代理访问互联网。当我尝试运行诸如
之类的拉取命令时sudo docker run -t -i ubuntu:14.04 /bin/bash
我收到以下错误:
Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse
certificate from server: x509: negative serial number
wget命令wget -S -d -O - https://get.docker.io
产生以下输出:
将--output-document(outputdocument)设置为 - 创建DEBUG输出 通过linux-gnu上的Wget 1.13.4。
URI encoding =
UTF-8' URI encoding =
UTF-8' --2014-08-27 17:13:46-- https://get.docker.io/连接到:...连接。创建套接字3.释放 0x00000000016829f0(新引用计数0)。删除未使用的 0x00000000016829f0。---请求开始--- CONNECT get.docker.io:443 HTTP / 1.1 User-Agent:Wget / 1.13.4(linux-gnu)代理授权:基本 Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ ==
---请求结束---代理回复:[HTTP / 1.1 200建立连接日期:2014年8月27日星期三11:49:52 GMT年龄:0 Via:1.0 xaahshshhds
]启动SSL握手。握手成功;连接插座3 到SSL处理0x00000000016831c0证书:subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 发行人: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany 错误:无法验证发出的get.docker.io证书
/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany': Unable to locally verify the issuer's authority. To connect to get.docker.io insecurely, use
- 不检查证书”。关闭3 / SSL 0x00000000016831c0
请告诉我如何解决这个问题。
修改
我现在已禁用此IP段的代理但我仍然遇到相同的错误。
命令:wget -S -d -O - https://get.docker.io
现在得到以下输出:
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-09-04 11:26:12-- https://get.docker.io/
Resolving get.docker.io (get.docker.io)... 162.242.195.77
Caching get.docker.io => 162.242.195.77
Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
Created socket 3.
Releasing 0x00000000022d8fd0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
certificate:
subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
X509 certificate successfully verified and matches host get.docker.io
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: get.docker.io
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 503 Service Unavailable
Server: nginx/1.7.1
Date: Thu, 04 Sep 2014 06:03:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
---response end---
HTTP/1.1 503 Service Unavailable
Server: nginx/1.7.1
Date: Thu, 04 Sep 2014 06:03:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Registered socket 3 for persistent reuse.
Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
] done.
2014-09-04 11:26:13 ERROR 503: Service Unavailable.
答案 0 :(得分:2)
subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
您的公司中的代理看起来像是使用SSL拦截来检查SSL流量,这意味着您获得了由公司的代理CA签署的证书,而不是原始证书。看起来您的系统不信任此代理CA,因此验证失败。
我建议您与防火墙管理员联系,了解如何处理问题。他们会为SSL检查添加例外,或者他们会告诉您需要在系统中导入哪个证书作为信任。
答案 1 :(得分:0)
对于使用Go 1.6+编译的任何Docker,都应该修复此问题,请参阅:https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f。