X509 parse error, "negative serial number" while pulling a repository

Time: 2014-08-27 12:10:53

Tags: ssl docker x509

Our servers access the internet through a proxy. When I try to run a pull command such as

sudo docker run -t -i ubuntu:14.04 /bin/bash

I get the following error:

Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse
    certificate from server: x509: negative serial number

The wget command wget -S -d -O - https://get.docker.io produces the following output:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2014-08-27 17:13:46--  https://get.docker.io/
Connecting to ... connected.
Created socket 3.
Releasing 0x00000000016829f0 (new refcount 0).
Deleting unused 0x00000000016829f0.

---request begin---
CONNECT get.docker.io:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==

---request end---
proxy responded: [HTTP/1.1 200 Connection established
Date: Wed, 27 Aug 2014 11:49:52 GMT
Age: 0
Via: 1.0 xaahshshhds

]
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
certificate:
  subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
  issuer:  /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
  Unable to locally verify the issuer's authority.
To connect to get.docker.io insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x00000000016831c0

Please tell me how to fix this.

Edit

I have now disabled the proxy for this IP range, but I still get the same error. The command wget -S -d -O - https://get.docker.io now produces the following output:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-09-04 11:26:12--  https://get.docker.io/
Resolving get.docker.io (get.docker.io)... 162.242.195.77
Caching get.docker.io => 162.242.195.77
Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
Created socket 3.
Releasing 0x00000000022d8fd0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
certificate:
  subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
  issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
X509 certificate successfully verified and matches host get.docker.io

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: get.docker.io
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 503 Service Unavailable
Server: nginx/1.7.1
Date: Thu, 04 Sep 2014 06:03:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache

---response end---

  HTTP/1.1 503 Service Unavailable
  Server: nginx/1.7.1
  Date: Thu, 04 Sep 2014 06:03:28 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Cache-Control: no-cache
Registered socket 3 for persistent reuse.
Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

] done.
2014-09-04 11:26:13 ERROR 503: Service Unavailable.

2 answers:

Answer 0 (score: 2)

subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 
issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany

The proxy in your company appears to be doing SSL interception to inspect SSL traffic, which means you are getting a certificate signed by the company's proxy CA instead of the original certificate. It looks like your system does not trust this proxy CA, so verification fails.

I suggest you contact your firewall administrators to find out how to handle the problem. Either they will add an exception for SSL inspection, or they will tell you which certificate you need to import into your system as trusted.

Answer 1 (score: 0)

For any Docker compiled with Go 1.6+, this should be fixed; see: https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f
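As an added illustration (not code from the question or either answer): the error in the question concerns the certificate's serialNumber field, which RFC 5280 requires to be a positive INTEGER, while DER encodes INTEGER as big-endian two's complement, so a serial whose first byte has the high bit set is read as negative. This Python script walks just enough of a certificate's DER encoding to read that field with the sign DER defines and reports whether it is negative or zero, so a defender can check the certificate an intercepting proxy presents without a full X.509 library. The two sample blobs are constructed and truncated to version plus serial; they are not real certificates.

```python
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int, int]:
    """Decode one DER tag-length-value at pos.

    Returns (tag, value_start, value_end, next_pos). Handles the short
    length form (one byte) and the long form (0x80 | n, then n bytes).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def certificate_serial(der: bytes) -> int:
    """Return the serialNumber of a DER Certificate as a signed integer.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version
    OPTIONAL, serialNumber INTEGER, ... }, ... } -- only the path down to
    serialNumber is walked; everything after it is ignored.
    """
    tag, start, _, _ = _read_tlv(der, 0)           # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _, _ = _read_tlv(der, start)       # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend, nxt = _read_tlv(der, start)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, vstart, vend, nxt = _read_tlv(der, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # DER INTEGER is two's complement: a leading byte >= 0x80 means negative.
    return int.from_bytes(der[vstart:vend], "big", signed=True)


def serial_problem(der: bytes) -> Optional[str]:
    """Name the RFC 5280 violation in the serial, or None if it is acceptable."""
    serial = certificate_serial(der)
    if serial < 0:
        return "negative serial number"
    if serial == 0:
        return "zero serial number"
    return None


# --- constructed sample input (hypothetical, not real certificates) ---------

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV, choosing the short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def sample_certificate(serial: bytes) -> bytes:
    """Build a truncated Certificate holding only version v3 and the serial."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    tbs = _tlv(0x30, version + _tlv(0x02, serial))
    return _tlv(0x30, tbs)


SAMPLE_GOOD = sample_certificate(b"\x2a")                               # serial 42
SAMPLE_BAD = sample_certificate(bytes.fromhex("a35f129c44e107b2"))      # high bit set

if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, certificate_serial(blob), serial_problem(blob))
```

To check a real certificate, pass its DER bytes to certificate_serial; Python's ssl.PEM_cert_to_DER_cert converts a PEM file to the DER form the function expects. A negative result on the certificate your proxy hands out explains the Docker error independently of whether the proxy CA is trusted.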