Hostname in server cert doesn't contain internal IP #13922

Open
rhuss opened this Issue Jun 13, 2015 · 4 comments

@rhuss
Contributor

rhuss commented Jun 13, 2015

When I try to contact the docker host from within a container via its gateway IP obtained via

 host=$(ip route show 0.0.0.0/0 | grep -Eo 'via \S+' | awk '{print $2}');

and using SSL I get this error message

hostname in certificate didn't match: <172.17.42.1> != <127.0.0.1> OR 
<10.0.2.15> OR <192.168.59.103>

I'm not so deep into the docker network stack, but couldn't it be possible to include the internal gateway IPs into the generated server certificate as well?

@rhuss

Contributor

rhuss commented Jun 13, 2015

  • Docker version: 1.6.2
  • Docker info:
Containers: 12
Images: 274
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 298
 Dirperm1 Supported: true
Execution Driver: native-0.2
Kernel Version: 4.0.2-boot2docker
Operating System: Boot2Docker 1.6.1 (TCL 5.4); master : 43209d4 - Thu May  7 22:06:28 UTC 2015
CPUs: 8
Total Memory: 1.957 GiB
Name: boot2docker
ID: FFSP:JKJX:IZYG:AP4Y:E2JU:K5G2:YUOZ:C7CR:SJYA:NN74:6Y45:IB3W
Debug mode (server): true
Debug mode (client): false
Fds: 19
Goroutines: 34
System Time: Sat Jun 13 00:01:45 UTC 2015
EventsListeners: 0
Init SHA1: 2dabfc43e5f856a0712787a6ff78ceaf791cc9e7
Init Path: /usr/local/bin/docker
Docker Root Dir: /mnt/sda1/var/lib/docker
Username: jolokia
Registry: [https://index.docker.io/v1/]
  • Additional Info: Docker is running in boot2docker

Steps to reproduce:

  • Enable TCP listening on the docker daemon and SSL
  • Start a container with an internal docker client (e.g. jolokia/docker-reveal) and mount your client certs as volumes (e.g. docker run -ti -v ~/.boot2docker/certs/boot2docker-vm/:/certs jolokia/docker-reveal sh)
  • Run
host=$(ip route show 0.0.0.0/0 | grep -Eo 'via \S+' | awk '{print $2}');
export DOCKER_HOST=tcp://${host}:2376
export DOCKER_CERT_PATH=/path/to/certs
export DOCKER_TLS_VERIFY=1
  • Then try a docker command within this container (e.g. docker images)
  • Result:
/slides # docker images
FATA[0000] An error occurred trying to connect: Get https://172.17.42.1:2376/v1.18/images/json: 
x509: certificate is valid for 127.0.0.1, 10.0.2.15, 192.168.59.103, not 172.17.42.1

I would expect that the internal ip 172.17.42.1 would be included in the server cert that the docker daemon uses.

@jamshid

Contributor

jamshid commented Jul 26, 2015

Agreed, would be great if there were a docker client option like DOCKER_TLS_VERIFY but it should not validate that the hostname/ip matches the cert. I know that's usually not a good idea but seems okay here because the client is providing the cert that is expected, so it's not susceptible to MitM.

In my case I'm trying to configure a jenkins container to use the docker server on which it's running. Would simply share /var/run/docker.sock to the container, but that doesn't work with the jenkins user for some strange reason. And I don't want to change the docker server configuration (https://issues.jenkins-ci.org/browse/JENKINS-24338).
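The two options raised in this thread, putting the gateway IP into the daemon certificate's SAN list (rhuss) and trusting the CA while skipping the name check (jamshid), can be tried directly against Go's crypto/x509, which is the library that produced the `x509: certificate is valid for ..., not 172.17.42.1` error quoted above. The program below is an added example, not Docker's or boot2docker's code: it builds a throwaway CA and daemon certificate in memory (the CA name, serials and key type are assumptions; the IP addresses are the ones from the report) and runs the same chain-plus-hostname verification the Docker client runs. With an empty `DNSName` only the chain is checked, which is what jamshid's "verify the cert but not the name" option amounts to; the caveat is that any certificate ever issued by that CA, for any address, then passes, so it is only as safe as the CA's issuance control. Adding the gateway IP to the SAN list keeps the full check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyPair holds a certificate together with the private key that can sign with it.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA standing in for the boot2docker CA
// (constructed for this example; the name and key type are assumptions).
func newCA() (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-docker-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// newServerCert issues a daemon certificate from ca whose only names are the
// given IP SANs, i.e. the list the "certificate is valid for ..." error prints.
func newServerCert(ca *keyPair, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "docker-daemon"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("not an IP address: %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs performs the check a TLS client performs: chain cert to ca and, when
// host is non-empty, match host against the SANs (an x509.HostnameError on
// mismatch). With host == "" only the chain is checked, so every certificate
// the CA ever issued is accepted regardless of the address being contacted.
func verifyAs(cert, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	reported := []string{"127.0.0.1", "10.0.2.15", "192.168.59.103"} // SAN list from the report
	old, _ := newServerCert(ca, reported)
	fmt.Println("old cert, from a container:", verifyAs(old, ca.cert, "172.17.42.1"))
	fmt.Println("old cert, chain only:      ", verifyAs(old, ca.cert, ""))
	fixed, _ := newServerCert(ca, append(reported, "172.17.42.1"))
	fmt.Println("fixed cert, from a container:", verifyAs(fixed, ca.cert, "172.17.42.1"))
}
```

The first line printed is the same HostnameError the Docker client reports; the third is `<nil>` once 172.17.42.1 is in the SAN list. For a daemon certificate issued with openssl rather than in Go, the equivalent fix is an `IP:172.17.42.1` entry in the certificate's subjectAltName extension.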

@ChrisPearce


ChrisPearce commented Aug 31, 2015

It would be very helpful if the internal ip 172.17.42.1 was included in the server cert

@Sigurthorb


Sigurthorb commented Jan 6, 2016

Hey, I think this is connected to my issue #19112. Can you verify that this is the issue that I am having?
If I am reading this correctly, though, it seems that this is the other way around: my cert is registered on the internal static IP of my server instead of my host name (external network ID).
