docker pull failing with failed to parse certificate: x509: unhandled critical extension (based on #31949) #35152
Comments
Thanks for the detailed information and analysis @GarageDeveloper
let's link this to the tracking PR for golang 1.9: #33892
Hello,
Thanks for your message.
We effectively already solved this as you proposed, using mitmdump.
So for now docker --> mitmproxy --> cntlm --> bluecoat --> Internet....
Ideally I would have liked to use squid and replace cntlm + mitmdump....
but couldn't make it work.
I guess I need more time than what I have.
Thanks,
Marc
On Sun 19 Nov 2017 at 20:58, Raphaël Enrici <notifications@github.com> wrote:
Hi Marc (@mgjadoul <https://github.com/mgjadoul>),
as mentioned earlier, you'll have to wait for #33892 to be closed and a release of
moby built with golang 1.9.x.
Until that you may use another TLS interception between you and the
security equipment of your company (here your bluecoat) and make so that
this one does not add the unwanted extension.
Something like this:
docker -> your proxy doing ssl interception and configured without
unwanted ext -> bluecoat with unwanted extensions -> internet.
I did not do it myself because we were allowed to bypass the equipment for
a while but that's what I would have ended up testing.
You can create transparent interception with some iptables rules and a
proxy like squid for example.
If you need help concerning this, contact me in private, I'll try to
manage to find time to put something in place you could use on your side.
HTH.
Raph
Dear all,
I'm opening this one but it definitely follows #31949.
I add here information and diagnostics we made while facing the problem.
Description
We get a "failed to parse certificate: x509: unhandled critical extension" error message when trying to pull images on public registries.
The environment is RHEL 7 with all docker releases we tested (EE and CE) and in particular with: docker-ce-17.09.0. This is due to Name Constraints on the certificate generated by the local PKI (see further details below).
Steps to reproduce the issue:
docker pull centos
Describe the results you received:
And no image pulled at all ;)
Describe the results you expected:
We should have pulled the image without error. (curl works fine in the same situation).
Additional information you deem important (e.g. issue happens only occasionally):
We are in a situation where the security team put in place SSL interception with a local PKI. Each https request is intercepted and certificates are generated on the fly for the sites we browse. The local PKI has a CA and a sub CA. The TLS certificate of the sub CA which appears in the TLS exchange includes "Name Constraints" as critical with something like this:
After research, it seems that docker for RHEL7 is built with golang 1.8 and that this version of golang does not support Name Constraints of type Excluded.
You can reproduce the exact same behavior by running the simple example of upstream golang and using any generated certificate with Name Constraints critical+excluded.
For example, this one to put in the certPEM in the golang example:
This has been fixed in golang 1.9 commit here.
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
It's a golang issue and so we'd like to know if you plan to build docker on RHEL7 with golang 1.9 which solves the problem or if you could ask RH to backport commit d1211b9 to golang 1.8 as included in RH so that you rebuild docker with this particular version.
Until that we can't see any other option than bypassing SSL interception which is not always possible in companies with security in mind.
Best and thank you for the good work!
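The failure described in this issue can be reproduced and checked without a corporate proxy. The Go program below is an added example written for this page; it is not code from the issue author, from moby, or from the golang commit referenced above. It assumes a Go toolchain of 1.9 or later (the version the reporter says carries the fix), builds a self-signed CA whose Name Constraints extension is critical and carries an excludedSubtrees entry (the CA name and the hostnames are constructed for the example), then runs the two things a practitioner wants to know: whether crypto/x509, the parser the docker daemon uses, accepts the certificate without leaving the extension in UnhandledCriticalExtensions, and whether chain verification actually enforces the excluded domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509 Name Constraints extension (id-ce-nameConstraints, RFC 5280 4.2.1.10).
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}

// NameConstraintReport records how the running Go toolchain handled one
// certificate's Name Constraints extension.
type NameConstraintReport struct {
	Parsed            bool     // ParseCertificate succeeded
	ParseError        string   // error text when it did not
	Critical          bool     // the extension was flagged critical
	PermittedDNS      []string // permittedSubtrees dNSName entries
	ExcludedDNS       []string // excludedSubtrees dNSName entries
	UnhandledCritical int      // critical extensions the parser did not understand
}

// NewConstrainedCA builds a self-signed CA (constructed for this example, not a
// real corporate PKI) whose Name Constraints extension is critical and carries
// the given excludedSubtrees entries, the shape the issue describes.
func NewConstrainedCA(excluded []string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Interception Sub CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// PermittedDNSDomainsCritical marks the whole extension critical, which is
		// what turns "I do not understand this" into a hard parse failure.
		PermittedDNSDomainsCritical: true,
		ExcludedDNSDomains:          excluded,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// InspectNameConstraints parses a PEM certificate with crypto/x509 and reports
// what the toolchain made of its Name Constraints extension.
func InspectNameConstraints(certPEM []byte) NameConstraintReport {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return NameConstraintReport{ParseError: "no PEM block found"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return NameConstraintReport{ParseError: err.Error()}
	}
	r := NameConstraintReport{
		Parsed:            true,
		PermittedDNS:      cert.PermittedDNSDomains,
		ExcludedDNS:       cert.ExcludedDNSDomains,
		UnhandledCritical: len(cert.UnhandledCriticalExtensions),
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidNameConstraints) {
			r.Critical = ext.Critical
		}
	}
	return r
}

// IssueLeaf signs a server certificate for host under the CA, as an
// intercepting proxy does on the fly for each site visited.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyHost runs the chain check a TLS client performs; a toolchain that
// understands excludedSubtrees rejects a leaf whose name falls inside one.
func VerifyHost(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, key, caPEM, err := NewConstrainedCA([]string{"internal.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", InspectNameConstraints(caPEM))
	for _, host := range []string{"registry.example.test", "git.internal.example.test"} {
		leaf, err := IssueLeaf(ca, key, host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: verify error = %v\n", host, VerifyHost(leaf, ca, host))
	}
}
```

To check a real interception sub CA, read its PEM file and pass the bytes to InspectNameConstraints: on a toolchain that carries the fix, Parsed is true, Critical is true, ExcludedDNS lists the excluded subtrees and UnhandledCritical is 0; on a build of docker that predates it, the same certificate produces the "unhandled critical extension" parse error quoted at the top of this issue, which is the quickest way to confirm that the daemon's Go version, not the registry or the proxy configuration, is the cause.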