docker-compose fails with ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) #38
Comments
I'm seeing the same thing. |
It seems that the certificates used in the Docker Container Host Endpoint and the one saved in the ~/.docker/ folder are different. The certificate stored in the Docker Container Host Endpoint is saved in ~/.dockercerts/ by the task and used for execution. Can you verify whether these certificates are the same? ~/.dockercerts/ gets deleted once the task execution completes. You can take the certificate while the task is executing to validate. |
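The comparison suggested in the comment above, as an added example that is not part of the original thread or the task's code: it fingerprints ca.pem and cert.pem in two certificate directories over their DER bytes, so CRLF versus LF line endings (common on Windows agents) do not produce a false mismatch. The function names are hypothetical, and the sample files are constructed placeholders rather than real X.509 certificates.

```python
import base64
import hashlib
import os
import ssl
import tempfile

CERT_FILES = ("ca.pem", "cert.pem")  # key.pem is private; compare certificates only
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def cert_fingerprint(pem_path):
    """SHA-256 of the first certificate's DER bytes (ignores PEM line endings)."""
    with open(pem_path, "r", encoding="ascii") as fh:
        pem = fh.read()
    block = pem[pem.index(BEGIN):pem.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()


def compare_cert_dirs(dir_a, dir_b):
    """Return {filename: 'match' | 'differ' | 'missing'} for the two directories."""
    report = {}
    for name in CERT_FILES:
        paths = [os.path.join(os.path.expanduser(d), name) for d in (dir_a, dir_b)]
        if not all(os.path.isfile(p) for p in paths):
            report[name] = "missing"
            continue
        fp_a, fp_b = (cert_fingerprint(p) for p in paths)
        report[name] = "match" if fp_a == fp_b else "differ"
    return report


def write_constructed_pem(directory, name, payload, newline="\n"):
    # Constructed placeholder: base64 of arbitrary bytes, not a real certificate.
    body = base64.encodebytes(payload).decode("ascii").strip().replace("\n", newline)
    with open(os.path.join(directory, name), "w", newline="") as fh:
        fh.write(newline.join([BEGIN, body, END, ""]))


def demo():
    """Same CA saved with different line endings, but a different client cert."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_constructed_pem(a, "ca.pem", b"constructed-ca-1" * 8)
        write_constructed_pem(b, "ca.pem", b"constructed-ca-1" * 8, newline="\r\n")
        write_constructed_pem(a, "cert.pem", b"client-cert-old" * 8)
        write_constructed_pem(b, "cert.pem", b"client-cert-new" * 8)
        return compare_cert_dirs(a, b)


if __name__ == "__main__":
    local = os.environ.get("DOCKER_CERT_PATH", "~/.docker")
    print(compare_cert_dirs(local, "~/.dockercerts"))
```

Run it while the task is executing, since ~/.dockercerts/ is deleted when the task completes.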
Hi @jitekuma - I only have one set of certs. And I can't see how they can be different because |
I am having the same issue.
|
@jitendra Kumar<mailto:jikuma@microsoft.com>
From: SemionPar [mailto:notifications@github.com]
Sent: Tuesday, March 7, 2017 3:11 PM
I am having the same issue.
DOCKER_TLS_VERIFY = "1"
DOCKER_HOST = "tcp://some.host:2376"
DOCKER_CERT_PATH = "/home/xyz/.docker"
docker --tlsverify ps executes just fine, while docker-compose --tlsverify up -d --force-recreate gives me an error:
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
|
I've tried to update python and install |
@colindembovsky You don't need to pass the --tls or --tlsverify option in the docker-config path as the task already sets the DOCKER_TLS_VERIFY environment variable. I debugged docker-compose and the docker-py library and verified that if you pass either the --tls or --tlsverify flag, it tries to create the tlsConfig object out of the options and not from the environment, and hence either the ca_cert object or verify is none in TFSConfig file. You can use the task without using these flags. |
@jitekuma I'm not setting the env variables during the build/release - I just noted that I can repro the task behavior if I do so locally. I'm still not sure if this is an issue with the docker task or the Azure cli that created the certificates in the first place. Bottom line: if I pass the certs in I get a successful connection - when I use env variables, I get failures. Here's what happens when I run some docker commands from my machine: Docker commands succeed when passing
Docker commands fail when using env vars:
Docker-compose succeeds when passing in certs:
Docker-compose fails when using env vars:
|
@colindembovsky You also need to set the DOCKER_CERT_PATH environment variable. DOCKER_TLS_VERIFY = "1", then simply do docker-compose ps and this will work, or specify all the TLS parameters like:
docker-compose -H $dockerHost --tls --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem ps |
@jitekuma - the default is correct in my case (
I think my point is that I think the task should be passing the variables into the command rather than relying on the env vars - especially given that passing the certs in works reliably while using the env settings appears to be flaky for some reason. |
@colindembovsky Now I think this is a certificate issue. Can you put the --tlsverify option in docker-compose:
docker-compose -H $dockerHost --tls --tlsverify --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem ps
I think this should also fail. Let me know the output. |
@jitekuma Yes! It failed indeed (same as the error with docker):
The thing is that I didn't create the certs by hand - I used |
No. I don't think so. It might be that some command run during development messed up your certificate. |
Hmm I didn't do anything after creating the dockerHost. I think this might be the issue:
I'm going to delete this host, clean the certs folder and run the |
@SemionPar In the docker-compose command you cannot mix environment variables and command options. You can specify the settings in environment variables and then just use docker-compose ps. The connection will be secured with the TLS protocol if the DOCKER_TLS_VERIFY variable is set. |
@colindembovsky Also please check the path where the certificates are created in the log; usually it's different than ~/docker . |
I figured out what the problem was - I used |
I have installed the docker toolbox and I am facing the same problem when I try to build an image. It shows me the following error message: "ERROR: SSL error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:661)" |
Same here: @ashish2rathi are you on windows? |
@amandoabreu - yes, I am using windows 7 |
I was getting this on Windows:
ERROR: SSL error: HTTPSConnectionPool(host='192.168.99.101', port=2376): Max retries exceeded with url: /v1.30/info (Caused by SSLError(SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:727)'),))
export COMPOSE_TLS_VERSION=TLSv1_2 fixed the issue |
This one did it for me: docker-machine regenerate-certs --client-certs |
(Logging here as per @RoopeshNair on microsoft/VSTS-Docker-Preview#14)
I have created a release with several docker tasks. I have an endpoint to a docker host machine. I am able to run docker commands successfully (like docker run) against the docker host. However, the
docker-compose up
commands fail with ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661). (In the task I'm using the "Run Services" action.) I can repro this on my client machine by running
docker-compose ps
against the same host - I get the cert error. However, if I specify the tls settings explicitly like this: then the command succeeds. Is there some issue with the environment variables that the task is using to run docker-compose up?