Terraform init error in a Docker container - x509: certificate signed by unknown authority
2020-03-29
I have
$ cat terraform.Dockerfile
FROM alpine
MAINTAINER Carlos Nunez <[email protected]>
RUN wget -O /tmp/terraform.zip https://releases.hashicorp.com/terraform/0.12.9/terraform_0.12.9_linux_amd64.zip && \
unzip /tmp/terraform.zip -d /
RUN apk update && apk add --no-cache ca-certificates curl
USER nobody
When I run
$ docker-compose run terraform /terraform init
I get
$ docker-compose run terraform /terraform init
2020/03/29 08:25:36 [INFO] Terraform version: 0.12.9
2020/03/29 08:25:36 [INFO] Go runtime version: go1.12.9
2020/03/29 08:25:36 [INFO] CLI args: []string{"/terraform", "init"}
2020/03/29 08:25:36 [DEBUG] Attempting to open CLI config file: /.terraformrc
2020/03/29 08:25:36 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/03/29 08:25:36 [INFO] CLI command args: []string{"init"}
2020/03/29 08:25:36 [ERR] Checkpoint error: mkdir /.terraform.d: permission denied
Initializing the backend...
2020/03/29 08:25:36 [TRACE] Meta.Backend: no config given or present on disk, so returning nil config
2020/03/29 08:25:36 [TRACE] Meta.Backend: backend has not previously been initialized in this working directory
2020/03/29 08:25:36 [DEBUG] New state was assigned lineage "cff52927-0e9b-8ef4-8aeb-2b176dbc40a6"
2020/03/29 08:25:36 [TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
2020/03/29 08:25:36 [TRACE] Meta.Backend: instantiated backend of type <nil>
2020/03/29 08:25:36 [DEBUG] checking for provider in "."
2020/03/29 08:25:36 [DEBUG] checking for provider in "/"
2020/03/29 08:25:36 [DEBUG] checking for provisioner in "."
2020/03/29 08:25:36 [DEBUG] checking for provisioner in "/"
2020/03/29 08:25:36 [INFO] Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
2020/03/29 08:25:36 [TRACE] Meta.Backend: backend <nil> does not support operations, so wrapping it in a local backend
2020/03/29 08:25:36 [TRACE] backend/local: state manager for workspace "default" will:
- read initial snapshot from terraform.tfstate
- write new snapshots to terraform.tfstate
- create any backup at terraform.tfstate.backup
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: reading initial snapshot from terraform.tfstate
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: snapshot file has nil snapshot, but that's okay
2020/03/29 08:25:36 [TRACE] statemgr.Filesystem: read nil snapshot
2020/03/29 08:25:36 [DEBUG] checking for provider in "."
2020/03/29 08:25:36 [DEBUG] checking for provider in "/"
2020/03/29 08:25:36 [DEBUG] plugin requirements: "aws"=""
2020/03/29 08:25:36 [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2020/03/29 08:25:36 [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json
Initializing provider plugins...
- Checking for available provider plugins...
2020/03/29 08:25:36 [DEBUG] Failed to request discovery document: Get https://registry.terraform.io/.well-known/terraform.json: x509: certificate signed by unknown authority
Registry service unreachable.
This may indicate a network issue, or an issue with the requested Terraform Registry.
Error: registry service is unreachable, check https://status.hashicorp.com/ for status updates
I have seen several links online that all describe the same or a similar error and say it is resolved by installing curl. I installed curl on the container and verified that it is there.
$ docker-compose run terraform curl --version
curl 7.67.0 (x86_64-alpine-linux-musl) libcurl/7.67.0 OpenSSL/1.1.1d zlib/1.2.11 nghttp2/1.40.0
Release-Date: 2019-11-06
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
I also installed the certificates:
$ docker-compose run terraform ls -lR /etc/ssl
Here is the output of curl -v:
$ docker-compose run --entrypoint 'curl -v --insecure https://registry.terraform.io/.well-known/terraform.json' terraform
* Trying 151.101.190.49:443...
* TCP_NODELAY set
* Connected to registry.terraform.io (151.101.190.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=q2.shared.global.fastly.net
* start date: Apr 1 14:48:12 2020 GMT
* expire date: Aug 29 17:17:53 2020 GMT
* issuer: C=US; ST=CA; O=paloalto networks; OU=IT; CN=decrypt.paloaltonetworks.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cce9444220)
> GET /.well-known/terraform.json HTTP/2
> Host: registry.terraform.io
> user-agent: curl/7.67.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< server: Cowboy
< cache-control: stale-if-error=31536000, public, max-age=3600
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://cdn.segment.com https://www.googletagmanager.com https://a.optnmstr.com; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://p.typekit.net https://use.typekit.net; img-src 'self' data: https: https://www.google-analytics.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com https://fonts.gstatic.com https://use.typekit.net; connect-src 'self' https://www.google-analytics.com https://api.segment.io https://sentry.io https://api.omappapi.com https://api.opmnstr.com https://api.optmnstr.com
< content-type: application/json
< feature-policy:
< last-modified: Fri, 10 Apr 2020 08:49:04 GMT
< referrer-policy: no-referrer-when-downgrade
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-xss-protection: 1; mode=block
< via: 1.1 vegur
< via: 1.1 varnish
< accept-ranges: bytes
< date: Sat, 11 Apr 2020 06:07:54 GMT
< via: 1.1 varnish
< age: 63
< x-served-by: cache-dca17758-DCA, cache-pao17436-PAO
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< vary: Accept-Encoding
< content-length: 62
<
{"modules.v1":"/v1/modules/","providers.v1":"/v1/providers/"}
* Connection #0 to host registry.terraform.io left intact
2 answers
After installing the ca-certificates package, run update-ca-certificates. Docker layer caching may prevent the install step from being re-run, and the CA certificates may have expired.
Jeremy Gaither
2020-04-08
Running update-ca-certificates did not work for me. I tried the following, mapping a copy of the node's certificate file onto the container's certificate file, and it worked.
Try checking whether the node on which the docker container is installed is able to connect to terraform.
Run "curl -v https://registry.terraform.io/.well-known/terraform.json" on both the docker node and the container.
If the node's curl works and the container's fails, try creating a copy of the certificate file. You can get the certificate file location from the curl command output, as shown below. After creating the copy, map this certificate file onto the container's certificate file (you will get that location from the container's curl command).
If both of your curls fail, try updating your certificates and then try the method above.
Suraj Gawas
2022-03-10
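A small Go reproduction of the failure, added here and not taken from the question or either answer: it constructs a stand-in decrypting-proxy CA (made-up name) and a registry.terraform.io leaf signed by it, then runs Go's x509 verification, the same check Terraform's HTTP client performs, once against a trust pool that lacks that CA and once against a pool that carries it. The first verification returns the exact error text seen in the question, and the second succeeds, which is the effect the second answer's bundle mapping has when the node's bundle already trusts that issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent using parentKey; passing tmpl as its own parent self-signs it.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyAgainst does what Terraform's Go HTTP client does on connect: chain leaf to a root in pool.
// It returns "ok" or the x509 error text; with a pool lacking the issuer that text is the question's error.
func VerifyAgainst(leaf *x509.Certificate, pool *x509.CertPool, host string) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return err.Error()
	}
	return "ok"
}

// Demo builds a constructed stand-in for a decrypting proxy CA and a registry leaf it issued, then
// verifies that leaf against a bundle lacking the proxy CA (the container) and one carrying it (the node).
func Demo() (withoutProxyCA, withProxyCA string) {
	const host = "registry.terraform.io"
	t0 := time.Now().Add(-time.Hour) // back-dated slightly so NotBefore is safely in the past
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example-decrypting-proxy-ca"}, // constructed, not a real issuer
		KeyUsage: x509.KeyUsageCertSign, NotBefore: t0, NotAfter: t0.Add(48 * time.Hour)}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: t0, NotAfter: t0.Add(48 * time.Hour)}, ca, &leafKey.PublicKey, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the node's bundle, which already trusts the proxy issuer
	return VerifyAgainst(leaf, x509.NewCertPool(), host), VerifyAgainst(leaf, trusted, host)
}
```

In the container the system bundle plays the role of the empty pool here; adding the proxy CA to /usr/local/share/ca-certificates and running update-ca-certificates (or mapping a bundle that already contains it) is what turns the first result into the second.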