GoogleContainerTools / kaniko

Build Container Images In Kubernetes
Apache License 2.0

v1.9.2 new TLS error for insecure (alert code 80) #2452

Open Fen0l opened 1 year ago

Fen0l commented 1 year ago

Actual behavior

Kaniko v1.9.2 raises a TLS error when using wget against insecure self-signed certificates. This was working fine for v1.9.1 and below.

➜  ~ docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.2-debug --no-check-certificates https://git.local
Connecting to git.local (10.10.0.1:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 80): internal error
wget: error getting response: Connection reset by peer

➜  ~ docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.1-debug --no-check-certificates https://git.local
Connecting to git.local (10.10.0.1:443)
wget: note: TLS certificate validation not implemented
saving to 'FILE.crt'
FILE.crt   100% |**********************************************************************************************|  7107  0:00:00 ETA
'FILE.crt' saved

Expected behavior

wget should ignore TLS verification when --no-check-certificates is given.

To Reproduce

Steps to reproduce the behavior:

  1. docker run -it --entrypoint /busybox/wget gcr.io/kaniko-project/executor:v1.9.2-debug --no-check-certificates https://git.local
  2. when git.local is using self-signed certificates

KR

irizzant commented 1 year ago

Hitting the same here

fengkaijia commented 1 year ago

I'm hitting a similar error without --no-check-certificates in 1.9.2, it was working fine in 1.9.1.

wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

modelbitjason commented 1 year ago

This is caused by an issue in busybox:musl: https://github.com/docker-library/busybox/issues/162. The debug image is based on busybox:musl; changing it to busybox:1.35.0-musl should fix the problem.

Also of note, this only happens on certain URLs -- https://github.com works, but https://amazon.com does not.

aaron-prindle commented 1 year ago

Are folks in the thread here still having this issue using the latest v1.11.0 release of kaniko (seems likely as the busybox issue is still open)? Is there any opinion here on the preferred fix to be made in kaniko to resolve this issue for users? Pinning busybox:1.35.0-musl seems like an acceptable fix in the short term; I want to weigh that vs. any other suggested fixes, as pinning is not ideal.

LordGaav commented 1 year ago

Still running into this exact issue, tested just now with v1.12.0. We're currently pinned on v1.9.1 as the last known working version.

In our case: during the Docker build we need to download some files from a server with a very old openssl version:

Connecting to xxx (xxx)
wget: note: TLS certificate validation not implemented
wget: short read, have only 0: Connection reset by peer
wget: error getting response: Connection reset by peer

zhekazuev commented 1 year ago

Update about this problem.

I've tested several versions of busybox, and version 1.35 seems to work fine, as @aaron-prindle said.

Latest (1.36.1) busybox:musl, as in Kaniko's Dockerfile:

@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:musl
/ # busybox | head -1
BusyBox v1.36.1 (2023-07-17 19:24:58 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer

Latest version (v1.36.1) of busybox:glibc. I thought the problem was only with musl and decided to check:

@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:glibc
/ # busybox | head -1
BusyBox v1.36.1 (2023-07-17 18:29:09 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer

Specific version, busybox:1.35.0-musl:

@zhekazuev ➜ /workspaces/kaniko/deploy (main) $ docker run -it --rm busybox:1.35.0-musl
Unable to find image 'busybox:1.35.0-musl' locally
1.35.0-musl: Pulling from library/busybox
Digest: sha256:4173c82ba78b6b64776907f6dd6af48eee80697e0d4852086e8f8f2bc8c93384
Status: Downloaded newer image for busybox:1.35.0-musl
/ # busybox | head -1
BusyBox v1.35.0 (2023-07-17 19:33:24 UTC) multi-call binary.
/ # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
saving to 'index.html'
index.html           100% |***************************************************************************|   502  0:00:00 ETA
'index.html' saved

And one last test. Updated dockerfile to specify busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 instead of busybox:musl:

cat deploy/Dockerfile

...
# use musl busybox since it's staticly compiled on all platforms
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 AS busybox
...

@zhekazuev ➜ /workspaces/kaniko (main) $ docker build -t gcr.io/kaniko-project/executor:debug-1.35.0-musl --target kaniko-debug -f deploy/Dockerfile .
...

And run built kaniko image:

@zhekazuev ➜ /workspaces/kaniko (main) $ docker run -it --rm --entrypoint="" gcr.io/kaniko-project/executor:debug-1.35.0-musl /bin/sh
/workspace # wget https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html           100% |*******************************************************************************|   502  0:00:00 ETA
'index.html' saved

/workspace # rm index.html 

/workspace # wget --no-check-certificate https://self-signed.badssl.com/
Connecting to self-signed.badssl.com (104.154.89.105:443)
saving to 'index.html'
index.html           100% |*******************************************************************************|   502  0:00:00 ETA
'index.html' saved

This requires using a specific version of busybox:musl. I think busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b0214585856a3edd4fff19d97a8e78d5 would be the best solution.

And I don't see why we can't use distroless and distroless-debug by Google as a base instead of busybox. And use /etc/ssl/certs path instead of /kaniko/ssl/certs - most docker linuxes use that path for ca certs, and /kaniko/ssl/certs is a bit confusing.
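The fix discussed above replaces a floating `busybox:musl` tag with a tag plus a `sha256` digest, which is what makes the base image reproducible regardless of what the tag points to later. The following is an added example, not kaniko's code: a small audit script that walks a Dockerfile's `FROM` lines and reports which base images are unpinned, pinned, or pinned with a malformed digest. The sample Dockerfile is constructed for the example; it reuses the floating tag from kaniko's Dockerfile, the pinned reference from the comment above, and the second digest string from the same comment, which is 66 hex characters long rather than the 64 a `sha256` digest requires, so the script flags it instead of letting a build fail later with a pull error.

```python
"""Audit FROM lines in a Dockerfile for digest pinning (added example)."""
import re

# An image digest is exactly 'sha256:' followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# FROM [--platform=<p>] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample input: tags and digests copied from the issue thread.
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS builder
# floating tag, as in kaniko's original Dockerfile
FROM busybox:musl AS busybox-floating
# tag plus digest, as proposed in the thread
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b02145856a3edd4fff19d97a8e78d5 AS busybox-pinned
# the same digest as retyped later in the thread (66 hex characters, invalid)
FROM busybox:1.35.0-musl@sha256:b083c85bd4aff5d4936fa263572c8c7369b0214585856a3edd4fff19d97a8e78d5 AS busybox-typo
FROM scratch AS final
FROM builder
"""


def parse_image_ref(ref: str) -> dict:
    """Split 'name[:tag][@digest]' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # The tag separator is a ':' after the last '/', so the ':' in
    # 'localhost:5000/busybox' is a registry port, not a tag.
    slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > slash:
        tag = ref[colon + 1:]
        ref = ref[:colon]
    return {"name": ref, "tag": tag, "digest": digest}


def classify_pin(ref: str) -> str:
    """Return one of: unpinned, malformed-digest, pinned-no-tag, pinned."""
    info = parse_image_ref(ref)
    if info["digest"] is None:
        return "unpinned"            # resolves to whatever the tag points at today
    if not DIGEST_RE.match(info["digest"]):
        return "malformed-digest"    # would fail at pull time; catch it in review
    if info["tag"] is None:
        return "pinned-no-tag"       # reproducible, but the version is not human-readable
    return "pinned"


def audit_dockerfile(text: str) -> list:
    """Return (line number, image reference, classification) for each external base image."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        # 'scratch' and references to earlier build stages are not registry pulls.
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        findings.append((lineno, ref, classify_pin(ref)))
    return findings


if __name__ == "__main__":
    for lineno, ref, verdict in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {verdict:17} {ref}")
```

In a CI job the same function would read `deploy/Dockerfile` and fail the pipeline on any `unpinned` or `malformed-digest` verdict; the `pinned-no-tag` verdict is reported separately because it is reproducible but makes the intended BusyBox version invisible to reviewers.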

stefan2904 commented 8 months ago

For the record, the error still exists in gcr.io/kaniko-project/executor:v1.20.0-debug.

This is most likely since the aforementioned PR updating/pinning busybox got rejected: https://github.com/GoogleContainerTools/kaniko/pull/2765#issuecomment-1831150620

sazary commented 7 months ago

Had the same problem with v1.21.1-debug.

--no-check-certificates had no effect

Downgrading to v1.9.1-debug worked, as mentioned by @Fen0l.

monofone commented 1 month ago

This stopped working for 1.9.1-debug as well, I'm getting a

wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

for 1.23.2-debug the issue also still exists with a slightly different error message:

wget: TLS error from peer (alert code 80): internal error
wget: error getting response: Connection reset by peer