anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Cannot add registries to Nexus even though the certificate is already put in Anchore #1370

Closed IndraWiradinataK closed 2 years ago

IndraWiradinataK commented 2 years ago

Is this a request for help?:

Cannot add registries to Nexus even though the certificate has already been put in Anchore, either using the CLI or the API (from the application).

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:

Anchore CLI version: 0.9.1


Anchore Engine version: 1.1.0


What happened:

A registry that needs TLS/SSL verification (Value=True) cannot be added to the registry list in Anchore, even though the certificate for the registry has already been planted into Anchore.

What did you expect to happen: The registry should be added to Anchore even with TLS/SSL verification set to true, because the certificate for the registry has already been planted into Anchore.

Any relevant log output from /var/log/anchore:

From the event on Anchore:

Error: cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.:50001/,21059309) - exception: HTTPSConnectionPool(host='nexus.', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4265)'))) HTTP Code: 406 Detail: {'error_codes': []}

From the log:

[service:api] 2022-03-01 07:07:50+0000 [_GenericHTTPChannelProtocol,500932,192.168.15.1] [PoolThread-twisted.internet.reactor-1] [anchore_engine.clients.services.internal/dispatch()] [ERROR] Failed client call to service catalog for url: http://anchore-anchore-engine-catalog:8082/v1/system/registries. Response: {'httpcode': 406, 'anchore_error_raw': 'b\'{\n "detail": {\n "error_codes": []\n },\n "httpcode": 406,\n "message": "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.:50001/,21059309) - exception: HTTPSConnectionPool(host=\\'nexus..co.id\\', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, \\'[X509] PEM lib (_ssl.c:4265)\\')))"\n}\n\'', 'anchore_error_json': {'detail': {'error_codes': []}, 'httpcode': 406, 'message': "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.:50001/,21059309) - exception: HTTPSConnectionPool(host='nexus..id', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4265)')))"}}

What Docker images are you using: min4tozaki/anchore-engine:1.0.0 (using Filebeat)

Dockerfile for adding the certificate (self-signed certificate):

FROM <IMAGE_ANCHORE_v1>
# Root is needed to write into the OS trust store and into certifi's bundle.
USER root:root
# The self-signed Nexus CA (PEM) goes into the OS anchors directory;
# update-ca-trust below regenerates the system bundle from it.
COPY ./<NEXUS_CERT>.pem   /etc/pki/ca-trust/source/anchors/
COPY ./your_cert.cer /usr/local/lib/python3.8/site-packages/certifi/
COPY ./another_cert.cer /usr/local/lib/python3.8/site-packages/certifi/
# Appending to certifi's cacert.pem only works if the .cer files are PEM-encoded.
# A DER-encoded .cer appended verbatim corrupts the bundle, and OpenSSL then
# fails to load the whole file with "[X509] PEM lib".
RUN cat /usr/local/lib/python3.8/site-packages/certifi/*_cert.cer >> /usr/local/lib/python3.8/site-packages/certifi/cacert.pem
RUN update-ca-trust
# Switch back to the image's non-root user once the trust stores are updated.

How to reproduce the issue: Anchore is deployed in OpenShift with a custom deployment (not using Helm). Nexus can be accessed from the OpenShift pods even though it is outside OpenShift; I am assuming OpenShift is on the intranet. Here are the deployment files:

Files.zip

Anything else we need to know: When we scan images from the target Nexus registry, it is always successful.

We tried to test using curl and a Python SSL test:

$ python3
>>> import urllib.request
>>> # Note: urllib verifies against OpenSSL's default paths (the system trust
>>> # store refreshed by update-ca-trust), not against certifi's cacert.pem.
>>> print(urllib.request.urlopen('https://<DNS_NEXUS>/').read())

Both succeeded against the default HTTPS port, but against port 50001 we got error code 400 Bad Request.
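The "[X509] PEM lib" error quoted in the log above is what OpenSSL raises when a file it is asked to load as a cafile contains something that is not well-formed PEM. One way to end up there is the pattern in the Dockerfile: appending a .cer file to certifi's cacert.pem with cat when that .cer is DER-encoded rather than PEM. The script below is an added example, not code from this issue or from anchore-engine, and it does not claim to be the cause of this report (the reporter closed it without posting the fix). It structurally checks a CA bundle for non-PEM content and shows a safe replacement for the cat >> step that converts DER input to PEM first. The sample bundle is constructed inline from a fake DER-looking blob, not a real certificate, so it exercises the checker but would not load as a CA.

```python
import base64
import re
import ssl
from typing import List, Tuple

# Matches one PEM certificate block; group 1 is the base64 body with line breaks.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def _has_binary(chunk: bytes) -> bool:
    """True if the chunk holds bytes that cannot occur in a PEM file
    (anything outside printable ASCII plus tab/CR/LF)."""
    return any((b < 0x20 and b not in b"\t\r\n") or b > 0x7E for b in chunk)


def check_ca_bundle(data: bytes) -> Tuple[int, List[str]]:
    """Structurally validate a PEM CA bundle.

    Returns (number_of_pem_blocks, problems). A non-empty problems list means
    OpenSSL will most likely refuse the file with '[X509] PEM lib' when it is
    used as a cafile. This is a format check only; it does not parse X.509.
    """
    problems: List[str] = []
    count = 0
    last_end = 0
    for match in PEM_BLOCK.finditer(data):
        count += 1
        # Text between blocks must be ASCII (certifi keeps comment lines there).
        if _has_binary(data[last_end:match.start()]):
            problems.append(
                f"binary data before certificate #{count} (DER appended verbatim?)"
            )
        body = b"".join(match.group(1).split())  # drop the 64-column line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            problems.append(f"certificate #{count}: body is not valid base64")
        else:
            # Every DER certificate starts with a SEQUENCE tag (0x30).
            if not der.startswith(b"\x30"):
                problems.append(f"certificate #{count}: body does not decode to DER")
        last_end = match.end()
    if _has_binary(data[last_end:]):
        problems.append("binary data after the last certificate (DER appended verbatim?)")
    if count == 0:
        problems.append("no PEM certificate blocks found")
    return count, problems


def append_cert(bundle: bytes, cert: bytes) -> bytes:
    """Append a certificate to a PEM bundle, converting DER input to PEM first.

    Safe replacement for 'cat cert.cer >> cacert.pem' when the encoding of
    the .cer file is not known.
    """
    if cert.lstrip().startswith(b"-----BEGIN"):
        pem = cert if cert.endswith(b"\n") else cert + b"\n"
    else:
        # ssl.DER_cert_to_PEM_cert only base64-wraps; it does not validate the DER.
        pem = ssl.DER_cert_to_PEM_cert(cert).encode("ascii")
    if bundle and not bundle.endswith(b"\n"):
        bundle += b"\n"
    return bundle + pem


# Constructed sample input (assumption for the demo): a fake DER-looking blob,
# a SEQUENCE tag followed by every byte value. NOT a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD_PEM = ssl.DER_cert_to_PEM_cert(FAKE_DER).encode("ascii")

# What 'cat your_cert.cer >> cacert.pem' produces when your_cert.cer is DER.
BROKEN_BUNDLE = GOOD_PEM + FAKE_DER
# The same certificate added through append_cert instead.
FIXED_BUNDLE = append_cert(GOOD_PEM, FAKE_DER)


if __name__ == "__main__":
    for name, bundle in (("broken", BROKEN_BUNDLE), ("fixed", FIXED_BUNDLE)):
        count, problems = check_ca_bundle(bundle)
        print(f"{name}: {count} PEM block(s), problems={problems}")
```

To run the check against a real image, point it at the file reported by `python3 -c "import certifi; print(certifi.where())"` inside the container. A DER .cer can also be converted before the COPY step with `openssl x509 -inform DER -in cert.cer -out cert.pem`. Whether anchore-engine's registry client reads certifi's bundle or the OS trust store is not stated on this page; the Dockerfile in the report updates both, which is the safe choice.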

IndraWiradinataK commented 2 years ago

Closed, because it has already been solved.