microsoft / VSTS-Docker-Preview

Preview repo for Docker extension

docker-compose fails with ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) #14

Open colindembovsky opened 7 years ago

colindembovsky commented 7 years ago

I have created a release with several docker tasks. I have an endpoint to a docker host machine. I am able to run docker commands successfully (like docker run) against the docker host. However, the docker-compose up commands fail with ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661). (In the task I'm using the "Run Services" action).

I can repro this on my client machine by running docker-compose ps against the same host - I get the cert error. However, if I specify the tls settings explicitly like this:

docker-compose -H $dockerHost --tls --tlscacert ~/.docker/ca.pem --tlscert ~/.docker/cert.pem --tlskey ~/.docker/key.pem ps

then the command succeeds. Is there some issue with the environment variables that the task is using to run docker-compose up?

RoopeshNair commented 7 years ago

@colindembovsky, we will look into it. Meanwhile, can you please report this against https://github.com/Microsoft/VSTS-Docker for posterity purposes.

Also, can you please check out the suggestions on https://github.com/docker/compose/issues/3365

colindembovsky commented 7 years ago

Hi @RoopeshNair - not sure how that article is supposed to help. I created the docker host using the azure cli which generates the certs as part of the command - is there a problem with the certs or a problem with docker-compose or a problem with the vsts task?

RoopeshNair commented 7 years ago

@colindembovsky I suspect a certificate issue or python libraries pointing to homebrew openssl.

Here is one which has similar issues reported by multiple users: https://github.com/docker/compose/issues/890

colindembovsky commented 7 years ago

@RoopeshNair I'm using the microsoft/vsts-agent image to run the release (which in turn runs the docker and docker-compose commands). Is there some environment setting I can set on the docker-compose task that will make this work? I can't even get this command to work locally unless I pass the certs to docker-compose explicitly.

jitekuma commented 7 years ago

@colindembovsky You don't need to pass the --tls or --tlsverify option in the docker-config path, as the task already sets the DOCKER_TLS_VERIFY environment variable. I debugged docker-compose and the docker-py library and verified that if you pass either the --tls or --tlsverify flag, it tries to create the tslConfig object out of the options and not from the environment, and hence either the ca_cert object or verify is none in the TFSConfig file. You can use the task without using these flags. Check the variable getting set here: https://github.com/Microsoft/vsts-docker/blob/cdccda9323abe8e861d0891f03922d0e3f8fd8d1/src/tasks/dockerCompose/dockerComposeConnection.ts Let me know if you need more details.
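
A preflight check for the two ways of supplying TLS settings discussed in this thread, as an added example that is not part of the thread, the VSTS task or docker-compose. The function name `compose_tls_preflight` is hypothetical; it assumes the standard `DOCKER_HOST`, `DOCKER_TLS_VERIFY` and `DOCKER_CERT_PATH` variables with the `~/.docker` default directory, and it takes the flag behaviour from the last comment above rather than from the docker-compose source.

```shell
# Preflight for the TLS settings of a docker-compose call (added example).
# Usage: compose_tls_preflight <docker-compose args...>
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
compose_tls_preflight() {
    ctp_problems=0
    ctp_tls=0; ctp_ca=0; ctp_cert=0; ctp_key=0
    for ctp_arg in "$@"; do
        case "$ctp_arg" in
            --tls|--tlsverify)          ctp_tls=1 ;;
            --tlscacert|--tlscacert=*)  ctp_ca=1 ;;
            --tlscert|--tlscert=*)      ctp_cert=1 ;;
            --tlskey|--tlskey=*)        ctp_key=1 ;;
        esac
    done

    if [ "$ctp_tls" -eq 1 ]; then
        # As reported in the thread: with these flags the TLS config comes from
        # the command-line options, so all three files must be named there.
        if [ "$ctp_ca" -eq 0 ] || [ "$ctp_cert" -eq 0 ] || [ "$ctp_key" -eq 0 ]; then
            echo "--tls/--tlsverify given without --tlscacert, --tlscert and --tlskey"
            ctp_problems=1
        fi
        return "$ctp_problems"
    fi

    # No TLS flags: the settings come from the environment.
    if [ -z "${DOCKER_HOST:-}" ]; then
        echo "DOCKER_HOST is not set"; ctp_problems=1
    fi
    if [ -z "${DOCKER_TLS_VERIFY:-}" ]; then
        echo "DOCKER_TLS_VERIFY is not set"; ctp_problems=1
    fi
    ctp_dir="${DOCKER_CERT_PATH:-$HOME/.docker}"
    for ctp_file in ca.pem cert.pem key.pem; do
        if [ ! -s "$ctp_dir/$ctp_file" ]; then
            echo "missing or empty: $ctp_dir/$ctp_file"; ctp_problems=1
        fi
    done
    return "$ctp_problems"
}
```

Call it with the same arguments the release step would give docker-compose, for example `compose_tls_preflight up -d`, and fail the step when it returns non-zero.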