portainer / agent

The Portainer agent
https://www.portainer.io
zlib License

Portainer edge agent does not respect custom rootca used by portainer server. And EDGE_INSECURE_POLL does not ignore the cert issue #208

Open N0K0 opened 3 years ago

N0K0 commented 3 years ago

Hi! I got a weird issue with the edge agent.

What I can see:

2021/08/30 07:15:41 [ERROR] [internal,edge,stack] [message: an error occured during stack management] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]
2021/08/30 07:15:41 [ERROR] [internal,edge,poll] [message: an error occured during short poll] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]

What I expected:

That Portainer respects the cert bundle added to /usr/local/share/ca-certificates/, as per this SO post: https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from

Or that EDGE_INSECURE_POLL would make us ignore the cert.

Misc

Docker-compose file:

version: '3.6'

services:
  agent:
    image: portainer_agent:latest
    hostname: portainer_agent
    container_name: portainer_agent
    environment:
      EDGE: '1'
      EDGE_ID: ${EDGE_ID:?}
      EDGE_KEY: ${EDGE_KEY:?}
      CAP_HOST_MANAGEMENT: '1'
      EDGE_INSECURE_POLL: '1'
      LOG_LEVEL: 'debug'
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
      - /:/host
      - portainer_data:/data

    restart: always

volumes:
  portainer_data:

Dockerfile:

ARG image_tag
FROM portainer/agent:${image_tag:-alpine}

ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/

ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/

It did not work without the ENV settings either.

huib-portainer commented 3 years ago

Hi, that might actually be solved in one of our preview versions. Please give it a try by using the images portainerci/agent:kubernetes-edge-stacks and portainerci/portainer:pr5276 and let us know how it's working. Note that this is a development build and should not be used in a production environment.

N0K0 commented 3 years ago

Hey. Have tried swapping out the Portainer server as suggested. Fixed the ports that have changed++; I still get the same issue.

Running it with this command to test.

docker run -d -p 443:9443 -p 9433:9433 -p 9000:9443 -p 8000:8000 --name portainer_pr --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /etc/pki/tls/private/:/keys -v /etc/pki/tls/certs/:/certs -v portainer_data:/data portainerci/portainer:pr5276 --ssl --sslcert /certs/wild.crt --sslkey /keys/wild.key

The agent has also been swapped:

FROM portainerci/agent:kubernetes-edge-stacks

ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/

# Can't use curl++ since it's a scratch container
ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/

Any more logs I should provide, for example? :)