singularityhub / sregistry

server for storage and management of singularity images
https://singularityhub.github.io/sregistry
Mozilla Public License 2.0

sregistry:1.1.39 - uwsgi_1: minio.error.ResponseError: ResponseError: code: BadRequest, message: Bad Request, bucket_name: test #396

Closed ifelsefi closed 2 years ago

ifelsefi commented 2 years ago

Hi

uwsgi_1 cannot connect to minio though it's up:

[~/repos/sregistry]$ sudo docker-compose ps
        Name                       Command               State                                    Ports
----------------------------------------------------------------------------------------------------------------------------------------
sregistry_db_1          docker-entrypoint.sh postgres    Up       5432/tcp
sregistry_minio_1       /usr/bin/docker-entrypoint ...   Up       0.0.0.0:9000->9000/tcp,:::9000->9000/tcp
sregistry_nginx_1       nginx -g daemon off;             Up       0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
sregistry_redis_1       docker-entrypoint.sh redis ...   Up       6379/tcp
sregistry_scheduler_1   python /code/manage.py rqs ...   Exit 1
sregistry_uwsgi_1       /bin/sh -c /code/run_uwsgi.sh    Up       3031/tcp
sregistry_worker_1      python /code/manage.py rqw ...   Exit 1

Settings:

MINIO_EXTERNAL_SERVER = (
    "127.0.0.1:9000"  # minio server for Singularity to interact with
)
MINIO_BUCKET = "test"
MINIO_SSL = False  # use SSL for minio
MINIO_SIGNED_URL_EXPIRE_MINUTES = 5
MINIO_REGION = "us-east-1"
MINIO_MULTIPART_UPLOAD = True

Env:

MINIO_ACCESS_KEY=newminio
MINIO_SECRET_KEY=key
MINIO_ACCESS_KEY_OLD=minio
MINIO_SECRET_KEY_OLD=key
MINIO_BROWSER=off

Any idea why uwsgi can't connect to minio on the same local docker network?

I do see:

[~/repos/sregistry]$ curl https://127.0.0.1:9000
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate

Unsure why I would need a certificate to connect with a local docker image?

Any way to disable SSL verification?

Thank you!

vsoch commented 2 years ago

You can look at the logs of your images?

ifelsefi commented 2 years ago

Somehow minio was deployed with an SSL cert and it's listening on https. I thought this was only going to happen with nginx.

So I think the bad request was an attempt to do http to https. When I set:

MINIO_SERVER = "domain.example.com:9000"  # Internal to sregistry
MINIO_EXTERNAL_SERVER = (
    "domain.example.com:9000"  # minio server for Singularity to interact with
)
MINIO_BUCKET = "sregistry"
MINIO_SSL = True  # use SSL for minio
MINIO_SIGNED_URL_EXPIRE_MINUTES = 5
MINIO_REGION = "us-east-1"
MINIO_MULTIPART_UPLOAD = True

This does make curl work and I see there's no TLS chain issues:

[~/repos/sregistry]$ curl -v domain.example.com:9000

About to connect() to domain.example.com port 9000 (#0)
*   Trying 10.1.54.76...
* Connected to domain.example.com (10.1.54.76) port 9000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=domain.example.com,OU=foobar
*       start date: Mar 03 14:57:41 2022 GMT
*       expire date: Apr 04 14:57:41 2023 GMT
*       common name: domain.example.com,
*       issuer: CN=CAuthority
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: domain.example.com:9000
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Accept-Ranges: bytes
< Content-Length: 226
< Content-Security-Policy: block-all-mixed-content
< Content-Type: application/xml
< Server: MinIO
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Vary: Origin
< Vary: Accept-Encoding
< X-Amz-Request-Id: 16D8F14AFF6914A9
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
< Date: Thu, 03 Mar 2022 18:09:28 GMT
<
<?xml version="1.0" encoding="UTF-8"?>
* Connection #0 to host domain.example.com left intact

So minio does have the cert in place!

But logs show:

uwsgi_1      |   File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 786, in urlopen
uwsgi_1      |     method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
uwsgi_1      |   File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 592, in increment
uwsgi_1      |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
uwsgi_1      | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='domain.example.com', port=9000): Max retries exceeded with url: /sregistry/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
uwsgi_1      |
uwsgi_1      | 0 static files copied to '/var/www/static', 340 unmodified.

So I am unsure why uwsgi_1 can't verify the chain. I probably need to add /etc/ssl as a volume so it can read the CA bundle?

My docker-compose.yaml does not have that present:

uwsgi:
  restart: always

  # IMPORTANT: update the tag to coincide with release version
  image: quay.io/vanessa/sregistry:1.1.39
  env_file:
    - ./.minio-env
  volumes:
    - .:/code
    - ./static:/var/www/static
    - ./images:/var/www/images

So it can't verify the chain :)

vsoch commented 2 years ago

So first I'd recommend starting your first attempt without ssl anywhere and making sure that your updated credentials work, etc. Otherwise you might put yourself into a situation of debugging multiple layers at once. And once you are ready to turn on SSL, there are docs for how to do that - the short story is that there is a different set of deploy files in the https folder you need to use. https://singularityhub.github.io/sregistry/docs/install/https. But you cannot just use the docker-compose.yml in the root with https - it isn't intended for that, as you see.

ifelsefi commented 2 years ago

Yes, I copied the https specific docker-compose file. That's how nginx was able to start.

vsoch commented 2 years ago

And the nginx assets as well?

vsoch commented 2 years ago

So what I would do in your case is debug the error verbatim. Your uwsgi container is telling you that it cannot see domain.example.com so you probably should shell in to test that. With docker-compose the hostnames are typically container names so I would start by figuring out what the uwsgi container is seeing and go from there.
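A stdlib-only preflight check along the lines vsoch suggests, meant to be run inside the uwsgi container (the traceback shows it runs Python 3.6). This is an added example, not code from the thread or from the sregistry project; the endpoint, MINIO_SSL value and CA path are parameters, with defaults constructed from the values quoted in this thread. It separates the three failure modes seen above: talking plain HTTP to a TLS port (the 400 Bad Request in the title), a TLS endpoint whose issuing CA the container does not trust (CERTIFICATE_VERIFY_FAILED), and a hostname the container cannot reach at all.

```python
"""Preflight check for the MinIO endpoint sregistry's uwsgi container uses.
Run inside the container, e.g. docker-compose exec uwsgi python minio_preflight.py,
with the same MINIO_SERVER / MINIO_SSL values as in settings. Stdlib only."""
import http.client
import os
import socket
import ssl

# Defaults are constructed from this thread; real values come from sregistry settings/env.
MINIO_SERVER = os.environ.get("MINIO_SERVER", "domain.example.com:9000")
MINIO_SSL = os.environ.get("MINIO_SSL", "True") == "True"
CA_FILE = os.environ.get("SSL_CERT_FILE")  # e.g. a CA bundle mounted into the container

# Constructed sample exception mirroring the urllib3 error quoted in the thread.
SAMPLE_VERIFY_FAILED = ssl.SSLError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)")


def diagnose(status=None, exc=None):
    """Map the raw outcome of one request to a configuration diagnosis."""
    if exc is None:
        if status == 400:
            # Go's HTTP server (MinIO) answers 400 to a plaintext request on a TLS port.
            return "scheme-mismatch: MINIO_SSL=False but the server speaks TLS"
        return "ok"  # 403 from MinIO is expected here: credentials are checked later
    if isinstance(exc, ssl.SSLError) and "CERTIFICATE_VERIFY_FAILED" in str(exc):
        return "ca-missing: container does not trust the MinIO certificate issuer"
    if isinstance(exc, ssl.SSLError) and "WRONG_VERSION_NUMBER" in str(exc):
        return "scheme-mismatch: MINIO_SSL=True but the server speaks plain HTTP"
    if isinstance(exc, (socket.gaierror, socket.timeout, ConnectionRefusedError)):
        return "unreachable: hostname does not resolve or port closed from this container"
    return "unknown: %r" % (exc,)


def probe(server=MINIO_SERVER, use_ssl=MINIO_SSL, cafile=CA_FILE):
    """Issue one GET / against the endpoint and return the diagnosis string."""
    host, _, port = server.partition(":")
    port = int(port or (443 if use_ssl else 80))
    try:
        if use_ssl:
            ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
            conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", "/")
        return diagnose(status=conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:  # ssl.SSLError is an OSError
        return diagnose(exc=exc)


if __name__ == "__main__":
    print(probe())
```

A result of "ca-missing" is fixed by mounting the CA bundle into the container and pointing SSL_CERT_FILE at it, rather than by disabling verification.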

ifelsefi commented 2 years ago

All good now! I disabled TLS on minio but kept it working with nginx!

vsoch commented 2 years ago

Woohoo! That's what I like to hear! :partying_face: