Machine: docker-compose build -> kesalahan SSL: [SSL: CERTIFICATE_VERIFY_FAILED] verifikasi sertifikat gagal (_ssl.c: 581)

Setiap pemikiran dihargai, saya terjebak, dan tidak ingin menginstal ulang OS saya untuk membuat kerja docker-compose :)

Terima kasih telah melaporkan. Apakah Anda kebetulan menggunakan vm boot2docker dengan mesin?

Ini mungkin ikan haring merah, tetapi satu hal yang saya perhatikan adalah bahwa docker-machine + boot2docker tidak bergantung pada sertifikat yang dihasilkan default boot2docker . Sebaliknya, mesin tampaknya menghasilkan sendiri. Jika demikian, Subject dari cert.pem sama dengan Issuer (yaitu, sama dengan Subject dari ca.pem ) .

Karena bug dengan versi OpenSSL tertentu (terbaru), ini pada dasarnya adalah sama yang menyebabkan kesalahan serupa saat menggunakan alat buruh pelabuhan langsung dengan boot2docker (yaitu, _without_ docker-machine ; lihat juga boot2docker / boot2docker # 1029 dan SvenDowideit / generate_cert # 10). Perbaikan dirilis dengan boot2docker 1.8.0 ( @eaaaeae ). Namun, seperti yang saya sebutkan, perilaku (yang berpotensi) bermasalah tampaknya dipertahankan saat menggunakan mesin, karena penanganan sertifikat mesin itu sendiri.

Rekomendasi saya adalah menambal mesin untuk memastikan bahwa Subject dari cert.pem berbeda dari ca.pem dan kemudian @PavelPolyakov mengujinya di lingkungannya. Jika mesin yang ditambal membuat kesalahan hilang, saya pikir Anda sudah memperbaikinya. Jika tidak, maka itu adalah hal lain yang berada di luar pemahaman saya tentang masalah tersebut.

Saya akan mengirimkan PR, tetapi saya belum (belum) sangat ahli dengan Go, saya juga tidak terbiasa dengan cara mesin menangani pembuatan / instalasi sertifikat dengan boot2docker. Sayangnya jadwal saya saat ini tidak memungkinkan saya untuk mendedikasikan waktu yang diperlukan untuk mempercepat. Sebagai gantinya, semoga ringkasan ini bermanfaat.

@tokopedia
Maaf, saya belum mengerti pertanyaannya.

Beginilah cara mesin itu dibuat:

docker-machine create --driver virtualbox my-docker-machine

Gambar terbaru diunduh dari internet.

@posita
Terima kasih atas bantuannya, siap menguji apa pun yang dapat membawa kesuksesan.

@tokopedia
Hai teman-teman, bisakah Anda memberi tahu saya jika saya bisa membantu? Dan bagaimana kita membuatnya bekerja?

Salam,

@tokopedia

Mencoba itu:

Sepertinya hasilnya sama.

Ada pemikiran lain?

@PavelPolyakov Maaf, saya salah…
Saya mencari solusi ...

@Pavelololselesai . Itulah yang dilakukan:

1. Menghapus semua mesin
2. Jalankan docker-machine regenerate-certs
3. Menambahkan

export DOCKER_HOST=tcp://192.168.99.100:2376
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs
export DOCKER_TLS_VERIFY=1

Kesalahan itu hilang.

@rkit
Terima kasih atas solusinya.

Mencoba menerapkannya.

Namun, beberapa pertanyaan:

1. Ketika saya telah melepaskan mesin, saya rasa saya tidak dapat membuat sertifikat ulang.

[~/tmp/microservices-workshop/msworkshop/step4]$ docker-machine rm default
Successfully removed default
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-machine regenerate-certs                   *[master]
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Error: Expected to get one or more machine names as arguments.

1. Bukankah IP ini harus dinamis, dan hanya tersedia setelah mesin buruh pelabuhan dibuat?

export DOCKER_HOST=tcp://192.168.99.100:2376
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs
export DOCKER_TLS_VERIFY=1

1. Ya, Anda perlu membuat mesin
2. Dinamis, ya. Untuk mengubah env, Anda perlu mengeksekusi: eval "$(docker-machine env dev)" , tetapi env default dari profil bash, dan saya menambahkan baris ini di konfigurasi:

export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs

Setelah itu tidak ada kesalahan.

Apakah saya menafsirkan dengan benar, bahwa meminta regenerate-certs adalah solusi yang menegaskan spekulasi saya docker-machine memiliki masalah saudara dengan boot2docker / boot2docker # 808 (lihat juga docker / docker-py # 465, docker / compose # 890) yang tidak diselesaikan dengan boot2docker / boot2docker # 1029 karena docker-machine mengabaikan sertifikat default boot2docker dan membuatnya sendiri? Apakah itu ringkasan yang akurat?

@rkit
Maaf, saya masih memiliki hal yang sama :(

Apa yang saya lakukan:

1. docker-machine rm default
2. docker-machine create --driver virtualbox default
3. docker-machine regenerate-certs default
4. eval "$(docker-machine env default)" export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs

Apakah saya melewatkan sesuatu? Ada pemikiran bagaimana saya bisa mengatasinya?
Dapatkah saya memberikan debug tambahan?

@PavelPolyakov , setelah melakukan regenerate-certs dan eval , dapatkah Anda melakukan:

for i in ca cert ; do c="${DOCKER_CERT_PATH}/${i}.pem" ; ( set -x ; openssl x509 -in "${c}" -text | grep -E '^ +(Issuer|Subject): ' ) ; done

@posita
Terima kasih, inilah kami:

Oke, jadi regenerate-certs sebenarnya tidak mengatasi masalah (potensial) di mana ca.pem Subject == cert.pem Subject. : kecewa: Dengan kata lain:

+-zsh:xxx> openssl x509 -in /.../.docker/machine/certs/ca.pem -text
+-zsh:xxx> grep ... -E '^ +Subject: '
        Subject: O=[thing]    # <<<-- THIS SHOULD *NOT*
+-zsh:xxx> openssl x509 -in /.../.docker/machine/certs/cert.pem -text
+-zsh:xxx> grep ... -E '^ +Subject: '
        Subject: O=[thing]    # <<<-- EQUAL THIS

Jika ya, dan Anda memiliki versi OpenSSL yang "salah" (yaitu, versi apa pun yang menunjukkan bug ini ), Anda akan menerima kesalahan [SSL: CERTIFICATE_VERIFY_FAILED] .

Saya menduga inilah mengapa Anda masih mengalami masalah, dan mengapa saran @rkit tidak berhasil.

Hai teman-teman, @rkit , @ehazlett , ada pemikiran bagaimana saya bisa mengatasinya?

@PavelPolyakov , untuk cekikikan, dapatkah Anda mencoba ini (ganti [machine-name] dengan nama mesin Anda yang sebenarnya)?

% eval $( docker-machine env [machine-name] )
% docker-machine ssh [machine-name]
...
Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
docker<strong i="8">@boot2docker</strong>:~$ rm -fv ~docker/.docker/* # get rid of copies of certificates we're about to destroy
removed '/home/docker/.docker/ca.pem'
removed '/home/docker/.docker/cert.pem'
removed '/home/docker/.docker/key.pem'
docker<strong i="9">@boot2docker</strong>:~$ sudo -s 
root<strong i="10">@boot2docker</strong>:/home/docker# cat /var/lib/boot2docker/profile # so I can see what is being overridden
...
root<strong i="11">@boot2docker</strong>:/home/docker# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/* # remove any existing certificates
...
root<strong i="12">@boot2docker</strong>:/home/docker# /usr/local/etc/init.d/docker restart
... # should regenerate default certificates
root<strong i="13">@boot2docker</strong>:/home/docker# exit
docker<strong i="14">@boot2docker</strong>:~$ exit
% rm -v "${DOCKER_CERT_PATH}"/*.pem # remove host-side (stale) certificates
...
% docker-machine scp [machine-name]:/home/docker/.docker/\*.pem "${DOCKER_CERT_PATH}" # copy newly-created certificates from machine to host
...
% docker ps
...
% docker-compose ps
...
% openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
...

Pada dasarnya, kami mencoba menghindari docker-machine membuat sertifikat, dan sebaliknya mengandalkan mekanisme default boot2docker . Dengan masuk ke instance boot2docker , menghapus sertifikat, lalu memulai ulang docker , kami memicu proses itu. Kemudian kami mengganti sertifikat sisi host dengan yang baru saja kami dapatkan boot2docker untuk dibuat (ulang).

@posita

Tidak dapat membuat ulang sertifikat

Pertama:

Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
docker<strong i="9">@default</strong>:~$ rm -fv ~docker/.docker/*
removed '/home/docker/.docker/ca.pem'
removed '/home/docker/.docker/cert.pem'
removed '/home/docker/.docker/key.pem'
docker<strong i="10">@default</strong>:~$ sudo -s
root<strong i="11">@default</strong>:/home/docker# cat /var/lib/boot2docker/profile

EXTRA_ARGS='
--label provider=virtualbox

'
CACERT=/var/lib/boot2docker/ca.pem
DOCKER_HOST='-H tcp://0.0.0.0:2376'
DOCKER_STORAGE=aufs
DOCKER_TLS=auto
SERVERKEY=/var/lib/boot2docker/server-key.pem
SERVERCERT=/var/lib/boot2docker/server.pem


root<strong i="12">@default</strong>:/home/docker# rm -fv /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/tls/ca.pem'
removed '/var/lib/boot2docker/tls/cakey.pem'
removed '/var/lib/boot2docker/tls/cert.pem'
removed '/var/lib/boot2docker/tls/hostnames'
removed '/var/lib/boot2docker/tls/key.pem'
removed '/var/lib/boot2docker/tls/server.pem'
removed '/var/lib/boot2docker/tls/serverkey.pem'

Kemudian:

root<strong i="16">@default</strong>:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 18:06:48 Preventing overwrite: the following files already exist: "/var/lib/boot2docker/ca.pem". To overwrite files, add `--overwrite`.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 18:06:48 Generating a server cert
2015/09/25 18:06:48 Failure to generate cert: open /var/lib/boot2docker/tls/cakey.pem: no such file or directory
Generating client cert
2015/09/25 18:06:48 no --host parameters, making a client cert
2015/09/25 18:06:48 Failure to generate cert: open /var/lib/boot2docker/tls/cakey.pem: no such file or directory
cp: can't stat '/var/lib/boot2docker/tls/cert.pem': No such file or directory
cp: can't stat '/var/lib/boot2docker/tls/key.pem': No such file or directory

Ah baiklah. Saya takut akan hal itu ( /var/lib/boot2docker/profile menimpa beberapa lokasi default). Coba hal yang sama, tetapi alih-alih:

root<strong i="7">@default</strong>:/home/docker# rm -fv /var/lib/boot2docker/tls/*

Melakukan:

root<strong i="11">@default</strong>:/home/docker# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*

@posita

rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/ca.pem'
removed '/var/lib/boot2docker/tls/hostnames'
root<strong i="7">@default</strong>:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 18:18:14 Generating a new certificate authority.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls//hostnames': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 18:18:15 Generating a server cert
Generating client cert
2015/09/25 18:18:15 no --host parameters, making a client cert
root<strong i="8">@default</strong>:~# ls /var/lib/boot2docker/tls/
cakey.pem  cert.pem   hostnames  key.pem

(keluar; keluar)

tapi kemudian:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker ps           *[master]
An error occurred trying to connect: Get https://192.168.99.104:2376/v1.20/containers/json: x509: certificate signed by unknown authority
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose ps   *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

perintah terakhir:

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem"
CONNECTED(00000003)
depth=0 O = default
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = default
verify error:num=21:unable to verify the first certificate
verify return:1
140735289209680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1472:SSL alert number 42
140735289209680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov
-----BEGIN CERTIFICATE-----
MIIDADCCAeqgAwIBAgIQR4h88WLsll8AkYK6MIeEMTALBgkqhkiG9w0BAQswGDEW
MBQGA1UEChMNUGF2ZWxQb2x5YWtvdjAeFw0xNTA5MjMxNjMwMDBaFw0xODA5MDcx
NjMwMDBaMBIxEDAOBgNVBAoTB2RlZmF1bHQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7MYqKigy4aJCPiaCQrOKypICUYbIvLYtHKCYG7d9d274MuYWf
dH7mMKTTu8M3GOrAzUj+tvHDAHIZgV0nDMz5qwEkYI2JD7N7hcHQ91JUPJVVpV3e
v2v4hzFra8KB/9h4grjTwAnMLLJNNcWUwu8JPvy3xRmBjpl8UIVY1+VLYwiLodfS
7bWBdqYy2E0sxoJjgtNVPWgxkOloApOrQhq0t/HcyXv0mA3hVPG+9J1r5Mxqs0nY
/qIMKGpywhTGqsWfDnBe22Bf2tFHagDN0frLRrIrF8HT8Xggwawz9pN4RpRWUrI0
lAsgxznXZR1xnvffbxmdy2P94BX1UHqzVy/dAgMBAAGjUDBOMA4GA1UdDwEB/wQE
AwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
ADAPBgNVHREECDAGhwTAqGNoMAsGCSqGSIb3DQEBCwOCAQEAYoGQ5x3wXGVxZey9
dcxyVnBkYSZiInVIeI+bdsKtxKUv7HoXRW1iLyKSeNq8BGQzpfaEPkDtfblcEctz
U0Oj7jS4MlrdzGK1A75Bl8Bo1VDpu146M8cp/Wa09tjmrJktMrVOVZVQteDCPmZo
RIgaHWH0gRJPOy2SCTvLhmyZTK0bO2YKpgvjf2f7NMw6GBJi1hgcZuw3wDjVutjS
2hOWh2HeVyguu1na+YTpZ0csH+MSrKt79ulBpZ3SlYiG5pDFJ5Bjf74OpL0KW30Z
sBA51T1y3Xfyohb27XT28mJLa5Q1cH1PTnComd4K9AlVy7zY0u/MlDN8kaZb0ggX
pqpv2Q==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=default
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1247 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: C628B5966CBC7A394199AF9D0ECA66BF01744B865D7595D3F3080158A9C9AEDA72B53714D24FCFF11F542F38CBB5CC50
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1443205317
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Apakah Anda melakukan ini setelah keluar dari docker-machine ssh [machine-name] tetapi sebelum melakukan docker ps ?

% rm -v "${DOCKER_CERT_PATH}"/*.pem
...
% docker-machine scp [machine-name]:/home/docker/.docker/\*.pem "${DOCKER_CERT_PATH}"
...

Perlu diingat, Anda masih perlu mengganti sertifikat sisi host dengan yang baru saja Anda dapatkan boot2docker untuk dibuat (ulang) sebelum menjalankan perintah docker atau docker-compose pada host . Jika tidak, Anda akan mendapatkan ketidakcocokan sertifikat seperti yang Anda alami.

Ngomong-ngomong, Anda mungkin perlu memulai dari awal langkah yang saya uraikan di https://github.com/docker/machine/issues/1880#issuecomment -143227151 saya. Saya telah memperbarui komentar itu untuk mencerminkan perubahan di https://github.com/docker/machine/issues/1880#issuecomment -143312225 saya.

Di $ DOCKER_CERT_PATH saya, saya memiliki sertifikat baru (sepertinya begitu) yang terletak:

[~/.docker/machine/certs]$ ls
ca.pem   cert.pem key.pem

Namun, docker ps mengatakan:

[~/.docker/machine/certs]$ docker ps
An error occurred trying to connect: Get https://192.168.99.104:2376/v1.20/containers/json: x509: certificate signed by unknown authority

Saya berasumsi bahwa tangkapan layar Anda hanya untuk menampilkan detail cert.pem , bukan berarti Anda telah menambahkan salah satu dari file *.pem ke salah satu gantungan kunci OS X Anda, benar?

Ada ketidakcocokan di suatu tempat. Apa yang diberikan ini sekarang?

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem"

Jika Anda tidak mendapatkan keluaran yang terlihat seperti berikut, Anda mungkin perlu memulai kembali dari awal dengan langkah-langkah di https://github.com/docker/machine/issues/1880#issuecomment -143227151 saya.

...
---
Certificate chain
 0 s:/O=Boot2Docker
   i:/O=Boot2DockerCA
...
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2DockerCA
---
Acceptable client certificate CA names
/O=Boot2DockerCA
...

Ya, ini hanya info, saya belum menambahkannya ke gantungan kunci. Tapi mereka ada di DOCKER_CERT_PATH saya.

Namun, saya masih memiliki:

Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov

dan lain-lain, akan mencoba memulai lagi, terima kasih atas bantuannya!

Saya mengalami masalah yang sama. Saya telah mengikuti langkah-langkah yang tercantum di atas dan memiliki sertifikat bertanda tangan berikut:

+ openssl x509 -in /Users/cschmid/.docker/machine/certs/ca.pem -text
+ grep -E '^ +(Issuer|Subject): '
        Issuer: O=Boot2DockerCA
        Subject: O=Boot2DockerCA
+ openssl x509 -in /Users/cschmid/.docker/machine/certs/cert.pem -text
+ grep -E '^ +(Issuer|Subject): '
        Issuer: O=Boot2DockerCA
        Subject: O=Boot2Docker

Tetapi ketika saya mencoba menjalankan docker-compose, saya terus mendapatkan error

Chriss-MacBook-Pro:docker cschmid$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
Chriss-MacBook-Pro:docker cschmid$ docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Saya menjalankan docker-compose 1.4.2, docker 1.8.2 dan telah menginstal openssl v1.0.1j_1.

@cischmidt , apa yang diberikan ini (di env yang sama)?

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null

Respons kesalahan, tetapi mungkin karena saya harus terhubung ke docker melalui localhost karena klien Cisco VPN saya:

Chriss-MacBook-Pro:docker cschmid$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null
CONNECTED(00000003)
50891:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:

Variabel lingkungan buruh pelabuhan saya adalah:

DOCKER_HOST=tcp://127.0.0.1:2376
DOCKER_MACHINE_NAME=default
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/Users/cschmid/.docker/machine/certs

@cischmidt , Anda menggunakan OS X, benar? Saya tidak mengerti setelan DOCKER_HOST . :bingung:

Saya menggunakan Mac OS X. Saya melakukan port-forward dari VM virtualbox saya ke localhost: 2376 untuk mengatasi masalah perutean yang diperkenalkan VPN setiap kali saya menyambungkannya. Perintah terkait Docker bekerja dengan baik menggunakan konfigurasi ini, dan saya ingat menggunakan docker-compose beberapa bulan yang lalu tanpa masalah (hari ini adalah hari pertama untuk beberapa waktu saya mulai menggunakan docker-compose lagi).

@cischmidt , hanya untuk mengonfirmasi, localhost:2376 menunjuk ke VM docker-machine berjalan di mesin lokal Anda? Apakah Anda docker-machine VM boot2docker (misalnya, berjalan di VirtualBox)?

@PavelPolyakov dan @cischmidt , dapatkah Anda melakukan hal berikut setelah menjalankan langkah-langkah di atas di https://github.com/docker/machine/issues/1880#issuecomment -143227151 saya? Tidak perlu menjalankan langkah-langkah itu lagi jika Anda masih berada di lingkungan yang sama dan mesin masih menyala.

% docker-machine ssh [machine-name]
docker<strong i="15">@boot2docker</strong>:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://127.0.0.1:2376
docker<strong i="16">@boot2docker</strong>:~$ docker ps
...
docker<strong i="17">@boot2docker</strong>:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null
...
docker<strong i="18">@boot2docker</strong>:~$ exit

@ehazlett , apakah docker-machine melakukan semacam proxy SSL atau sihir terowongan dengan boot2docker ?

@cischmidt , hanya untuk mengonfirmasi, localhost: 2376 menunjuk ke VM mesin galangan Anda yang berjalan di mesin lokal Anda? Apakah VM boot2docker mesin galangan Anda (misalnya, berjalan di VirtualBox)?

Ya itu benar. Saya menjalankan docker-machine terhadap VM boot2docker dalam VirtualBox. Ini juga merupakan VM yang dikonversi yang dibuat oleh versi Mac lama dari boot2docker untuk saya.

Chriss-MacBook-Pro:docker cschmid$ docker-machine ssh default
...
Boot2Docker version 1.8.1, build master : 7f12e95 - Thu Aug 13 03:24:56 UTC 2015
Docker version 1.8.1, build d12ea79
docker<strong i="10">@default</strong>:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://127.0.0.1:2376
docker<strong i="11">@default</strong>:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
docker<strong i="12">@default</strong>:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null 
CONNECTED(00000003)
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
139887085803152:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1197:SSL alert number 42
139887085803152:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/O=Boot2Docker
   i:/O=Boot2DockerCA
-----BEGIN CERTIFICATE-----
MIIC9TCCAd+gAwIBAgIRAKmIA6DlGQTnpVHJLetbUvAwCwYJKoZIhvcNAQELMBgx
FjAUBgNVBAoTDUJvb3QyRG9ja2VyQ0EwHhcNMTUwOTI1MDM1NDEyWhcNMTYwOTI0
MDM1NDEyWjAWMRQwEgYDVQQKEwtCb290MkRvY2tlcjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMZBiSJRdlzGCozwZAswmKl14ZvMoP7AnK7E5+mba3Xi
NRNjaIBP7YN7s2N121chvoKO0NmMM+h5AyCH6OU7R2HXOLNmZZu5O7bzQ7/sishm
NIdi625zw/alaHieikx2YSK4e6ZXuj+ws/CcoNpTHatSZnEl6uUCZHMkNJWmGYMQ
tWqyRFkm84N7yTtTzNgIaWC530TKDvGRoTl3y/VPG8DnHeMSHKc4xTKeoVTvjaDM
jDXr83/sFfmodfoavAQKVpXoWb+ZcjA1Ma/u96AMW9g0vbnxFfzTr1BwhGxGVwzY
eqiIKhz7YDdq4INJbPsRQ/q8TR86Tp5qPaRQLQLMdVMCAwEAAaNAMD4wDgYDVR0P
AQH/BAQDAgCgMAwGA1UdEwEB/wQCMAAwHgYDVR0RBBcwFYIHZGVmYXVsdIcEfwAA
AYcECgACDzALBgkqhkiG9w0BAQsDggEBAHRHV0jFr1duyxIE7O4rM++0yO6O+o/P
b6cs+mqp8dvURCOZBC8usNWJGX+t7k3qMiri0qsE2fBJ9WaIRjGdUNjOrMU4ds9d
Bk+BYkTZ1syoE+NoMXmE6fB+aPpqUH2HG5gKS1o8uHyTqXYrkb8mk8AtTomEEwPX
aTyCbR4uQaEDngwsFp/HDJA2LgkWcPyVW+pe2p2n75mHzyYooePp/KTHKMNzmpa3
nt9W4O7XKHn1gGHLTH3LLJBqGlBviNNPT72eE1K44H1ptUO0T/gRZuWvWme3/1dv
rOWT5HqmxSbhj3RG5reWRYp+shO14JH2VM5Ena/xMVZzkudLrl18pGw=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2DockerCA
---
Acceptable client certificate CA names
/O=Boot2DockerCA
---
SSL handshake has read 1228 bytes and written 146 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 30F5D5CD8276F7BAADE68E164251359B9D7D8531BA9FF288D2BAF998AF651B161C094D17A2BF9657B03B30278A7FF07F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1443159065
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

@cischmidt , boot2docker memiliki sertifikat yang benar (yaitu, sertifikat yang dihasilkan oleh proses default di boot2docker , dan _not _ yang dihasilkan oleh docker-machine ). Dengan asumsi itu cocok dengan sertifikat Anda di host Anda (Anda dapat memeriksanya dengan openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text dan openssl x509 -in "${DOCKER_CERT_PATH}/ca.pem" -text ), maka ada hal lain yang terjadi, mungkin dengan perutean VPN Anda atau sesuatu. Anda juga mendapatkan kesalahan yang berbeda dari @PavelPolyakov yang membuat saya percaya bahwa masalah Anda adalah masalah yang berbeda dari yang dijelaskan di sini.

@posita

Untuk beberapa alasan, aliran yang dijelaskan oleh Anda, tidak mengarahkan saya ke sertifikat yang benar:

Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
docker<strong i="8">@default</strong>:~$ rm -fv ~docker/.docker/*
removed '/home/docker/.docker/ca.pem'
removed '/home/docker/.docker/cert.pem'
removed '/home/docker/.docker/key.pem'
docker<strong i="9">@default</strong>:~$ sudo -i
Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
root<strong i="10">@default</strong>:~# cat /var/lib/boot2docker/profile

EXTRA_ARGS='
--label provider=virtualbox

'
CACERT=/var/lib/boot2docker/ca.pem
DOCKER_HOST='-H tcp://0.0.0.0:2376'
DOCKER_STORAGE=aufs
DOCKER_TLS=auto
SERVERKEY=/var/lib/boot2docker/server-key.pem
SERVERCERT=/var/lib/boot2docker/server.pem


root<strong i="11">@default</strong>:~# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/ca.pem'
removed '/var/lib/boot2docker/server-key.pem'
removed '/var/lib/boot2docker/server.pem'
removed '/var/lib/boot2docker/tls/cakey.pem'
removed '/var/lib/boot2docker/tls/cert.pem'
removed '/var/lib/boot2docker/tls/hostnames'
removed '/var/lib/boot2docker/tls/key.pem'
root<strong i="12">@default</strong>:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 20:27:04 Generating a new certificate authority.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls//hostnames': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 20:27:04 Generating a server cert
Generating client cert
2015/09/25 20:27:06 no --host parameters, making a client cert
root<strong i="13">@default</strong>:~# exit
docker<strong i="14">@default</strong>:~$ exit
[~]$ rm -v "${DOCKER_CERT_PATH}"/*.pem
/Users/PavelPolyakov/.docker/machine/certs/ca.pem
/Users/PavelPolyakov/.docker/machine/certs/cert.pem
/Users/PavelPolyakov/.docker/machine/certs/key.pem
[~]$ docker-machine scp default:/home/docker/.docker/\*.pem "${DOCKER_CERT_PATH}"
ca.pem                                        100% 1050     1.0KB/s   00:00
cert.pem                                      100% 1070     1.0KB/s   00:00
key.pem                                       100% 1679     1.6KB/s   00:00
[~]$ docker ps
An error occurred trying to connect: Get https://192.168.99.104:2376/v1.20/containers/json: x509: certificate signed by unknown authority

info tertentu:

[~]$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
CONNECTED(00000003)
depth=0 O = default
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = default
verify error:num=21:unable to verify the first certificate
verify return:1
140735289209680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1472:SSL alert number 42
140735289209680:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov
-----BEGIN CERTIFICATE-----
MIIDADCCAeqgAwIBAgIQR4h88WLsll8AkYK6MIeEMTALBgkqhkiG9w0BAQswGDEW
MBQGA1UEChMNUGF2ZWxQb2x5YWtvdjAeFw0xNTA5MjMxNjMwMDBaFw0xODA5MDcx
NjMwMDBaMBIxEDAOBgNVBAoTB2RlZmF1bHQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7MYqKigy4aJCPiaCQrOKypICUYbIvLYtHKCYG7d9d274MuYWf
dH7mMKTTu8M3GOrAzUj+tvHDAHIZgV0nDMz5qwEkYI2JD7N7hcHQ91JUPJVVpV3e
v2v4hzFra8KB/9h4grjTwAnMLLJNNcWUwu8JPvy3xRmBjpl8UIVY1+VLYwiLodfS
7bWBdqYy2E0sxoJjgtNVPWgxkOloApOrQhq0t/HcyXv0mA3hVPG+9J1r5Mxqs0nY
/qIMKGpywhTGqsWfDnBe22Bf2tFHagDN0frLRrIrF8HT8Xggwawz9pN4RpRWUrI0
lAsgxznXZR1xnvffbxmdy2P94BX1UHqzVy/dAgMBAAGjUDBOMA4GA1UdDwEB/wQE
AwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
ADAPBgNVHREECDAGhwTAqGNoMAsGCSqGSIb3DQEBCwOCAQEAYoGQ5x3wXGVxZey9
dcxyVnBkYSZiInVIeI+bdsKtxKUv7HoXRW1iLyKSeNq8BGQzpfaEPkDtfblcEctz
U0Oj7jS4MlrdzGK1A75Bl8Bo1VDpu146M8cp/Wa09tjmrJktMrVOVZVQteDCPmZo
RIgaHWH0gRJPOy2SCTvLhmyZTK0bO2YKpgvjf2f7NMw6GBJi1hgcZuw3wDjVutjS
2hOWh2HeVyguu1na+YTpZ0csH+MSrKt79ulBpZ3SlYiG5pDFJ5Bjf74OpL0KW30Z
sBA51T1y3Xfyohb27XT28mJLa5Q1cH1PTnComd4K9AlVy7zY0u/MlDN8kaZb0ggX
pqpv2Q==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=default
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1239 bytes and written 1903 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 33C6C897C3CAFCE41E0BC24728616B2C26DD94D50F25D5D5A730BBE84A72E72355A9C05E41AD60524462FB27FE34FF00
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1443212895
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Jalur sudah benar:

[~]$ echo $DOCKER_CERT_PATH
/Users/PavelPolyakov/.docker/machine/certs

@PavelPolyakov , apa yang Anda dapatkan saat melakukan langkah-langkah dari https://github.com/docker/machine/issues/1880#issuecomment -143338960 saya (yaitu, memeriksa sertifikat di sisi boot2docker )?

@posita
Maaf, saya melewatkannya, saya pikir Anda merujuk ke komentar lain.

Ini topi yang saya dapat:

docker<strong i="8">@default</strong>:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1
DOCKER_HOST=tcp://127.0.0.1:2376
docker<strong i="9">@default</strong>:~$ docker ps
An error occurred trying to connect: Get https://127.0.0.1:2376/v1.20/containers/json: x509: certificate is valid for 192.168.99.104, not 127.0.0.1
docker<strong i="10">@default</strong>:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}"
 -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key
> .pem" </dev/null
Error opening client certificate private key file /home/docker/.docker/key
.pem
140684102092432:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('/home/docker/.docker/key
.pem','r')
140684102092432:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:
unable to load client certificate private key file

Terima kasih @posita , adakah cara untuk mendapatkan informasi tambahan tentang titik di mana kesalahan 'Kesalahan SSL: [SSL: CERTIFICATE_VERIFY_FAILED] verifikasi sertifikat gagal (_ssl.c: 581)' terjadi dalam proses ketika saya memanggil pembuat galat-galangan? Saya senang membuka tiket baru untuk menjelajahi apa yang terjadi di mesin saya, tetapi saya tidak tahu informasi tambahan apa yang dapat saya berikan untuk membedakan apa yang terjadi pada saya vs orang lain.

@PavelPolyakov , periksa perintah Anda dan baca output kesalahan Anda dengan lebih cermat. Sepertinya ada kesalahan salin / tempel.

@posita
Anda benar lagi, maaf saya tidak cukup berhati-hati, ini lognya:

docker<strong i="7">@default</strong>:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}"
 -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/
null
CONNECTED(00000003)
depth=0 O = default
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = default
verify error:num=21:unable to verify the first certificate
verify return:1
139747887232656:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1472:SSL alert number 42
139747887232656:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov
-----BEGIN CERTIFICATE-----
MIIDADCCAeqgAwIBAgIQR4h88WLsll8AkYK6MIeEMTALBgkqhkiG9w0BAQswGDEW
MBQGA1UEChMNUGF2ZWxQb2x5YWtvdjAeFw0xNTA5MjMxNjMwMDBaFw0xODA5MDcx
NjMwMDBaMBIxEDAOBgNVBAoTB2RlZmF1bHQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC7MYqKigy4aJCPiaCQrOKypICUYbIvLYtHKCYG7d9d274MuYWf
dH7mMKTTu8M3GOrAzUj+tvHDAHIZgV0nDMz5qwEkYI2JD7N7hcHQ91JUPJVVpV3e
v2v4hzFra8KB/9h4grjTwAnMLLJNNcWUwu8JPvy3xRmBjpl8UIVY1+VLYwiLodfS
7bWBdqYy2E0sxoJjgtNVPWgxkOloApOrQhq0t/HcyXv0mA3hVPG+9J1r5Mxqs0nY
/qIMKGpywhTGqsWfDnBe22Bf2tFHagDN0frLRrIrF8HT8Xggwawz9pN4RpRWUrI0
lAsgxznXZR1xnvffbxmdy2P94BX1UHqzVy/dAgMBAAGjUDBOMA4GA1UdDwEB/wQE
AwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
ADAPBgNVHREECDAGhwTAqGNoMAsGCSqGSIb3DQEBCwOCAQEAYoGQ5x3wXGVxZey9
dcxyVnBkYSZiInVIeI+bdsKtxKUv7HoXRW1iLyKSeNq8BGQzpfaEPkDtfblcEctz
U0Oj7jS4MlrdzGK1A75Bl8Bo1VDpu146M8cp/Wa09tjmrJktMrVOVZVQteDCPmZo
RIgaHWH0gRJPOy2SCTvLhmyZTK0bO2YKpgvjf2f7NMw6GBJi1hgcZuw3wDjVutjS
2hOWh2HeVyguu1na+YTpZ0csH+MSrKt79ulBpZ3SlYiG5pDFJ5Bjf74OpL0KW30Z
sBA51T1y3Xfyohb27XT28mJLa5Q1cH1PTnComd4K9AlVy7zY0u/MlDN8kaZb0ggX
pqpv2Q==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=default
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1247 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: 3C14268CC4FE8700076CAFC6E11AD067C1B691F18B7CD339898E785EBF922DBE787EF82557D13CA82AEEEF29363D4F4F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1443214121
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

@cischmidt , untuk

( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null )

Ini diperkirakan akan error (Anda belum memberikan argumen -cert ), tetapi Anda akan melihat sesuatu seperti ini di akhir output:

SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: ...
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Itu berarti klien Anda telah memverifikasi bahwa sertifikat server baik. Jika Anda ingin memeriksa apakah sertifikat Anda benar-benar berfungsi, cukup melakukan docker ps cukup. Sebagai alternatif, Anda dapat melakukan:

( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null )

Dan Anda akan melihat hex dump dari koneksi, tetapi saya menemukan docker ps lebih mudah dilihat. : lelah_muka:

@PavelPolyakov , lihat subjek dan penerbit sertifikat tersebut. Mereka _not _ certs yang dihasilkan oleh boot2docker . Saya menduga entah bagaimana docker-machine menimpa mereka. Apakah Anda memulai ulang mesin Anda kapan saja?

@ehazlett , pada titik manakah docker-machine campur tangan dan (kembali) membuat sertifikat pada boot2docker ?

Tidak, saya belum, saya melihat bahwa subjeknya bukanlah yang kita cari, tetapi ...

Jika saya memahami Anda dengan benar, maka, saat kami:

1. menghapus sertifikat yang ada di mesin buruh pelabuhan
2. restart buruh pelabuhan di sana
   ...
3. kita harus menerima sertifikat yang benar yang dihasilkan oleh boot2docker

Tetapi bahkan setelah dua perintah itu:

root<strong i="13">@default</strong>:~# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/ca.pem'
removed '/var/lib/boot2docker/server-key.pem'
removed '/var/lib/boot2docker/server.pem'
removed '/var/lib/boot2docker/tls/cakey.pem'
removed '/var/lib/boot2docker/tls/cert.pem'
removed '/var/lib/boot2docker/tls/hostnames'
removed '/var/lib/boot2docker/tls/key.pem'
root<strong i="14">@default</strong>:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 20:58:36 Generating a new certificate authority.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls//hostnames': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 20:58:37 Generating a server cert
Generating client cert
2015/09/25 20:58:39 no --host parameters, making a client cert

Sertifikat tidak benar:

docker<strong i="18">@default</strong>:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}"
 -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/
null
...
Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov
...

Namun, sertifikat yang sebenarnya adalah yang baru dan baru, baru saja dibuat:

docker<strong i="22">@default</strong>:~/.docker$ ls -al
total 12
drwx------    2 docker   staff          100 Sep 25 20:58 ./
drwxr-sr-x    5 docker   staff          180 Sep 25 18:03 ../
-rw-r--r--    1 docker   staff         1050 Sep 25 20:58 ca.pem
-rw-r--r--    1 docker   staff         1070 Sep 25 20:58 cert.pem
-rw-------    1 docker   staff         1675 Sep 25 20:58 key.pem
docker<strong i="23">@default</strong>:~/.docker$ date
Fri Sep 25 21:02:23 UTC 2015
docker<strong i="24">@default</strong>:~/.docker$

@PavelPolyakov , Anda mengerti. Saya _ berharap_ kami dapat (dengan tangan) mengganti apa yang saya curigai adalah sertifikat yang dibuat docker-machine dengan sertifikat yang dibuat boot2docker . Jika _worked_ itu (yaitu, memecahkan kesalahan sertifikat Anda), itu akan memvalidasi teori saya tentang masalah docker-machine subjek / penerbit.

Sayangnya, tampaknya docker-machine bahkan tidak akan membiarkan kami sejauh itu. : confounded: Dengan kata lain, teori saya masih bagus, tetapi kita tidak bisa memverifikasi dengan cara ini.

Ada satu hal lagi yang bisa kita coba, daripada melakukan /usr/local/etc/init.d/docker restart , kita bisa mencoba:

root<strong i="14">@default</strong>:~# rm -fv ~docker/.docker/*.pem /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*
...
root<strong i="15">@default</strong>:~# /usr/local/etc/init.d/docker stop
...
root<strong i="16">@default</strong>:~# ps aux | grep -i docker # make sure all the docker processes are dead; kill them by hand if necessary
...
root<strong i="17">@default</strong>:~# /usr/local/etc/init.d/docker start
...
root<strong i="18">@default</strong>:~# export DOCKER_CERT_PATH=/home/docker/.docker DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://127.0.0.1:2376
root<strong i="19">@default</strong>:~# docker ps
...
root<strong i="20">@default</strong>:~# openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null
...

Mudah-mudahan Anda memiliki sertifikat yang benar pada saat itu (Anda pernah memilikinya sebelumnya , saya tidak tahu mengapa Anda tidak dapat mereproduksinya secara tiba-tiba). Maka jangan keluar dari shell root Anda. Periksa stempel waktu sertifikat Anda:

root<strong i="25">@default</strong>:~# ls -al ~docker/.docker/*.pem /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*.pem
...

Dari shell _another _ di host, lakukan:

% eval $( docker-machine env [machine-name] )
% docker ps
...

Jika gagal, periksa kembali stempel waktu sertifikat Anda di shell root boot2docker yang Anda biarkan terbuka. Jika tidak cocok, maka docker-machine akan menulis ulang di beberapa titik. Jika mereka _do _ cocok, sesuatu yang lain sedang terjadi dengan pengaturan Anda yang tidak diperhitungkan, dan saya menyerah. :kecewa:

Masalahnya, setiap kali kami membuat sertifikat, sertifikat itu bagus dan berasal dari boot2docker (seperti yang saya tunjukkan di tangkapan layar).

Namun perintah khusus ini:

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null

menunjukkan sertifikat dengan nama saya di subjek.

Selain itu, saat saya melakukannya:

root<strong i="11">@default</strong>:~# docker ps
An error occurred trying to connect: Get https://127.0.0.1:2376/v1.20/containers/json: x509: certificate is valid for 192.168.99.104, not 127.0.0.1

Apakah masuk akal - perbedaan IP ini?

Terima kasih banyak atas semua waktu yang Anda habiskan untuk mencoba menyelesaikan masalah saya! Saya sangat menghargai!

Salam,

@PavelPolyakov , tidak masalah. Anda membantu saya memvalidasi teori (meskipun perlahan). :mengedipkan:

Namun perintah khusus ini:

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null

menunjukkan sertifikat dengan nama saya di subjek.

Artinya ketika Anda menjalankannya dari sisi host (di OS X), atau keduanya di host dan dari dalam VM? Ya, inilah yang membuatku gila. Saya tidak tahu mengapa ini terjadi jika semua langkah dijalankan seperti yang ditentukan. Di masa mendatang, coba ini sebagai gantinya (setidaknya akan memberikan beberapa informasi tambahan):

( set -x ; openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text ; openssl x509 -in "${DOCKER_CERT_PATH}/ca.pem" -text ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null )

Selain itu, saat saya melakukannya:

root<strong i="17">@default</strong>:~# docker ps
An error occurred trying to connect: Get https://127.0.0.1:2376/v1.20/containers/json: x509: certificate is valid for 192.168.99.104, not 127.0.0.1

Apakah masuk akal - perbedaan IP ini?

Ah iya. Coba ini (gantikan [www.xxx.yyy.zzz] dengan alamat IP VM Anda, yaitu 192.168.99.104 pada komentar terakhir Anda, tetapi ifconfig seharusnya tersedia dari dalam boot2docker jika diperlukan):

root<strong i="26">@default</strong>:~# DOCKER_HOST=[www.xxx.yyy.zzz]:2376 docker ps

Tarian apa pun membantu sejauh ini :)

Hal menarik lainnya (atau tidak), bahwa saya memiliki dua lokasi dengan sertifikat:

1. /Users/PavelPolyakov/.docker/machine/certs/
2. /Users/PavelPolyakov/.docker/machine/machines/default

Hal menarik lainnya, adalah, bahkan setelah instalasi bersih dari mesin buruh pelabuhan (tanpa manipulasi apa pun, yang dijelaskan di atas), ketika saya melakukan hal berikutnya (pada mesin buruh pelabuhan):

docker<strong i="13">@default</strong>:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://192.168.99.1
06:2376
docker<strong i="14">@default</strong>:~$ docker ps
The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: Get https://192.168.99.106:2376/v1.20/containers/json: remote error: bad certificate

Saya masih memiliki masalah dengan sertifikat.

Dan ketiga, setelah sertifikat dihapus dan dibuat ulang (saat restart).
Saya memiliki tiga sertifikat di sini /home/docker/.docker .

1. ca.pem - Penerbit: O = Boot2DockerCA
2. cert.pem - Penerbit: O = Boot2DockerCA
3. key.pem

root<strong i="28">@default</strong>:/home/docker/.docker# openssl x509 -noout -in key.pem  -text
unable to load certificate
140604952614544:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Sepertinya ada yang salah dengannya, perintah yang sama berfungsi untuk dua sertifikat pertama.

@PavelPolyakov , sertifikat di /home/docker/.docker pada instance VM dihasilkan oleh boot2docker . Sertifikat tersebut disalin ke direktori itu sebagai bagian dari boot2docker s proses pembuatan (ulang) sertifikat default. Jika docker-machine kemudian membuat sertifikat _new_ untuk Docker, tebakan saya adalah tidak menghapus sertifikat di /home/docker/.docker , yang kemungkinan sudah basi, itulah mengapa Anda mendapatkan kesalahan saat memanggil docker ps pada instance VM.

Juga, openssl x509 -noout -in key.pem -text tidak akan berfungsi. Tidak ada data X509 di key.pem . Itu kunci pribadi. openssl x509 -noout -in cert.pem -text atau openssl x509 -noout -in key.pem -text seharusnya berfungsi.

Saya tidak cukup tahu tentang docker-machine untuk mengetahui mengapa ia memelihara dua jalur sertifikat terpisah (yaitu, ~/.docker/machine/certs dan ~/.docker/machine/machines/[machine-name] ). Namun demikian, berdasarkan komentar Anda sebelumnya, terlepas dari sertifikat _client_ apa yang ada pada host, sertifikat _server_ instance VM sedang ditulis ulang oleh docker-machine , bahkan setelah seseorang mencoba menginstalnya secara manual (dalam kasus kami, melalui boot2docker proses pembuatan sertifikat sendiri). (Jika kita tidak bisa melewatinya, tidak masalah sertifikat apa yang ada di sisi klien dan di mana.)

Seluruh tujuan saya dengan eksperimen ini adalah mencoba mendapatkan sertifikat _server_ pada instance VM yang subjeknya tidak sama dengan subjek penerbitnya untuk melihat apakah itu penyebab error yang mendorong Anda untuk mengajukan masalah ini. Sayangnya, itu terbukti sangat sulit.

Jalur yang lebih mudah pada titik ini mungkin jika seseorang yang berpengetahuan luas di Go melihat docker-machine sources, menemukan di mana ia melakukan keajaiban pembuatan sertifikatnya sendiri, menyesuaikannya untuk memastikan bahwa subjek di ca.pem berbeda dari subjek dalam sertifikat yang ditandatangani (mis., ca.pem , server.pem , dll.), dan buatlah build yang dapat Anda uji.

@ehazlett , rekomendasi?

@PavelPolyakov , saya harus tidur: lelah_face :, tapi coba build ini ¹ . Simpan sebagai docker-machine_darwin-amd64 dan pastikan memiliki izin yang dapat dijalankan. MISALNYA:

% curl >~/Desktop/docker-machine_darwin-amd64 --location 'https://www.dropbox.com/s/2leyxf2sy6k0i9o/docker-machine_darwin-amd64'
...
% openssl dgst -r -sha256 ~/Desktop/docker-machine_darwin-amd64
cf3f82323b5f5f3556b0286c2ea3edb51ffe1bccd5fbeecddd59f591486f2089 */.../Desktop/docker-machine_darwin-amd64
% chmod +x ~/Desktop/docker-machine_darwin-amd64
% ~/Desktop/docker-machine_darwin-amd64 create --driver virtualbox fubar
...
% eval $( ~/Desktop/docker-machine_darwin-amd64 env fubar )
% docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

¹ SHA-256 checksum: cf3f82323b5f5f3556b0286c2ea3edb51ffe1bccd5fbeecddd59f591486f2089 .

@posita

Tolong, tidurlah :)

Memasang mesin:

[~]$ curl >~/Desktop/docker-machine_darwin-amd64 --location 'https://www.dropbox.com/s/2leyxf2sy6k0i9o/docker-machine_darwin-amd64'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   486    0   486    0     0    269      0 --:--:--  0:00:01 --:--:--   269
100 12.7M  100 12.7M    0     0  1153k      0  0:00:11  0:00:11 --:--:-- 2555k
[~]$ openssl dgst -r -sha256 ~/Desktop/docker-machine_darwin-amd64
cf3f82323b5f5f3556b0286c2ea3edb51ffe1bccd5fbeecddd59f591486f2089 */Users/PavelPolyakov/Desktop/docker-machine_darwin-amd64
[~]$ chmod +x ~/Desktop/docker-machine_darwin-amd64
[~]$ ~/Desktop/docker-machine_darwin-amd64 create --driver virtualbox fubar
Running pre-create checks...
Creating machine...
Creating VirtualBox VM...
Creating SSH key...
Starting VirtualBox VM...
Starting VM...
Waiting for machine to be running, this may take a few minutes...
Machine is running, waiting for SSH to be available...
Detecting operating system of created instance...
Provisioning created instance...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
To see how to connect Docker to this machine, run: /Users/PavelPolyakov/Desktop/docker-machine_darwin-amd64 env fubar
[~]$ eval $( ~/Desktop/docker-machine_darwin-amd64 env fubar )
[~]$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Berada di mesin saya memiliki yang berikutnya:

docker<strong i="12">@fubar</strong>:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://127.0.0.1
docker<strong i="13">@fubar</strong>:~$ ( set -x ; openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text ; openssl x509 -in "${DOCKER_
CERT_PATH}/ca.pem" -text ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_C
ERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null )
+ openssl x509 -in /home/docker/.docker/cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:59:69:9a:b9:cb:c7:fa:b2:23:00:23:22:3a:fc:c2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Boot2DockerCA
        Validity
            Not Before: Sep 26 09:57:59 2015 GMT
            Not After : Sep 25 09:57:59 2016 GMT
        Subject: O=Boot2Docker
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:e8:2f:36:48:54:2b:a3:19:96:e3:8a:d5:b4:
                    53:dc:e5:40:43:45:5a:a2:80:89:d5:49:5a:3d:cd:
                    42:f5:8d:f4:61:19:41:ec:22:af:24:59:da:07:be:
                    46:f7:79:1d:b9:b7:c4:09:02:5e:7b:f7:6b:eb:bd:
                    0c:0e:db:d9:24:da:11:7a:bf:96:2c:ac:3c:05:d1:
                    35:48:6e:86:ad:d0:25:34:3e:1d:30:34:d3:51:df:
                    be:b9:b6:c4:89:19:96:63:e4:10:ae:59:90:e7:a9:
                    3c:f3:9e:9a:a0:79:3a:9d:d9:46:b1:d5:a2:58:b2:
                    ae:84:4b:78:70:f6:54:a0:9d:67:7d:61:91:fb:1b:
                    9b:a7:f7:6a:ca:b6:f9:f2:23:05:d4:1c:e5:8f:1d:
                    ff:00:88:2f:b5:ee:a4:68:5c:37:11:7c:6b:c6:0d:
                    24:70:e2:4e:1b:62:4f:e9:5d:80:d9:02:0c:d7:29:
                    f1:cb:ae:91:8d:81:4a:0b:6c:f5:c2:be:52:ab:13:
                    da:01:d2:a2:cc:05:17:76:97:b5:29:c2:c9:6e:34:
                    c6:47:05:cc:10:29:3e:a5:af:ec:f9:e6:56:4e:03:
                    10:96:90:42:2f:17:5b:4a:97:11:aa:73:2e:21:f4:
                    cf:55:3c:93:2a:70:5a:ce:77:55:19:8e:fd:6e:51:
                    1c:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         4a:53:4d:0a:ff:bd:fc:b7:c3:c6:50:55:48:85:9c:1a:4d:4f:
         07:9c:86:bb:d4:58:a4:34:3b:7a:fc:18:16:c6:9e:21:2c:41:
         8b:f9:8e:ab:3a:de:09:a0:b7:a5:0e:46:25:4e:5e:c4:47:13:
         13:6f:0c:94:1a:9b:bb:86:91:e2:65:f8:c0:08:e4:44:6f:ac:
         c2:42:21:54:94:7e:1c:7a:e5:70:e1:f2:00:ac:57:ae:b4:ed:
         d9:d2:c4:ce:0d:07:7d:5d:83:0e:17:ef:98:48:ed:29:0d:6b:
         d6:9e:c5:14:dd:03:f3:91:eb:4d:b9:07:fe:4a:7e:72:80:f4:
         06:b6:36:0e:d9:c7:31:a3:f8:c3:c7:d2:1e:93:ea:ae:93:f1:
         75:ac:0d:13:2f:57:b1:3a:58:26:7f:bd:fb:b6:71:b3:60:c9:
         7d:98:68:46:81:6b:8f:a8:45:67:06:d1:ec:8d:90:be:36:bb:
         0b:94:56:70:b1:45:c0:82:05:6c:b1:9f:cb:18:6d:a0:e4:07:
         53:c4:14:19:02:2e:04:5e:27:b4:51:3b:ae:ef:2c:56:31:40:
         b1:b1:3c:7f:2e:73:96:0a:13:53:51:ae:5b:a3:5a:91:7c:a9:
         ee:3f:1e:c8:03:e8:30:59:07:83:4c:69:51:79:13:c2:d0:31:
         d0:04:9e:83
-----BEGIN CERTIFICATE-----
MIIC6TCCAdOgAwIBAgIQWllpmrnLx/qyIwAjIjr8wjALBgkqhkiG9w0BAQswGDEW
MBQGA1UEChMNQm9vdDJEb2NrZXJDQTAeFw0xNTA5MjYwOTU3NTlaFw0xNjA5MjUw
OTU3NTlaMBYxFDASBgNVBAoTC0Jvb3QyRG9ja2VyMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAregvNkhUK6MZluOK1bRT3OVAQ0VaooCJ1UlaPc1C9Y30
YRlB7CKvJFnaB75G93kdubfECQJee/dr670MDtvZJNoRer+WLKw8BdE1SG6GrdAl
ND4dMDTTUd++ubbEiRmWY+QQrlmQ56k8856aoHk6ndlGsdWiWLKuhEt4cPZUoJ1n
fWGR+xubp/dqyrb58iMF1Bzljx3/AIgvte6kaFw3EXxrxg0kcOJOG2JP6V2A2QIM
1ynxy66RjYFKC2z1wr5SqxPaAdKizAUXdpe1KcLJbjTGRwXMECk+pa/s+eZWTgMQ
lpBCLxdbSpcRqnMuIfTPVTyTKnBazndVGY79blEcPQIDAQABozUwMzAOBgNVHQ8B
Af8EBAMCAIAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADALBgkq
hkiG9w0BAQsDggEBAEpTTQr/vfy3w8ZQVUiFnBpNTwechrvUWKQ0O3r8GBbGniEs
QYv5jqs63gmgt6UORiVOXsRHExNvDJQam7uGkeJl+MAI5ERvrMJCIVSUfhx65XDh
8gCsV6607dnSxM4NB31dgw4X75hI7SkNa9aexRTdA/OR6025B/5KfnKA9Aa2Ng7Z
xzGj+MPH0h6T6q6T8XWsDRMvV7E6WCZ/vfu2cbNgyX2YaEaBa4+oRWcG0eyNkL42
uwuUVnCxRcCCBWyxn8sYbaDkB1PEFBkCLgReJ7RRO67vLFYxQLGxPH8uc5YKE1NR
rlujWpF8qe4/HsgD6DBZB4NMaVF5E8LQMdAEnoM=
-----END CERTIFICATE-----
+ openssl x509 -in /home/docker/.docker/ca.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9b:4f:8c:0f:dc:b5:1d:ad:ec:54:1b:f8:73:ee:67:7a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=PavelPolyakov
        Validity
            Not Before: Sep 26 07:47:00 2015 GMT
            Not After : Sep 10 07:47:00 2018 GMT
        Subject: O=PavelPolyakov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:3b:a8:23:92:6d:63:59:27:b7:39:e1:7d:4e:
                    93:57:e2:55:67:51:81:ed:a5:f8:5b:62:e9:e9:e8:
                    5f:31:63:10:8a:23:c8:1d:97:54:34:02:62:9a:2a:
                    b9:a1:b8:bc:94:8e:4c:55:f3:8e:00:71:d0:63:1f:
                    0d:7a:ab:30:a4:62:b7:f6:b2:f8:73:ad:6b:5d:3b:
                    60:35:a5:14:1d:a1:58:c9:e0:01:e6:03:e5:59:59:
                    f3:39:c9:4f:21:c8:86:ef:09:e8:ac:25:4b:a6:0f:
                    f1:d4:85:29:fe:d2:df:cf:95:94:f7:0f:28:00:1f:
                    c7:f8:29:37:5b:84:e1:0e:c4:88:61:c5:07:60:c8:
                    1a:a6:97:dd:5c:00:a3:af:35:21:45:8d:02:8e:9d:
                    6a:c8:81:72:9d:0b:52:4a:99:66:e4:04:96:f3:f7:
                    29:8f:b5:ed:e3:1a:2f:0c:36:24:42:69:ca:99:f6:
                    63:4c:d4:19:70:c0:3e:0c:9d:e2:25:be:79:19:ee:
                    3d:ed:27:49:f9:8f:98:8f:c1:67:74:ea:71:ea:dd:
                    21:e1:21:f3:a7:a8:35:81:5c:c4:96:2c:be:04:4f:
                    40:a3:23:e5:d1:1c:7e:f8:8b:c0:0f:81:90:4d:49:
                    e9:54:4c:13:2f:59:03:c1:12:85:fc:24:68:90:8f:
                    21:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         b7:31:60:c6:92:93:59:09:02:dd:2f:a7:de:58:40:a3:c7:32:
         dc:ba:94:99:b6:9d:df:b8:8b:f1:a0:0c:d8:dd:e8:d3:83:91:
         f8:e8:38:f0:02:8a:9f:e7:73:ec:c4:7b:9b:99:10:63:2d:60:
         17:cd:50:dd:00:ce:da:fa:33:2d:fd:f2:40:d7:44:2b:89:a3:
         b4:d3:a6:ca:49:3a:7f:1d:50:67:9b:94:e1:1c:29:33:53:04:
         f9:cc:1b:76:d3:60:33:a4:c2:e4:d0:aa:c5:e4:e9:d0:64:f4:
         39:58:00:fa:ca:1e:83:c8:9c:07:78:f6:a1:50:0b:1c:3e:e1:
         29:8a:09:ca:4b:bb:94:5b:5e:1a:f1:13:52:15:43:fe:67:08:
         cb:a5:0f:5c:50:5e:aa:10:1f:3f:ca:41:48:79:b2:f3:d4:f7:
         95:5b:ee:22:f9:22:2c:9f:c1:5a:2e:82:9b:8d:a2:32:f7:b2:
         df:5c:dd:4f:b8:4f:7e:f1:c7:de:33:73:db:8c:36:c0:40:b7:
         71:1e:5b:7f:66:e9:b1:67:a4:bb:9f:95:86:53:05:de:dd:89:
         4f:9e:8d:3b:4e:f0:25:ee:8f:f3:2a:c2:7a:0d:7a:e1:3b:9c:
         72:aa:36:22:a4:c7:27:b7:62:7f:b2:d3:a0:bf:a9:e9:db:12:
         ab:35:78:3a
-----BEGIN CERTIFICATE-----
MIIC2jCCAcSgAwIBAgIRAJtPjA/ctR2t7FQb+HPuZ3owCwYJKoZIhvcNAQELMBgx
FjAUBgNVBAoTDVBhdmVsUG9seWFrb3YwHhcNMTUwOTI2MDc0NzAwWhcNMTgwOTEw
MDc0NzAwWjAYMRYwFAYDVQQKEw1QYXZlbFBvbHlha292MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA4zuoI5JtY1kntznhfU6TV+JVZ1GB7aX4W2Lp6ehf
MWMQiiPIHZdUNAJimiq5obi8lI5MVfOOAHHQYx8NeqswpGK39rL4c61rXTtgNaUU
HaFYyeAB5gPlWVnzOclPIciG7wnorCVLpg/x1IUp/tLfz5WU9w8oAB/H+Ck3W4Th
DsSIYcUHYMgappfdXACjrzUhRY0Cjp1qyIFynQtSSplm5ASW8/cpj7Xt4xovDDYk
QmnKmfZjTNQZcMA+DJ3iJb55Ge497SdJ+Y+Yj8FndOpx6t0h4SHzp6g1gVzEliy+
BE9AoyPl0Rx++IvAD4GQTUnpVEwTL1kDwRKF/CRokI8hRQIDAQABoyMwITAOBgNV
HQ8BAf8EBAMCAKwwDwYDVR0TAQH/BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALcx
YMaSk1kJAt0vp95YQKPHMty6lJm2nd+4i/GgDNjd6NODkfjoOPACip/nc+zEe5uZ
EGMtYBfNUN0Aztr6My398kDXRCuJo7TTpspJOn8dUGeblOEcKTNTBPnMG3bTYDOk
wuTQqsXk6dBk9DlYAPrKHoPInAd49qFQCxw+4SmKCcpLu5RbXhrxE1IVQ/5nCMul
D1xQXqoQHz/KQUh5svPU95Vb7iL5IiyfwVougpuNojL3st9c3U+4T37xx94zc9uM
NsBAt3EeW39m6bFnpLuflYZTBd7diU+ejTtO8CXuj/MqwnoNeuE7nHKqNiKkxye3
Yn+y06C/qenbEqs1eDo=
-----END CERTIFICATE-----
+ openssl s_client -showcerts -connect 127.0.0.1 -CAfile /home/docker/.docker/ca.pem -key /home/docker/.docker/key.pem
no port defined
usage: s_client args

 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify_host host - check peer certificate matches "host"
 -verify_email email - check peer certificate matches "email"
 -verify_ip ipaddr - check peer certificate matches "ipaddr"
 -verify arg   - turn on peer certificate verification
 -verify_return_error - return verification errors
 -cert arg     - certificate file to use, PEM format assumed
 -certform arg - certificate format (PEM or DER) PEM default
 -key arg      - Private key file to use, in cert file if
                 not specified but cert file is.
 -keyform arg  - key format (PEM or DER) PEM default
 -pass arg     - private key file pass phrase source
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -no_alt_chains - only ever use the first certificate chain found
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -prexit       - print session information even on connection failure
 -showcerts    - show all certificates in the chain
 -debug        - extra output
 -msg          - Show protocol messages
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -crlf         - convert LF from terminal into CRLF
 -quiet        - no s_client output
 -ign_eof      - ignore input eof (default when -quiet)
 -no_ign_eof   - don't ignore input eof
 -psk_identity arg - PSK identity
 -psk arg      - PSK in hex (without 0x)
 -srpuser user     - SRP authentification for 'user'
 -srppass arg      - password for 'user'
 -srp_lateuser     - SRP username into second ClientHello message
 -srp_moregroups   - Tolerate other than the known g N values.
 -srp_strength int - minimal length in bits for N (default 1024).
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1_2       - just use TLSv1.2
 -tls1_1       - just use TLSv1.1
 -tls1         - just use TLSv1
 -dtls1        - just use DTLSv1
 -fallback_scsv - send TLS_FALLBACK_SCSV
 -mtu          - set the link layer MTU
 -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -serverpref   - Use server's cipher preferences (only SSLv2)
 -cipher       - preferred cipher to use, use the 'openssl ciphers'
                 command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.
 -engine id    - Initialise and use the specified engine
 -rand file:file:...
 -sess_out arg - file to write SSL session to
 -sess_in arg  - file to read SSL session from
 -servername host  - Set TLS extension servername in ClientHello
 -tlsextdebug      - hex dump of all TLS extensions received
 -status           - request certificate status from server
 -no_ticket        - disable use of RFC4507bis session tickets
 -serverinfo types - send empty ClientHello extensions (comma-separated numbers)
 -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
 -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
 -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
 -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
 -keymatexport label   - Export keying material using label
 -keymatexportlen len  - Export len bytes of keying material (default 20)

Mungkin ada sesuatu yang saya lewatkan? Namun saya mencoba untuk menjalankan semuanya seperti yang Anda gambarkan ...

Mungkin ada sesuatu yang saya lewatkan? Namun saya mencoba untuk menjalankan semuanya seperti yang Anda gambarkan ...

Maaf, saya tidak bermaksud tidak jelas. Tidak perlu menelusuri daftar langkah saya lagi. docker ps tampaknya berfungsi tanpa kesalahan SSL, benar? Coba docker-compose ps . Jika saya tidak salah, versi patch saya dari docker-machine baru saja menyelesaikan masalah asli Anda. Bisakah Anda memverifikasi?

Selain itu, dapatkah Anda memverifikasi versi docker-machine lagi? (Yang Anda gunakan sebelum versi tambalan.)

Terakhir, apakah Anda pernah mencoba mereproduksi kesalahan Anda dengan memulai dengan mesin baru yang dibuat dengan docker-machine 0.4.0 atau 0.4.1?

@PavelPolyakov , saya minta maaf karena telah melewatkan ini sebelumnya, tetapi pada https://github.com/docker/machine/issues/1880#issuecomment -143314311 Anda, jika teori saya benar, Anda seharusnya dapat melanjutkan tanpa mengalami kesalahan SSL: CERTIFICATE_VERIFY_FAILED . Subjek / penerbit sertifikat yang dibuat docker-machine berasal dari:

 0 s:/O=PavelPolyakov
   i:/O=PavelPolyakov

Untuk:

 0 s:/O=default
   i:/O=PavelPolyakov

Saya tidak tahu kapan atau mengapa itu terjadi, tetapi apakah Anda melakukan hal berikut pada tuan rumah Anda pada saat itu, semuanya seharusnya berhasil:

% eval $( docker-machine env default )
% docker ps
...
% docker-compose ps
...

Mungkin inilah alasan mengapa https://github.com/docker/machine/issues/1880#issuecomment -142557209 @rkit bekerja untuknya.

Saya khawatir bahwa mungkin Anda memiliki artefak dari lingkungan mesin buruh pelabuhan atau kejadian yang membuat Anda frustrasi? Saat saya mencoba membuat instance baru menggunakan docker-machine 0.4.1, sertifikat saya cocok dengan pola s:/O=[machine name] dan i:/O=[user name] , bukan pola s:/O=[user name] dan i:/O=[user name] pola yang mungkin memberi Anda masalah.

Sekali lagi, saya minta maaf karena tidak mengetahui ini sebelumnya, tetapi ini mungkin seharusnya telah memperbaikinya untuk Anda. Bisakah kamu mengkonfirmasi?

Baik,

Tidak :( Saya sudah mencobanya sebelumnya.

Bila saya lakukan:

[~/tmp/microservices-workshop/msworkshop/step4]$ eval $( ~/Desktop/docker-machine_darwin-amd64 env fubar )
[~/tmp/microservices-workshop/msworkshop/step4]$ docker ps                                         *[master]
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose build                              *[master]
Building frontend...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ ~/Desktop/docker-machine_darwin-amd64 --version   *[master]
docker-machine_darwin-amd64 version 0.5.0-dev (c4cd238)

Saya memiliki docker ps yang berfungsi, tetapi saya telah bekerja sebelumnya juga (saat menggunakan aliran default dari toolbox docker dari situs web).

Argh. : confounded: Oke, kalau begitu saya kehabisan ide. Coba simpan berikut ini sebagai compose-debug.py :

import logging
import re
import sys

from compose.cli.main import main

if __name__ == '__main__':
    logging.basicConfig(format='%(levelname)-8s: %(message)s')
    logging.getLogger().setLevel(logging.DEBUG)
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(main())

Kemudian lakukan:

python compose-debug.py --verbose build

Inilah kami:

[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py --verbose build           *[master]
Traceback (most recent call last):
  File "compose-debug.py", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/compose/cli/main.py", line 39, in main
    command.sys_dispatch()
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 21, in sys_dispatch
    self.dispatch(sys.argv[1:], None)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 27, in dispatch
    super(Command, self).dispatch(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 24, in dispatch
    self.perform_command(*self.parse(argv, global_options))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 57, in perform_command
    verbose=options.get('--verbose'))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 79, in get_project
    self.get_client(verbose=verbose))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 64, in get_client
    version_info = six.iteritems(client.version())
  File "/usr/local/lib/python2.7/site-packages/docker/client.py", line 837, in version
    return self._result(self._get(url), json=True)
  File "/usr/local/lib/python2.7/site-packages/docker/clientbase.py", line 86, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)
[~/tmp/microservices-workshop/msworkshop/step4]$ python --version                                  *[master]
Python 2.7.10

@PavelPolyakov , mohon maaf jika tidak jelas, tetapi apakah Anda memastikan instance docker-machine berjalan sebelum Anda mencoba perintah di atas?

Selain itu, saat memposting keluaran debug dengan pelacakan tumpukan, akan sangat membantu jika Anda dapat menggabungkannya dalam tag "" untuk mempertahankan pemformatan.

ya, mesin sudah habis, saya bisa melakukannya (jika ini buktinya).

docker-machine ssh default

Berikut adalah varian lainnya (ketika saya melewatkan --verbose outputnya sedikit berbeda):

[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py build                     *[master]
INFO    : Building frontend...
Building frontend...
Traceback (most recent call last):
  File "compose-debug.py", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/compose/cli/main.py", line 39, in main
    command.sys_dispatch()
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 21, in sys_dispatch
    self.dispatch(sys.argv[1:], None)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 27, in dispatch
    super(Command, self).dispatch(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 24, in dispatch
    self.perform_command(*self.parse(argv, global_options))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 59, in perform_command
    handler(project, command_options)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/main.py", line 135, in build
    project.build(service_names=options['SERVICE'], no_cache=no_cache)
  File "/usr/local/lib/python2.7/site-packages/compose/project.py", line 233, in build
    service.build(no_cache)
  File "/usr/local/lib/python2.7/site-packages/compose/service.py", line 710, in build
    dockerfile=self.options.get('dockerfile', None),
  File "/usr/local/lib/python2.7/site-packages/docker/client.py", line 158, in build
    timeout=timeout,
  File "/usr/local/lib/python2.7/site-packages/docker/clientbase.py", line 83, in _post
    return self.post(url, **self._set_request_timeout(kwargs))
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 508, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)

Tentu saja saya menggunakan format, terakhir kali itu salah ketik `` - dan saya memulai baris yang sama, maaf.

@posita

Saya tahu Anda lelah mencoba menyelesaikan ini, begitu juga saya :) Saya tidak tahu mengapa penyiapan saya saat ini dikutuk. Mungkin memang itu sesuatu tentang instalasi OS saya dan cara perangkat lunak lain diinstal di sini (brew). Sayang sekali - menghabiskan begitu banyak waktu Anda untuk mencoba menyelesaikan masalah, yang hanya muncul di komputer saya.
Rencana jangka panjang saya selanjutnya - coba instal OSX baru, ketika sudah keluar, atau instal bahkan instal OSX dari awal dan berharap aliran default akan berfungsi.

Pelacakan tumpukan terlihat aneh bagi saya (tidak terlihat seperti kesalahan SSL). Apa yang Anda dapatkan untuk docker-compose --verbose build ?

[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose  build                             *[master]
Building frontend...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose build                    *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Apa yang Anda dapatkan dengan docker-compose --verbose ps dan python compose-debug.py --verbose ps ? Inilah yang saya dapatkan:

% docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
% docker-compose --verbose ps
Compose version 1.4.1
Docker base_url: https://www.xxx.yyy.zzz:2376
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
docker containers -> (list with 0 items)
docker containers <- (all=True)
docker containers -> (list with 0 items)
docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
docker containers -> (list with 0 items)
docker containers <- (all=True)
docker containers -> (list with 0 items)
Name   Command   State   Ports
------------------------------
% python compose-debug.py --verbose ps
DEBUG   : Trying /.../.docker/config.json
DEBUG   : File doesn't exist
DEBUG   : Trying /.../.dockercfg
DEBUG   : Attempting to parse as JSON
DEBUG   : ...
INFO    : Compose version 1.4.1
Compose version 1.4.1
INFO    : Docker base_url: https://www.xxx.yyy.zzz:2376
Docker base_url: https://www.xxx.yyy.zzz:2376
INFO    : Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
INFO    : docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=True)
docker containers <- (all=True)
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=True)
docker containers <- (all=True)
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
Name   Command   State   Ports
------------------------------

@posita
Itulah yang saya miliki:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker ps                                         *[master]
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[~/tmp/microservices-workshop/msworkshop/step4]$ docker --verbose ps                               *[master]
flag provided but not defined: --verbose
See 'docker --help'.
[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py --verbose ps              *[master]
Traceback (most recent call last):
  File "compose-debug.py", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/compose/cli/main.py", line 39, in main
    command.sys_dispatch()
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 21, in sys_dispatch
    self.dispatch(sys.argv[1:], None)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 27, in dispatch
    super(Command, self).dispatch(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 24, in dispatch
    self.perform_command(*self.parse(argv, global_options))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 57, in perform_command
    verbose=options.get('--verbose'))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 79, in get_project
    self.get_client(verbose=verbose))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 64, in get_client
    version_info = six.iteritems(client.version())
  File "/usr/local/lib/python2.7/site-packages/docker/client.py", line 837, in version
    return self._result(self._get(url), json=True)
  File "/usr/local/lib/python2.7/site-packages/docker/clientbase.py", line 86, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                       *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ python -V                                         *[master]
Python 2.7.10

Apakah menurut Anda ini masalah python saya?
Versi mana yang kamu punya

Saya juga menemukan masalah ini:
https://github.com/kennethreitz/requests/issues/2524

Mengenai perpustakaan https dan ulr yang digunakan python, saya tidak tahu apakah docker-compose menggunakan lib yang sama.

@PavelPolyakov , coba docker-compose --verbose ps , bukan docker --verbose ps .

Saya ragu itu adalah versi Python. Saya menjalankan 2.7.10 juga. Bisa jadi docker-py ? Coba python -c 'import docker ; print(docker.version)' .

Versi OpenSSL apa yang Anda miliki?

which openssl
openssl version
which python
python -c 'import ssl ; print(ssl.__file__) ; print(ssl.OPENSSL_VERSION)'

Inilah kami:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                       *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import docker ; print(docker.version)' *[master]
1.3.1
[~/tmp/microservices-workshop/msworkshop/step4]$ which openssl                                     *[master]
/usr/local/bin/openssl
[~/tmp/microservices-workshop/msworkshop/step4]$ openssl version                                   *[master]
OpenSSL 1.0.2d 9 Jul 2015
[~/tmp/microservices-workshop/msworkshop/step4]$ which python                                      *[master]
/usr/local/bin/python
[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import ssl ; print(ssl.__file__) ; print(ssl.OPENSSL_VERSION)'
/usr/local/Cellar/python/2.7.10_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc
OpenSSL 1.0.2d 9 Jul 2015

Bagaimana docker-py diinstal pada mesin Anda? Bagaimana Anda meningkatkan (jika Anda meningkatkan) docker-compose ke versi terbaru?

Saat ini semua penginstalan dilakukan dari sini: https://www.docker.com/toolbox .
Saya belum memperbarui docker-compose .

Saya telah mencoba instalasi yang berbeda juga - dari brew (hasil yang sama, kesalahan SSL), tetapi yang kami coba adalah dari toolbox pkg.

Oke, versi Anda tidak jauh berbeda dari versi saya, kecuali untuk docker-py (Saya tidak tahu tentang requests ):

% docker version --format='{{.Client.Version}}'
1.8.2
% docker-machine --version
docker-machine version 0.4.1 (e2c88d6)
% docker-compose --version
docker-compose version: 1.4.1
% openssl version
OpenSSL 1.0.2d 9 Jul 2015
% python -c 'import ssl ; print(ssl.OPENSSL_VERSION)' # just to make sure it's picking up the same version
OpenSSL 1.0.2d 9 Jul 2015
% python -c 'import docker ; print(docker.version)'
1.4.0
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3

Sudahkah Anda mencoba menginstal / menjalankan docker-compose dari lingkungan virtual (yang seharusnya menjadi langkah pertama kami: kecewa :)?

% virtualenv .venv
...
% . ./.venv/bin/activate # don't forget the dot; you're "sourcing" the file
% ./.venv/bin/pip install docker-compose
...
% rehash # necessary on some shells like zsh
% which docker-compose
.../.venv/bin/docker-compose
% docker-compose --version
docker-compose version: 1.4.2
% python -c 'import docker ; print(docker.version)'
1.4.0
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.7.0
1.10.4
% docker-compose --verbose ps
...?
% python compose-debug.py --verbose ps
...?
% docker-compose build
...?

Sama:

[~/tmp/microservices-workshop/msworkshop/step4]$ virtualenv .venv                                  *[master]
New python executable in .venv/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/microservices-workshop/msworkshop/step4]$ . ./.venv/bin/activate                            *[master]
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ ./.venv/bin/pip install docker-compose     *[master]
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 2.2MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 1.4MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 839kB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 1.0MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 3.7MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Building wheels for collected packages: docker-compose, docopt, PyYAML, texttable, websocket-client, docker-py, dockerpty
  Running setup.py bdist_wheel for docker-compose
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/85/15/68/da301b79c711f2eb9a2065f44f16dcef736862e9c334bf87c4
  Running setup.py bdist_wheel for docopt
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/0d/5c/a7/cb986749520c1950217b5d8405def5c18541322dbc411a80d1
  Running setup.py bdist_wheel for PyYAML
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/fa/db/f6/dee55793d344f1706dc4a5a693298f0115241d1085cc212364
  Running setup.py bdist_wheel for texttable
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/d6/44/0b/20a20bc6ab19b4a7f4a43fa67010cf5008140d8abab61d58d5
  Running setup.py bdist_wheel for websocket-client
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/48/45/ba/e955834950f99f1ca7a5778808d7bef1d4962edb1a4b14600a
  Running setup.py bdist_wheel for docker-py
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/18/b4/cb/62ce0b04a3055cf5d599f3cfd01213d8488e9b367fb9cfb238
  Running setup.py bdist_wheel for dockerpty
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/52/29/66/0c53de7d30b0e2a838ba252f6db929e9cc3d528892e7d759d5
Successfully built docker-compose docopt PyYAML texttable websocket-client docker-py dockerpty
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ rehash                                     *[master]
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ which docker-compose                       *[master]
/Users/PavelPolyakov/tmp/microservices-workshop/msworkshop/step4/.venv/bin/docker-compose
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --version                   *[master]
docker-compose version: 1.4.2
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import docker ; print(docker.version)'
1.3.1
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py --verbose ps       *[master]
ERROR   : SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose build                       *[master]
Building frontend...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Untuk beberapa alasan, Anda memiliki semua versi yang lebih tinggi dari versi saya (jika saya mengerti benar):

1. buruh pelabuhan
2. permintaan
3. urlib3

Mengapa? dan mungkinkah itu memiliki efek dramatis?

Untuk beberapa alasan, Anda memiliki semua versi yang lebih tinggi dari versi saya (jika saya mengerti benar): ... mengapa?

Saya tidak yakin. Coba deactivate -ing virtualenv Anda, hapus, dan buat ulang, tetapi dengan ./.venv/bin/pip install --no-cache-dir docker-compose sebagai gantinya (perhatikan penambahan --no-cache-dir ).

... dan mungkinkah itu memiliki efek dramatis?

Ternyata iya. Anda setidaknya mendapatkan kesalahan samar yang sama untuk python compose-debug.py --verbose ps sebagai docker-compose --verbose ps (bukan stacktrace yang Anda dapatkan sebelumnya). Jadi, tuliskan hingga requests , kurasa.

FYI, inilah yang saya dapatkan dari virtualenv saya (dan direktori ~/.docker/machine ):

% deactivate
% rm -frv ./.venv
...
% for i in $( docker-machine ls --quiet ) ; do docker-machine stop "${i}" ; done
...
% docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL   SWARM
% mv -v ~/.docker/machine ~/.docker/machine.bak
/.../.docker/machine -> /.../.docker/machine.bak
% docker-machine create --driver virtualbox testes
Creating VirtualBox VM...
Creating SSH key...
Starting VirtualBox VM...
Starting VM...
To see how to connect Docker to this machine, run: docker-machine env testes
docker-machine create --driver virtualbox testes  8.12s user 6.22s system 13% cpu 1:47.48 total
% docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL                         SWARM
testes            virtualbox   Running   tcp://192.168.99.100:2376
% eval $( docker-machine env testes )
% docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
% virtualenv .venv
...
% . ./.venv/bin/activate
% ./.venv/bin/pip install --no-cache-dir docker-compose
...
% rehash
% cat Dockerfile
FROM debian:stable
% cat docker-compose.yml
deb1:
    build: .

deb2:
    image: debian:stable
    links:
        - deb1
% docker-compose ps
Name   Command   State   Ports
------------------------------
% docker-compose --verbose build
Compose version 1.4.2
Docker base_url: https://192.168.99.100:2376
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
Building deb1...
docker build <- (pull=False, stream=True, nocache=False, tag=u'test_deb1', rm=True, path='/...', dockerfile=None)
docker build -> <generator object _stream_helper at 0x10f29b5f0>
Step 0 : FROM debian:stable
stable: Pulling from library/debian
401015d2a1e5: Pull complete
315baabd82d5: Pull complete
library/debian:stable: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:2ee35f51e54da93075fe46631a28d84ef4e23eb4ca51e7a8ef9f9ba625e7f6be
Status: Downloaded newer image for debian:stable
 ---> 315baabd82d5
Successfully built 315baabd82d5
docker close <- ()
docker close -> None
deb2 uses an image, skipping

Tidak :(

... steps above were done as well ...
[~/tmp/docker-compose-fixing]$ for i in $( docker-machine ls --quiet ) ; do docker-machine stop "${i}" ; done
[~/tmp/docker-compose-fixing]$ docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL   SWARM
testes            virtualbox   Stopped
[~/tmp/docker-compose-fixing]$ mv -v ~/.docker/machine ~/.docker/machine.bak
/Users/PavelPolyakov/.docker/machine -> /Users/PavelPolyakov/.docker/machine.bak/machine
[~/tmp/docker-compose-fixing]$ docker-machine create --driver virtualbox testes
Creating CA: /Users/PavelPolyakov/.docker/machine/certs/ca.pem
Creating client certificate: /Users/PavelPolyakov/.docker/machine/certs/cert.pem
Image cache does not exist, creating it at /Users/PavelPolyakov/.docker/machine/cache...
No default boot2docker iso found locally, downloading the latest release...
Downloading https://github.com/boot2docker/boot2docker/releases/download/v1.8.2/boot2docker.iso to /Users/PavelPolyakov/.docker/machine/cache/boot2docker.iso...
Creating VirtualBox VM...
Creating SSH key...
Error creating machine: exit status 1
You will want to check the provider to make sure the machine and associated resources were properly removed.
[~/tmp/docker-compose-fixing]$ docker-machine create --driver virtualbox testes
Creating CA: /Users/PavelPolyakov/.docker/machine/certs/ca.pem
Creating client certificate: /Users/PavelPolyakov/.docker/machine/certs/cert.pem
Image cache does not exist, creating it at /Users/PavelPolyakov/.docker/machine/cache...
No default boot2docker iso found locally, downloading the latest release...
Downloading https://github.com/boot2docker/boot2docker/releases/download/v1.8.2/boot2docker.iso to /Users/PavelPolyakov/.docker/machine/cache/boot2docker.iso...
Creating VirtualBox VM...
Creating SSH key...
Starting VirtualBox VM...
Starting VM...
To see how to connect Docker to this machine, run: docker-machine env testes
[~/tmp/docker-compose-fixing]$ docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL                         SWARM
testes            virtualbox   Running   tcp://192.168.99.109:2376
[~/tmp/docker-compose-fixing]$ eval $( docker-machine env testes )
[~/tmp/docker-compose-fixing]$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[~/tmp/docker-compose-fixing]$ virtualenv .venv
New python executable in .venv/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/docker-compose-fixing]$ . ./.venv/bin/activate
(.venv)[~/tmp/docker-compose-fixing]$ ./.venv/bin/pip install --no-cache-dir docker-compose
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 16.0MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 2.7MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 15.5MB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 20.1MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 10.5MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
  Running setup.py install for docopt
  Running setup.py install for PyYAML
  Running setup.py install for texttable
  Running setup.py install for websocket-client
  Running setup.py install for docker-py
  Running setup.py install for dockerpty
  Running setup.py install for docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
(.venv)[~/tmp/docker-compose-fixing]$ rehash
(.venv)[~/tmp/docker-compose-fixing]$ cat Dockerfile
FROM debian:stable
(.venv)[~/tmp/docker-compose-fixing]$ cat docker-compose.yml
deb1:
    build: .

deb2:
    image: debian:stable
    links:
        - deb1
(.venv)[~/tmp/docker-compose-fixing]$ docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Namun, versi perpustakaannya sama, pada dasarnya:

(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3
(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import docker ; print(docker.version)'
1.3.1

Namun, versi perpustakaannya sama, pada dasarnya:

(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3
(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import docker ; print(docker.version)'
1.3.1

Ups ... Anda benar. Itu salah saya (saya membuat terminal saya bingung). Saya (secara keliru) menyalin sebagian nomor versi dari terminal tempat saya melakukan sesuatu seperti pip install --upgrade ... ). : lelah: Di lingkungan kerja saya, saya memiliki hal yang sama dengan Anda:

% which python
.../.venv/bin/python
% python -c 'import docker ; print(docker.version)'
1.3.1
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3

Apa yang Anda dapatkan untuk ini di lingkungan Anda saat ini?

( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null ; echo "exit code: ${?}" ) | awk '$0 ~ /TLS session ticket:/ { ticket = 1; } !ticket || $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]$/ { print; }'

Juga, dapatkah Anda mencoba ini (dikoreksi)?

% deactivate
% virtualenv -p /usr/bin/python .venv2
...
% ./.venv2/bin/pip install --no-cache-dir docker-compose
% ./.venv2/bin/python -c 'import ssl ; print(ssl.__file__) ; print (ssl.OPENSSL_VERSION)'
...
% ./.venv2/bin/python -c 'import _ssl ; print(_ssl.__file__) ; print (_ssl.OPENSSL_VERSION)' # note the underscore-ssl
...
% ./.venv2/bin/docker-compose ps
...

1:

(.venv)[~/tmp/docker-compose-fixing]$ ( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null ; echo "exit code: ${?}" ) | awk '$0 ~ /TLS session ticket:/ { ticket = 1; } !ticket || $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]$/ { print; }'
+-zsh:111> openssl s_client -showcerts -connect 192.168.99.109:2376 -tls1 -CAfile /Users/PavelPolyakov/.docker/machine/machines/testes/ca.pem -cert /Users/PavelPolyakov/.docker/machine/machines/testes/cert.pem -key /Users/PavelPolyakov/.docker/machine/machines/testes/key.pem
depth=1 O = PavelPolyakov
verify return:1
depth=0 O = testes
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=testes
   i:/O=PavelPolyakov
-----BEGIN CERTIFICATE-----
MIIC/zCCAemgAwIBAgIQHxlNz0mEt4afcgoccLhiGzALBgkqhkiG9w0BAQswGDEW
MBQGA1UEChMNUGF2ZWxQb2x5YWtvdjAeFw0xNTA5MjcxODE2MDBaFw0xODA5MTEx
ODE2MDBaMBExDzANBgNVBAoTBnRlc3RlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAOhSHinVHHH9BjwuGyNwMPlvyLQvJHngyUqbRx5L+NaOL6lTGinr
vXG+xosolY8TuTdTd9LZu25ccQMQ3AbwVV0XNklkqxUc1cQma9pZ/9VsmfOlHl+n
HkgFrJIhiV+GpsjbXy/oNiwkuNGIu0/DByPbf7NWVoTKMOUKyJBFQnqWE9VWLXA/
4BVnl/8VOFnCdGCqx8EkJEk0RC4h8No76M0Z/t32w2wj1Cj8BFzO5slGwwcFuOTt
TQNfOyicxg/KUPeeLEr0st9WenBOE90lzozecqeBLLEwUcpFFFdNrC79Gy4W9YEd
f60kNsAxFxlvKLg5svxNJPwBmiA2mam54GkCAwEAAaNQME4wDgYDVR0PAQH/BAQD
AgCoMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
MA8GA1UdEQQIMAaHBMCoY20wCwYJKoZIhvcNAQELA4IBAQCfOH1AxRjw+ZDS04S8
ne+uUwk7KW5Ws2lZELAzedB9Izz/QOUyN89GGSttPrlUP0YOmMbwXOqFyMVuqx7e
WEGcGH1dduCbvP7SELBPYrocvAEQPWLqyA5W7uRiJA9KipRe2r5bVer1bvADt6Ir
UuNpoqYWM5fG+X0LT3PbNCEaxC8Itzb4KnVVCHrE+Me931uvOahLWrcisM6eQEYS
asDytbK9KvKM86TVEkyWFEAzTc4VWCLeK3JTy6Tfi+86Yqvk0TTaoh1X6hjKnfWY
5xT7SOL6DsNBZHDAUG0W/2FDR8EYfOmKoDW4PH5F7Qyamd0fcgMBrwZ/uMqhXHAd
vIsF
-----END CERTIFICATE-----
---
Server certificate
subject=/O=testes
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2165 bytes and written 1378 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 9329F3198FC79ACBDF2CAB18200C02B19F9AFD84AF4462C7044878A6A16BF257
    Session-ID-ctx:
    Master-Key: 52FFF668D11FCE75BADCA40CAFB7F016B888E975D87E2010EAC9ADE5CC0EEB5B562074D822D7306991E149BC2DCA83E6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1443381037
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
+-zsh:111> echo 'exit code: 0'
exit code: 0

dan ke-2:

(.venv)[~/tmp/docker-compose-fixing]$ deactivate
[~/tmp/docker-compose-fixing]$ virtualenv -p /usr/bin/python .venv2
Running virtualenv with interpreter /usr/bin/python2.7
New python executable in .venv2/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/pip install --no-cache-dir docker-compose
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 1.9MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 2.6MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 11.1MB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 12.5MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 12.5MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
  Running setup.py install for docopt
  Running setup.py install for PyYAML
  Running setup.py install for texttable
  Running setup.py install for websocket-client
  Running setup.py install for docker-py
  Running setup.py install for dockerpty
  Running setup.py install for docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
[~/tmp/docker-compose-fixing]$ ./.venv/bin/python -c 'import ssl ; print(ssl.__file__) ; print (ssl.OPENSSL_VERSION)'
/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc
OpenSSL 0.9.8zg 14 July 2015
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/python -c 'import _ssl ; print(_ssl.__file__) ; print (_ssl.OPENSSL_VERSION)'
/Users/PavelPolyakov/tmp/docker-compose-fixing/.venv2/lib/python2.7/lib-dynload/_ssl.so
OpenSSL 0.9.8zg 14 July 2015
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Oke, saya resmi kehabisan ide. Saya tidak bisa seumur hidup saya mengerti mengapa openssl s_client dapat bekerja, _and_ docker ps dapat bekerja, tetapi Anda masih mendapatkan kesalahan verifikasi sertifikat SSL dengan docker-compose di dua versi berbeda dari Python dan dua versi OpenSSL yang berbeda. Bisakah Anda melakukan pembuatan Docker langsung (yaitu, docker build . )?

Ya, docker build berfungsi dengan baik:

[~/tmp/docker-compose-fixing]$ docker build -t hhh .
Sending build context to Docker daemon 27.28 MB
Step 0 : FROM debian:stable
 ---> 315baabd82d5
Successfully built 315baabd82d5
[~/tmp/docker-compose-fixing]$ docker run hhh --verbose
Error response from daemon: Cannot start container 4843e6bbbbbdd363356cb5536f82ce8cfada0960ed865242ebfe825ba7eade50: [8] System error: exec: "--verbose": executable file not found in $PATH

Tapi docker-compose build bukan :)

[~/tmp/docker-compose-fixing]$ docker-compose build deb1
Building deb1...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Nevermind :) Terima kasih atas bantuan dan usahanya. Bagaimanapun baik untuk mengetahui bahwa seseorang memiliki docker-compose bekerja di OSX, mungkin, karena beberapa hal saya akan membuatnya berfungsi juga!

Saya rasa salah satu alasannya adalah saya tidak lagi berpikir bahwa masalah Anda adalah dengan docker-machine . : kecewa_relieved:

_Mungkin_ ini menjadi masalah dengan docker-compose , tetapi bukan buruh pelabuhan / penulisan # 890. Karena tampaknya sangat sulit untuk mereproduksi di luar lingkungan Anda, saya curiga Anda perlu melakukan penggalian serius di pihak Anda untuk mendiagnosis ini dengan benar (misalnya, menggunakan pdb , bahkan mungkin dtrace atau wireshark untuk memahami sepenuhnya apa yang sedang terjadi).

Saya berharap saya bisa lebih membantu. :kecewa:

Menutup ini, buka kembali sebagai masalah baru jika Anda dapat memberikan kasus uji yang dapat direproduksi. Terima kasih

@Tokopedia

Satu solusi sangat kotor yang berhasil untuk saya:

Deklarasikan di / etc / hosts, alamat ip docker Anda sebagai localhost seperti
192.168.99.100 localhost

lalu Anda memasukkan DOCKER_HOST localhost alih-alih alamat IP Anda.
ekspor DOCKER_HOST = tcp: // localhost : 2376

Dan akhirnya, di Mac Anda, Anda akan memiliki docker dan docker-compose yang bekerja bersama.

Tapi saya akui, ini benar-benar kotor: d tetapi jika itu bisa membantu untuk sementara waktu, mungkin patut dicoba.

Bagi mereka yang baru mengenal masalah ini, tetapi telah tiba di sini dari luar (misalnya, pencarian web), lihat https://github.com/docker/compose/issues/890#issuecomment -159750418 @pmahoney tentang CURL_CA_BUNDLE variabel lingkungan menjadi kemungkinan penyebabnya. ( @PavelPolyakov , jika Anda dapat memverifikasi bahwa ini adalah penyebab masalah Anda, pertimbangkan untuk memperbarui OP Anda sehingga orang lain tidak perlu membaca seluruh riwayat komit.)

@posita
Selesai, terima kasih atas bantuannya, senang masalah ini teratasi.

Saya mengalami kesalahan yang sama ketika saya menggunakan perintah docker-compose. Saya akhirnya menghapus instalasi docker-machine dan menggunakan boot2docker untuk membangun kembali mv dan masalah terpecahkan.

OS saya adalah El Capitan dan tampaknya mv yang dibuat oleh mesin galangan memiliki beberapa sertifikat yang bentrok dengan sistem saya.

Karena docker-compose berbasis python dan menggunakan paket permintaan python, Anda juga harus membatalkan variabel lingkungan REQUESTS_CA_BUNDLE untuk membuat ini berfungsi:

unset CURL_CA_BUNDLE
unset REQUESTS_CA_BUNDLE
docker-compose up