Docker: how to debug a TLS/SSL connection

Tags: docker, ssl, tls1.2

First I created three files with these commands:

$ openssl genrsa 2048 > server.key
$ openssl req -new -key server.key > server.csr
$ openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt

Then on the local host I renamed server.crt to ca.crt and placed it at /etc/docker/certs.d/docker.mysite.jp\:5000/ca.crt

Then I tried curl, but it did not work:

$ curl https://docker.mysite.jp:5000/v2/ --cacert /etc/docker/certs.d/docker.mysite.jp\:5000/ca.crt
curl: (60) SSL: unable to obtain common name from peer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
OK, so I found there is a problem with TLS/SSL.

But how do I debug it, and where do I start?

Here is the log:

* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7f89b4800000)
* Connected to docker.mysite.jp (135.132.179.73) port 5000 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/docker/certs.d/docker.mysite.jp:5000/ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Mar 24 16:55:37 2020 GMT
*  expire date: Feb 29 16:55:37 2120 GMT
* SSL: unable to obtain common name from peer certificate
* Closing connection 0
curl: (60) SSL: unable to obtain common name from peer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I set the FQDN for the crt file. Then the error message changed:

* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x7fb4de806c00)
* Connected to docker.mysite.jp (135.132.179.73) port 5000 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/docker/certs.d/docker.mysite.jp:5000/ca.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

But when I restarted it with docker-compose down & docker-compose up, it was fixed.

Run curl with the -vvv option to see every step. You can also try tcpdump or Wireshark to look at every network operation, including at network layer 4.

"curl: (60) SSL: unable to obtain common name from peer certificate" - this says there is a problem with the certificate, but you have not given enough detail about the certificate: only the command lines used to create it, not the actual values entered at the various prompts. Specifically, what did you enter as the Common Name when creating the CSR/certificate, since that is the value it is complaining about. It should match the domain in the URL you are using.

I typed anything when creating server.csr…

Thanks, I put the FQDN into the crt and the message changed to "SSL certificate problem: self signed certificate". That must be progress, thanks for your help.

My problem is solved.