
Portainer edge agent does not respect custom rootca used by portainer server. And EDGE_INSECURE_POLL does not ignore the cert issue #208

Open
N0K0 opened this issue Aug 30, 2021 · 2 comments

Comments

@N0K0

N0K0 commented Aug 30, 2021

Hi! I got a weird issue with the edge agent.

What I can see:

```
2021/08/30 07:15:41 [ERROR] [internal,edge,stack] [message: an error occured during stack management] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]
2021/08/30 07:15:41 [ERROR] [internal,edge,poll] [message: an error occured during short poll] [error: Get https://osl-portainer1:9000/api/endpoints/15/edge/stacks/1: x509: certificate signed by unknown authority]
```

What I expected:

That Portainer respects the cert bundle added to /usr/local/share/ca-certificates/, as per this SO post: https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from

Or that EDGE_INSECURE_POLL would make it ignore the cert.

# Misc

Docker-compose file:

```yaml
version: '3.6'

services:
  agent:
    image: portainer_agent:latest
    hostname: portainer_agent
    container_name: portainer_agent
    environment:
      EDGE: '1'
      EDGE_ID: ${EDGE_ID:?}
      EDGE_KEY: ${EDGE_KEY:?}
      CAP_HOST_MANAGEMENT: '1'
      EDGE_INSECURE_POLL: '1'
      LOG_LEVEL: 'debug'
    volumes:
      - /var/lib/docker/volumes:/var/lib/docker/volumes
      - /var/run/docker.sock:/var/run/docker.sock
      - /:/host
      - portainer_data:/data

    restart: always

volumes:
  portainer_data:
```

Dockerfile:

```dockerfile
ARG image_tag
FROM portainer/agent:${image_tag:-alpine}

ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/

ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/
```

It did not work without the ENV settings either.
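The two expectations in the report (that a Go binary picks up an extra root CA from the bundle SSL_CERT_FILE / SSL_CERT_DIR point at, and that an "insecure poll" switch would otherwise skip verification) can be reproduced outside Portainer. The following Go program is an added example, not Portainer's agent code: it starts a local TLS server whose certificate no system root signs, then contacts it with three clients: Go's default trust (system roots only, which is where the environment variables come in), a client that additionally trusts a PEM bundle standing in for ca-certificates.crt (loaded explicitly into tls.Config.RootCAs, which does not depend on the environment variables), and a client with InsecureSkipVerify, which is what an insecure-poll option amounts to. The names newClient, fetch and demo, and the trust-mode constants, are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Trust modes for the demo client (hypothetical names for this example).
type trustMode int

const (
	trustSystemRoots     trustMode = iota // default Go behaviour: system roots only
	trustCustomBundle                     // system roots plus an extra PEM CA bundle
	trustNothingInsecure                  // InsecureSkipVerify: no verification at all
)

// newClient builds an http.Client whose TLS trust is chosen by mode.
// caBundlePEM is only consulted for trustCustomBundle.
func newClient(mode trustMode, caBundlePEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch mode {
	case trustSystemRoots:
		// RootCAs == nil: Go loads the host roots lazily. On Linux that honours
		// SSL_CERT_FILE / SSL_CERT_DIR first, then the distro default paths.
	case trustCustomBundle:
		pool, err := x509.SystemCertPool()
		if err != nil {
			pool = x509.NewCertPool() // e.g. a scratch image with no roots at all
		}
		if ok := pool.AppendCertsFromPEM(caBundlePEM); !ok {
			return nil, errors.New("no certificates parsed from CA bundle")
		}
		cfg.RootCAs = pool
	case trustNothingInsecure:
		// Disables chain AND hostname verification: any certificate presented by
		// whatever answers at the server address is accepted.
		cfg.InsecureSkipVerify = true
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// fetch performs one GET and reports whether the verifier rejected the chain
// with x509.UnknownAuthorityError, the error class seen in the agent log.
func fetch(c *http.Client, url string) (status int, unknownAuthority bool, err error) {
	resp, err := c.Get(url)
	if err != nil {
		var uae x509.UnknownAuthorityError
		return 0, errors.As(err, &uae), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

// demo runs all three modes against a local TLS server (its self-signed CA
// certificate is not in any system root store) and returns one verdict per
// mode: "unknown authority", "verified" or "unverified".
func demo() (map[string]string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	// Constructed stand-in for ca-certificates.crt: the test server's CA cert as PEM.
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	modes := map[string]trustMode{
		"system-roots":  trustSystemRoots,
		"custom-bundle": trustCustomBundle,
		"insecure":      trustNothingInsecure,
	}
	out := make(map[string]string, len(modes))
	for name, mode := range modes {
		c, err := newClient(mode, bundle)
		if err != nil {
			return nil, err
		}
		status, unknown, err := fetch(c, srv.URL)
		switch {
		case unknown:
			out[name] = "unknown authority"
		case err != nil:
			return nil, fmt.Errorf("%s: %w", name, err)
		case status != http.StatusOK:
			out[name] = fmt.Sprintf("unexpected status %d", status)
		case mode == trustNothingInsecure:
			out[name] = "unverified" // the request worked, but nothing about the peer was checked
		default:
			out[name] = "verified"
		}
	}
	return out, nil
}

func main() {
	res, err := demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"system-roots", "custom-bundle", "insecure"} {
		fmt.Printf("%-14s %s\n", name, res[name])
	}
}
```

The "system-roots" client reproduces the log line above; the "custom-bundle" client is the fix you actually want, since the agent then still verifies the server's name and chain. The "insecure" client also stops the error, but only by trusting whatever presents a certificate at the configured address, which is why an insecure-poll switch is a troubleshooting aid rather than a substitute for distributing the root CA.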

@huib-portainer

Hi, that might actually be solved in one of our preview versions.
Please give it a try by using the images portainerci/agent:kubernetes-edge-stacks and portainerci/portainer:pr5276 and let us know how it's working.
Note that this is a development build and should not be used in a production environment.

@N0K0

N0K0 commented Aug 31, 2021

Hey. I have tried swapping out the Portainer server as suggested. Fixed the ports that have changed++; I still get the same issue.

Running it with this command to test.

```shell
docker run -d -p 443:9443 -p 9433:9433 -p 9000:9443 -p 8000:8000 --name portainer_pr --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /etc/pki/tls/private/:/keys -v /etc/pki/tls/certs/:/certs -v portainer_data:/data portainerci/portainer:pr5276 --ssl --sslcert /certs/wild.crt --sslkey /keys/wild.key
```

The agent has also been swapped:

```dockerfile
FROM portainerci/agent:kubernetes-edge-stacks

ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV SSL_CERT_DIR=/etc/ssl/certs/

# Can't use curl++ since it's a scratch container
ADD ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ADD ca-certificates.crt /usr/local/share/ca-certificates/
```

Any more logs I should provide, for example? :)
