Cannot add Nexus registries even though the certificate has already been put in Anchore
IndraWiradinataK opened this issue · 1 comment
Is this a request for help?:
Cannot add Nexus registries even though the certificate has already been put in Anchore, either using the CLI or the API (from the application).
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable:
Anchore Engine version: 1.1.0
What happened:
A registry that needs TLS/SSL verification (value=True) cannot be added to the registries list in Anchore, even though the certificate for the registry has already been planted into Anchore.
What did you expect to happen:
The registry should be added to Anchore even with TLS/SSL verification set to true, because the certificate for the registry has already been planted in Anchore.
Any relevant log output from /var/log/anchore:
From the event in Anchore:
Error: cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.<Corp_Hostname>:50001/,21059309) - exception: HTTPSConnectionPool(host='nexus.<Corp_Hostname>', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4265)')))
HTTP Code: 406
Detail: {'error_codes': []}
From the log:
[service:api] 2022-03-01 07:07:50+0000 [_GenericHTTPChannelProtocol,500932,192.168.15.1] [PoolThread-twisted.internet.reactor-1] [anchore_engine.clients.services.internal/dispatch()] [ERROR] Failed client call to service catalog for url: http://anchore-anchore-engine-catalog:8082/v1/system/registries. Response: {'httpcode': 406, 'anchore_error_raw': 'b\'{\n "detail": {\n "error_codes": []\n },\n "httpcode": 406,\n "message": "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.<corp_hostname>:50001/,21059309) - exception: HTTPSConnectionPool(host=\\'nexus.<corp_hostname>.co.id\\', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, \\'[X509] PEM lib (_ssl.c:4265)\\')))"\n}\n\'', 'anchore_error_json': {'detail': {'error_codes': []}, 'httpcode': 406, 'message': "cannot ping supplied registry with supplied credentials - exception: failed check to access registry (https://nexus.<corp_hostname>:50001/,21059309) - exception: HTTPSConnectionPool(host='nexus.<corp_hostname>.id', port=50001): Max retries exceeded with url: /v2/ (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4265)')))"}}
What docker images are you using:
min4tozaki/anchore-engine:1.0.0 (using filebeat)
Dockerfile for adding the certificate (self-signed certificate):
FROM <IMAGE_ANCHORE_v1>
# Root is needed to write into the system and certifi trust stores.
USER root:root
# System (OpenSSL) trust store: picked up by update-ca-trust below.
COPY ./<NEXUS_CERT>.pem /etc/pki/ca-trust/source/anchors/
# Python trust store: requests/urllib3 read certifi's cacert.pem, not the system store.
COPY ./your_cert.cer /usr/local/lib/python3.8/site-packages/certifi/
COPY ./another_cert.cer /usr/local/lib/python3.8/site-packages/certifi/
# Assumes every .cer is PEM text ending in a newline; a DER file or a missing
# trailing newline corrupts cacert.pem and OpenSSL then rejects the whole bundle.
RUN cat /usr/local/lib/python3.8/site-packages/certifi/*_cert.cer >> /usr/local/lib/python3.8/site-packages/certifi/cacert.pem
RUN update-ca-trust
How to reproduce the issue:
Anchore is deployed in OpenShift, with a custom deployment not using Helm. Nexus can be accessed from the OpenShift pods, since it is outside OpenShift. I am assuming that OpenShift is in the intranet. Here are the deployment files
Anything else we need to know:
When we do image scanning against the intended Nexus registry it is always successful.
We tried to test using
curl <DNS_NEXUS>
&
Test SSL Python:
$> python3
>>> import urllib.request
>>> print(urllib.request.urlopen('https://<DNS_NEXUS>/').read())
Both succeeded against the default HTTPS port, but against 50001 we got error code 400 Bad Request.
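The `[X509] PEM lib` error in the log is raised by OpenSSL while parsing the CA bundle itself, which the Dockerfile above builds by appending `.cer` files to certifi's `cacert.pem`; one malformed block makes OpenSSL reject the entire file, so verification then fails for every host. As an added example (not code from the issue or from Anchore), a small linter that flags the usual causes of a bad block and then loads the bundle exactly as the `ssl` module does; the certificate bodies used as samples are constructed placeholders, not real certificates.

```python
"""Lint a concatenated CA bundle before Python's ssl module sees it.

Added example, not from the issue or Anchore. load_verify_locations()
rejects the whole cafile with SSLError '[X509] PEM lib' when any single
block is malformed, so one bad .cer appended to certifi's cacert.pem
breaks TLS verification for every host, not just the one it was meant for.
"""
import re
import ssl
import tempfile

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
BLOCK = re.compile(BEGIN + rb"\r?\n(?P<body>.*?)" + END, re.DOTALL)
B64_LINE = re.compile(rb"^[A-Za-z0-9+/=]+$")


def lint_bundle(data: bytes) -> list:
    """Return a list of structural problems; an empty list means clean."""
    problems = []
    if BEGIN not in data:
        problems.append("no PEM blocks found (empty file, or a DER .cer)")
    if data.count(BEGIN) != data.count(END):
        problems.append("BEGIN/END marker count differs: a block is truncated")
    # `cat a.cer b.cer >> cacert.pem` where a.cer lacks a final newline gives
    # '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' on one line.
    if re.search(END + rb"[^\r\n]", data):
        problems.append("END marker not followed by a newline: blocks are fused")
    for n, m in enumerate(BLOCK.finditer(data), 1):
        bad = [ln for ln in m.group("body").splitlines() if ln and not B64_LINE.match(ln)]
        if bad:
            problems.append(f"block {n}: non-base64 line {bad[0][:20]!r}")
    # Anything left after removing well-formed blocks should be plain ASCII.
    if any(b > 0x7F for b in BLOCK.sub(b"", data)):
        problems.append("binary bytes outside PEM blocks: DER appended as-is")
    return problems


def load_error(data: bytes):
    """Load the bundle the way requests/urllib3 do; return error text or None."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as f:
        f.write(data)
        f.flush()
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=f.name)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return str(exc)
    return None
```

Run `lint_bundle()` and `load_error()` on the image's `/usr/local/lib/python3.8/site-packages/certifi/cacert.pem` after the `RUN cat` step to confirm the appended files did not corrupt the bundle.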
Closed, because it has already been solved.