{"id":8807,"date":"2022-03-24T12:18:20","date_gmt":"2022-03-24T17:18:20","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8807"},"modified":"2022-03-26T07:33:13","modified_gmt":"2022-03-26T12:33:13","slug":"ssl-connection-failure-from-docker-image","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8807","title":{"rendered":"SSL Connection Failure from Docker Image"},"content":{"rendered":"<p>We have a script that&#8217;s used to securely retrieve passwords &#8230; a script which failed when run from a Docker container.<\/p>\n<p><tt>* could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)<\/tt><\/p>\n<p>The root of the issue appears to be the Debian OS that the python:3.7-slim container image is built on. Newer releases of some Linux distributions ship a default openssl config that sets the <a href=\"https:\/\/www.openssl.org\/docs\/man1.1.1\/man3\/SSL_CTX_set_security_level.html\">SSL_CTX_set_security_level<\/a> value to a level that precludes communication with the password server: the &#8220;ca md too weak&#8221; error means the message digest used in the certificate chain does not meet that level.<\/p>\n<p>Remediating this at the server end is not a reasonable approach, so the client config needs to be changed to allow the connection to be established. Setting the security level to 1 allows the connection to proceed, so we proposed adding an instruction to the Dockerfile that uses sed to update the configuration parameter.<\/p>\n<p><tt>sed -i 's\/DEFAULT@SECLEVEL=2\/DEFAULT@SECLEVEL=1\/' \/etc\/ssl\/openssl.cnf<\/tt><\/p>\n<p>Once that setting was updated, the script worked perfectly, as it does on our physical and VM servers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have a script that&#8217;s used to securely retrieve passwords &#8230; a script which failed when run from a Docker container. 
* could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?) The root of the issue appears to be the Debian OS that &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[632,1429,1188,236],"class_list":["post-8807","post","type-post","status-publish","format-standard","hentry","category-coding","tag-bash","tag-curl","tag-shell","tag-ssl"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8807"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8807\/revisions"}],"predecessor-version":[{"id":8817,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8807\/revisions\/8817"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}