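X509 parsing error, 'negative serial number' when pulling a repository

Our servers access the internet through a proxy. When I try to run a pull command such as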

sudo docker run -t -i ubuntu:14.04 /bin/bash 

I get the following error:

 Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse certificate from server: x509: negative serial number 

The wget command wget -S -d -O - https://get.docker.io produces the following output:

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.
    URI encoding = `UTF-8'
    --2014-08-27 17:13:46-- https://get.docker.io/
    Connecting to :… connected.
    Created socket 3.
    Releasing 0x00000000016829f0 (new refcount 0).
    Deleting unused 0x00000000016829f0.
    ---request begin---
    CONNECT get.docker.io:443 HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==
    ---request end---
    proxy responded with: HTTP/1.1 200 Connection established
    Date: Wed, 27 Aug 2014 11:49:52 GMT
    Age: 0
    Via: 1.0 xaahshshhds
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
    certificate:
      subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
      issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
    ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
      Unable to locally verify the issuer's authority.
    To connect to get.docker.io insecurely, use `--no-check-certificate'.
    Closed 3/SSL 0x00000000016831c0

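Please give me some guidance on how to resolve this.

Edit:

I have now disabled the proxy for this IP range, but I still get the same error. The command wget -S -d -O - https://get.docker.io now gives the output below: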

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.
    URI encoding = `UTF-8'
    --2014-09-04 11:26:12-- https://get.docker.io/
    Resolving get.docker.io (get.docker.io)... 162.242.195.77
    Caching get.docker.io => 162.242.195.77
    Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
    Created socket 3.
    Releasing 0x00000000022d8fd0 (new refcount 1).
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
    certificate:
      subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
      issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    X509 certificate successfully verified and matches host get.docker.io
    ---request begin---
    GET / HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Accept: */*
    Host: get.docker.io
    Connection: Keep-Alive
    ---request end---
    HTTP request sent, awaiting response...
    ---response begin---
    HTTP/1.1 503 Service Unavailable
    Server: nginx/1.7.1
    Date: Thu, 04 Sep 2014 06:03:28 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache
    ---response end---
      HTTP/1.1 503 Service Unavailable
      Server: nginx/1.7.1
      Date: Thu, 04 Sep 2014 06:03:28 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Cache-Control: no-cache
    Registered socket 3 for persistent reuse.
    Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1> No server is available to handle this request. </body></html> ] done.
    2014-09-04 11:26:13 ERROR 503: Service Unavailable.

    subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
    issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany

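It looks like your company's proxy uses SSL interception to inspect SSL traffic, which means you get a certificate signed by the company's proxy CA instead of the original certificate. It also looks like this proxy CA is not trusted by your system, so validation fails.

I would suggest that you contact your firewall administrator about how to deal with this. They will either add an exception for SSL inspection, or they will tell you which certificates you need to import as trusted on your system.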

This should be fixed for any Docker compiled with Go 1.6+, see: https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f.
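
To check whether a given certificate carries a negative serial number, the condition named in the error message, the serialNumber field can be read directly from the DER encoding. This is an added example, not part of the original question or answers; the helper names and the skeleton sample certificates (only the fields up to serialNumber) are constructed for illustration.

```python
import ssl
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def certificate_serial(der):
    """Serial number of a DER certificate as a signed integer (may be negative)."""
    tag, pos, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag == 0x30:
        tag, pos, _ = read_tlv(der, pos)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected Certificate and tbsCertificate SEQUENCEs")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, start, end = read_tlv(der, end)
    if tag != 0x02 or start == end:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)  # top bit set => negative

def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the samples)."""
    return bytes([tag, len(body)]) + body

def sample_cert(serial_bytes):
    """Constructed skeleton: version + serialNumber only, not a complete certificate."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes))
    return tlv(0x30, tbs)

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to a PEM certificate saved from the server
        with open(sys.argv[1]) as fh:
            certs = {sys.argv[1]: ssl.PEM_cert_to_DER_cert(fh.read())}
    else:                                  # constructed samples: same bytes, without/with 0x00 pad
        certs = {"no padding": sample_cert(b"\x9a\x3f\x01\x7c"),
                 "0x00 padded": sample_cert(b"\x00\x9a\x3f\x01\x7c")}
    for name, der in certs.items():
        serial = certificate_serial(der)
        print(name, serial, "NEGATIVE" if serial < 0 else "ok")
```

Run without arguments it checks the two constructed samples; given the path of a PEM file it checks that certificate instead.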