Docker container can't curl, SSL wrong version number


I've edited my question to contain more info about my original problem; oddly, the problem still persists in the toy image. So, if someone ever has this problem again, this is what solved it for me.

The multi-stage Dockerfile. It seems both stages need to have access to the proxy envs.

# This image only builds the go binaries
FROM golang:1.10-alpine as goalpine-image

ARG http_proxy
ARG https_proxy

ENV HTTP_PROXY $http_proxy
ENV HTTPS_PROXY $https_proxy

# Build envs
ENV FULL_PATH /go/src/<project-name>

WORKDIR $FULL_PATH

# Add the source code:

ADD . $FULL_PATH

# Build it:
RUN cd $FULL_PATH \
    && apk update \
    && apk add --no-cache curl \
    && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/<project-name>

# This image holds the binaries from the previous

FROM alpine:3.7

ENV HTTP_PROXY $http_proxy
ENV HTTPS_PROXY $https_proxy

RUN apk update \
    && apk add --no-cache bash curl \
    && mkdir build

# Working directory for the runtime image
ENV WORK_DIR=/build

WORKDIR $WORK_DIR

COPY --from=goalpine-image /go/src/<project-name>/bin ./

CMD ["./<project-name>"]

Building:

Make sure to set http_proxy and https_proxy as environment variables; mine are in /etc/profile.

docker build --rm --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy --network host -t <project-name>:multi-stage .

Running:

docker container run --rm --network host <project-name>:multi-stage
Aristu
Author by

Aristu

Software Engineer & Curator at the Library of Babel.

Updated on July 26, 2022
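
An added example (not part of the original answer or the poster's code): with an `https://` scheme in the proxy URL, curl negotiates TLS with the proxy itself, which fails with `wrong version number` when the proxy port speaks plain HTTP, and any proxy value set through `ENV`, credentials included, stays readable in the image configuration. The hypothetical helper `audit_proxy_env` flags both conditions in a list of environment lines; the sample input is constructed from the placeholder values on this page.

```shell
#!/bin/sh
# Added example. Reads KEY=VALUE lines on stdin, e.g. the output of
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' IMAGE
# and prints "NAME FINDINGS REDACTED_URL" for every proxy variable.
audit_proxy_env() {
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            http_proxy|https_proxy|HTTP_PROXY|HTTPS_PROXY) ;;
            *) continue ;;
        esac
        findings=""
        # An https:// proxy URL means "speak TLS to the proxy itself".
        case "$value" in
            https://*) findings="tls-to-proxy" ;;
        esac
        # Split off the scheme so the authority (user:pass@host:port) is isolated.
        case "$value" in
            *://*) scheme="${value%%://*}://"; rest=${value#*://} ;;
            *)     scheme=""; rest=$value ;;
        esac
        authority=${rest%%/*}
        case "$authority" in
            *@*)
                findings="${findings:+$findings,}embedded-credentials"
                # Redact the userinfo before printing anything.
                value="${scheme}***@${authority##*@}${rest#"$authority"}"
                ;;
        esac
        printf '%s %s %s\n' "$name" "${findings:-ok}" "$value"
    done
}

# Constructed sample: the environment of an image built with the proxy baked in.
sample_env() {
    cat <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HTTP_PROXY=http://my_user:my_pass@company_proxy:3128/
HTTPS_PROXY=https://my_user:my_pass@company_proxy:3128/
NO_PROXY=localhost,127.0.0.0/8
EOF
}

sample_env | audit_proxy_env
```

A `tls-to-proxy` finding is only a problem when the proxy port does not terminate TLS; an `embedded-credentials` finding on an image means the password ships with every copy of that image.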

Comments

  • Aristu
    Aristu almost 2 years

    I'm developing behind a company proxy, using Linux Mint Sylvia (Docker was installed via the Ubuntu 16.04.3 Xenial source).

    $ docker -v
    Docker version 17.12.1-ce, build 7390fc6
    

    I've followed these steps to actually download some images via docker pull.

    My http-proxy.conf:

    $ cat /etc/systemd/system/docker.service.d/http-proxy.conf 
    [Service]
    Environment="HTTP_PROXY=http://my_user:my_pass@company_proxy:3128/"
    Environment="HTTPS_PROXY=https://my_user:my_pass@company_proxy:3128/"
    Environment="NO_PROXY=localhost,127.0.0.0/8"
    

    My /etc/default/docker:

    # If you need Docker to use an HTTP proxy, it can also be specified here.
    #export http_proxy="http://127.0.0.1:3128/"
    export http_proxy="http://my_user:my_pass@company_proxy:3128"
    export https_proxy="https://my_user:my_pass@company_proxy:3128"
    export HTTP_PROXY="http://my_user:my_pass@company_proxy:3128"
    export HTTPS_PROXY="https://my_user:my_pass@company_proxy:3128"
    

    I need to run curl inside a multi-stage Alpine container. For simplicity, I've built this simple image, which is similar to what I'm trying to accomplish and has the same error.

    FROM alpine:3.7
    
    ENV HTTP_PROXY http://my_user:my_pass@company_proxy:3128
    ENV HTTPS_PROXY https://my_user:my_pass@company_proxy:3128
    
    RUN apk add --no-cache curl
    
    CMD ["curl","-v","--tlsv1","https://www.docker.io/"]
    

    Built with

    $ docker build --network host --rm -t test/alpine:curl .
    

    Running without --network host.

    $ docker run --rm test/alpine:curl                      
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Could not resolve proxy: company_proxy
    * Closing connection 0
    curl: (5) Could not resolve proxy: company_proxy
    

    Running with --network host.

    $ docker run --network host --rm test/alpine:curl
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.2.255.0...
    * TCP_NODELAY set
    * Connected to company_proxy (10.2.255.0) port 3128 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    } [233 bytes data]
    * error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
    

    I'm a beginner with Docker and have tested this image in 2 wifi networks (both without proxy); the containers ran fine. Any hints on what might be causing this SSL error?


    Edit: This is my original problem. I have a multi-stage Docker image that runs Go code to curl something from Firebase.

    // main.go
    package main
    
    import (
        "os/exec"
        "os"
        "log"
    )
    
    func main() {
        c := exec.Command("curl","--tlsv1","-kv","-X","PATCH","-d",`{"something" : "something"}`, `https://<firebase-link>`);
    
        c.Stdout = os.Stdout
        c.Stderr = os.Stderr
        err := c.Run()
        checkerr(err)
    }
    
    
    // checkerr logs the error and exits; log.Fatal calls os.Exit(1),
    // so nothing placed after it would run.
    func checkerr(err error) {
        if err != nil {
            log.Fatal(err.Error())
        }
    }
    

    The original Dockerfile:

    # This image only builds the go binaries
    FROM golang:1.10-alpine as goalpine-image
    
    ENV HTTP_PROXY http://my_user:my_pass@company_proxy:3128
    ENV HTTPS_PROXY https://my_user:my_pass@company_proxy:3128
    ENV FULL_PATH /go/src/<project-name>
    
    WORKDIR $FULL_PATH
    
    # Add the source code:
    
    ADD . $FULL_PATH
    
    # Build it:
    RUN cd $FULL_PATH \
        && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/<project-name>
    
    # This image holds the binaries from the previous
    
    FROM alpine
    
    RUN apk add --no-cache bash curl \
        && mkdir build
    
    ENV WORK_DIR=/build
    
    WORKDIR $WORK_DIR
    
    COPY --from=goalpine-image /go/src/<project-name>/bin ./
    
    CMD ["./<project-name>"]
    
  • Aleh
    Aleh over 5 years
    Before the first stage you declare ENV HTTPS_PROXY $https_proxy but before second stage it is ENV HTTPS_PROXY $http_proxy. I had a similar issue with proxy supporting HTTPS connections at exactly the same URL as HTTP (i.e. http:// scheme for both HTTP and HTTPS).
  • Aristu
    Aristu over 5 years
    Thanks @Aleh, it's a typo! :)