Docker – TLS (SSL) CA PEM Config for NodeJS and Scan Commands

Hi

In another series of posts relating to Docker configuration for NodeJS, I present the handful of commands that are handy and essential for configuring the enterprise TLS (SSL) CA certificate, in PEM format, inside the container.

In this post I take the current “getting-started” example from the Docker website and configure the in-between steps so that the entire tutorial works behind your enterprise security proxy (here Netskope, which inspects TLS traffic and re-signs server certificates with its own CA) in a secure manner, i.e. by trusting that CA rather than by switching certificate verification off.

Docker Tutorial:

https://docs.docker.com/get-started/

Following the tutorial on the website, when I reach the following step

docker build -t getting-started .

I come across the following error:

(SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:)

This is OpenSSL reporting that the certificate presented to the build (during `yarn install`) chains to an issuer the container does not trust: the proxy’s CA, not the registry’s public one. That leads to my first fix in this process: add the corporate CA certificates to the trust store in the project’s existing Dockerfile, and the initial build works again.

Before

# syntax=docker/dockerfile:1
FROM node:12-alpine
RUN apk add --no-cache python2 g++ make
WORKDIR /app
COPY . .
RUN yarn install --production
CMD ["node", "src/index.js"]

After (make sure you have copied the “cert” folder containing “nscacert.pem” and “nstenantcert.pem” into your project folder; these are the CA’s public certificates, so they are safe to bake into the image)

# syntax=docker/dockerfile:1
FROM node:12-alpine

# Add the enterprise (Netskope) CA certificates to the image's trust store so
# that TLS connections made during the build, and later at runtime, verify
# against them. ca-certificates.crt is Alpine's system CA bundle.
WORKDIR /etc/ssl/certs
COPY cert/nscacert.pem /etc/ssl/certs/nscacert.pem
COPY cert/nstenantcert.pem /etc/ssl/certs/nstenantcert.pem
RUN cat nscacert.pem nstenantcert.pem >> ca-certificates.crt

RUN apk add --no-cache python3 g++ make

WORKDIR /app
COPY . .
# Point yarn at the extended bundle so `yarn install` trusts the proxy's issuer
# (yarn does not read the system bundle on its own).
RUN yarn config set cafile /etc/ssl/certs/ca-certificates.crt
RUN yarn install --production
CMD ["node", "src/index.js"]

And voilà, your first new image builds successfully again. One caveat: the CA certificates are now part of the image’s trust store, so the running container will also trust anything signed by the enterprise CA. That is fine for an image that runs behind the same proxy, but keep it in mind before shipping the image anywhere else.
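As an added example (not code from the original post or from the Docker tutorial), the following shell script does what the `cat ... >> ca-certificates.crt` line does, but refuses files that contain no certificate block and skips certificates that are already in the bundle, so re-running it does not grow the trust store or glue two PEM blocks together. It relies only on awk, grep, tr and tail, which BusyBox provides in node:12-alpine, so no openssl is needed. The file names and the PEM bodies in the demo are constructed placeholders, not real certificates, and the script does not check that a block is a parseable X.509 certificate (add `openssl x509 -noout -in FILE` for that where openssl is available).

```shell
#!/bin/sh
# Added example, not code from the original post: merge corporate CA PEM files
# (such as Netskope's nscacert.pem / nstenantcert.pem) into a CA bundle without
# appending duplicates or files that contain no certificate block.
# Uses only BusyBox/coreutils tools (awk, grep, tr, tail), so it runs in
# node:*-alpine without openssl. Paths and sample PEM bodies are constructed.
set -eu

# Base64 body of the first certificate block in a PEM file, as one line.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       inblk                         { printf "%s", $0 }' "$1"
}

# Number of certificate blocks in a bundle (0 if the bundle does not exist).
count_certs() {
  if [ -f "$1" ]; then
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
  else
    echo 0
  fi
}

# add_ca_to_bundle BUNDLE PEMFILE
# Appends the first certificate block of PEMFILE to BUNDLE.
# Returns 0 if appended or already present, 2 if PEMFILE has no certificate.
add_ca_to_bundle() {
  bundle=$1
  pem=$2
  body=$(pem_body "$pem")
  if [ -z "$body" ]; then
    echo "refusing to add $pem: no PEM certificate block found" >&2
    return 2
  fi
  # Compare against the bundle with all whitespace stripped, so the same
  # certificate is recognised even if it was wrapped at a different width.
  if [ -f "$bundle" ] && tr -d '\n\r ' < "$bundle" | grep -qF -- "$body"; then
    echo "skip $pem: already present in $bundle" >&2
    return 0
  fi
  # Make sure the existing bundle ends with a newline before appending,
  # otherwise the END line of the last block and our BEGIN line would merge.
  if [ -f "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
    echo >> "$bundle"
  fi
  # Copy only the certificate block; drop any text before or after it.
  awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1 }
       inblk                         { print }
       /-----END CERTIFICATE-----/   { exit }' "$pem" >> "$bundle"
  echo "added $pem to $bundle" >&2
}

# Write a PEM-framed placeholder (NOT a real certificate) for the demo.
write_fake_pem() {
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$2" \
    '-----END CERTIFICATE-----' > "$1"
}

# Demo on constructed input: a bundle holding one certificate plus the two
# corporate CA files, one of them added twice, and one non-certificate file.
# Prints the final number of certificates in the bundle.
demo_merge() {
  dir=$(mktemp -d)
  bundle=$dir/ca-certificates.crt
  write_fake_pem "$bundle"               'placeholder-public-root-ca'
  write_fake_pem "$dir/nscacert.pem"     'placeholder-netskope-root-ca'
  write_fake_pem "$dir/nstenantcert.pem" 'placeholder-netskope-tenant-ca'
  printf 'not a certificate\n' > "$dir/README.txt"

  add_ca_to_bundle "$bundle" "$dir/nscacert.pem"
  add_ca_to_bundle "$bundle" "$dir/nstenantcert.pem"
  add_ca_to_bundle "$bundle" "$dir/nscacert.pem"   # second run: skipped
  if add_ca_to_bundle "$bundle" "$dir/README.txt"; then
    echo "unexpected: non-certificate file was accepted" >&2
    return 1
  fi
  count_certs "$bundle"   # original root plus the two corporate CAs
  rm -rf "$dir"
}

demo_merge
```

In the Dockerfile, COPY the script next to the PEM files and replace the `RUN cat` line with a single RUN that invokes it once per certificate; the build still fails loudly (exit status 2) if a copied file is not a certificate, instead of silently appending junk to the trust store.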

The rest of the tutorial should now be easy to follow, until you reach the step where the image is scanned by the third-party service Snyk:

docker scan getting-started

A few seconds after this command is executed, it fails with another certificate-verification error.

It took me some time to work out the internal configuration of this command. It turns out that “docker scan” hands off to a separate application, the Snyk CLI, which is installed alongside Docker.

The “snyk.exe” application icon looked like NodeJS’s, and on further investigation I found that the Snyk CLI is a packaged NodeJS application, so NodeJS’s TLS configuration applies to it. To make “docker scan” work, all we need to do is set environment variables on the host so that Node validates TLS connections against our CA PEM file.

Run “sysdm.cpl” (System Properties > Advanced > Environment Variables) and set the following variables:

NODE_EXTRA_CA_CERTS – C:\ProgramData\netskope\stagent\data\nscacert.pem

NODE_TLS_REJECT_UNAUTHORIZED – 1 (this is Node’s default, so the setting only makes it explicit; never set it to 0, which disables certificate verification entirely and defeats the point of adding the CA)

Afterwards, restart your terminal/VS Code so the new environment variables are loaded; Node reads NODE_EXTRA_CA_CERTS once, at process start-up.

And there you go: “docker scan” should now run successfully as expected.

I hope the above tricks help in jump-starting your Docker journey.
