Docker Community Forums

Is anyone seeing errors/issues when trying to update the CVE security database?


(Patricknw) #1

I’m getting “Alert: There was a server error” messages when attempting to manually update the Security database. It worked yesterday, about 25 hours ago. But not today.

I did a manual “curl -v” from the node, and got the following back:

ubuntu@dtr-replica-0:~$ curl -v https://dss-cve-updates.docker.com:443/
*   Trying 54.192.143.175...
* Connected to dss-cve-updates.docker.com (54.192.143.175) port 443 (#0)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering http/1.1        
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: *.docker.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=*.docker.com
*        start date: Thu, 11 May 2017 00:00:00 GMT
*        expire date: Mon, 11 Jun 2018 12:00:00 GMT
*        issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: dss-cve-updates.docker.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Content-Length: 39
< Connection: keep-alive
< Date: Thu, 31 Aug 2017 21:35:36 GMT
< Last-Modified: Tue, 03 Jan 2017 19:45:22 GMT
< ETag: "39c603972d0723c941a6d42d6b07ad8d"
< Accept-Ranges: bytes
< Server: AmazonS3
< Age: 60
< X-Cache: Error from cloudfront
< Via: 1.1 b20a36f6809f60038027cfc2337597fe.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: cXpv7FhmnDJh4BdaB7dpMN9C7UEHBDH2goqxQy5QXdyo5xVci-d7Vw==
< 
403 Error: Missing key. Test response.
* Connection #0 to host dss-cve-updates.docker.com left intact
ubuntu@dtr-replica-0:~$ 

Is this something wrong on my end, or the remote end? It looks like a remote issue. Wondering if anyone else has seen anything like this? (If not, then it’s on my end, but I’m at a loss as to what it’s choking on.)

I can definitely reach the remote node, and even if my curl statement is wrong, the DTR installation should be able to do what it successfully did yesterday.


(Patrick Devine) #2

Hey Patrick,

The best (official) way to do this is to actually go through the Docker store and download the update w/ the URL that it generates for you. You can do it the way you’re attempting, but it looks like you’re not passing any auth credentials. I’m not sure what those headers are off the top of my head.


(Patricknw) #3

I was not attempting to use the curl to get the actual data, merely to
test that I was not running into a firewall issue, and could connect. I was
trying to use the automated update facility within DTR, and it refused to
play along on the second day, but it worked previously.

Thanks for the feedback. I will keep an eye out for this behavior in the
future. (This was not on a long-term installation, but on a training
lab installation for the classes that I teach. It has already been torn
down, and I will have a new one next week.)


(Sivam123) #4

I’m having a similar issue in Firefox, but surprisingly it worked in Chrome…


(Patrick Devine) #5

Are you still running into problems?


(Isaach) #6

Exact same problem here. Using DTR 2.5.0 - manual upload of tar file works, curl can reach the online host via the proxy that is also configured in DTR. But DTR claims to have a server error.


(Isaach) #7

I just resolved this for me - it appears that after I had installed DTR and started the online upgrade, /var/lib/docker was full, since the import of the database lets the postgres database grow substantially (5.5GB in my case). After that I never got online update to work.
I increased storage, still online updates did not work.
Then I reinstalled with enough storage from the beginning, and online updates worked again.