Bug: (v2.20) Could not add remote Docker host: API with TLS-enabled #11665

Open
2 tasks done
leo9800 opened this issue Apr 23, 2024 · 4 comments

leo9800 commented Apr 23, 2024

Before you start please confirm the following.

Problem Description

Could not add a Docker standalone environment via API if TLS is enabled. Probably because of incorrect handling of the URL.

Expected Behavior

Environment added to Portainer, without any issue.

Actual Behavior

Portainer failed to establish a connection to the environment, emitting the log pasted under "Portainer logs or screenshots".

Steps to Reproduce

  1. Log into Portainer
  2. Go to Environment-related -> Environments
  3. Click Add environment
  4. Select Docker Standalone and click Start Wizard
  5. Select API
  6. Enter Name and Docker API URL
  7. Toggle TLS on
  8. Upload server cert, client cert and client key
  9. Click Connect
  10. Error pops up at top-right corner

Portainer logs or screenshots

Error during connect: Get "http://address-of-remote-docker-host:9007/_ping": EOF

Portainer version

2.20.1

Portainer Edition

Business Edition (BE/EE) with 5NF / 3NF license

Platform and Version

Docker 26.0.2

OS and Architecture

Arch Linux, AMD64

Browser

Firefox 125.0.2

What command did you use to deploy Portainer?

x-logging:
  &default-logging
  driver: 'journald'
  options:
    tag: '{{.Name}}'

services:
  portainer:
    container_name: portainer
    # 2.20.1 as of writing this bug report
    image: portainer/portainer-ee:alpine-sts
    ports:
      - 127.0.0.10:50900:9000
    environment:
      - VIRTUAL_HOST=hostname-omitted
      - VIRTUAL_PORT=443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    restart: unless-stopped
    logging: *default-logging

Additional Information

No response


leo9800 commented Apr 23, 2024

Dived deeper:

I have just wiresharked on the remote docker environment (which exposed its docker socket at address-of-remote-docker-host:9007 with TLS enabled) and run the Steps to Reproduce again, then I got this:

Screenshot from 2024-04-23 12-55-42-censored

Please notice that:

  1. It is an HTTP request to a TLS-enabled docker daemon socket, while a TLS handshake is expected in the packet capture.
  2. /_ping in the URL of the HTTP request also occurred in the Portainer log, which indicates this request was sent by Portainer.

It seems the problem is that Portainer is talking to a TLS-enabled docker daemon in plaintext HTTP, despite the TLS switch being toggled on in the new environment wizard.
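
The check made by eye in the packet capture above can be automated on the daemon side by looking at the first bytes a client sends. The following is an added example, not part of the original comment and not Portainer or Docker code; the names `Kind`, `Classify` and `SniffConn` are hypothetical and the sample payloads are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
)

// Kind labels what a client sent first on a freshly accepted connection.
type Kind string

const (
	TLSHandshake  Kind = "tls-handshake"
	PlaintextHTTP Kind = "plaintext-http"
	Unknown       Kind = "unknown"
)
var httpMethods = []string{"GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "OPTIONS ", "PATCH "}

// Classify inspects a client's first bytes: a TLS handshake record starts with
// 0x16 0x03; a plaintext HTTP/1.x request starts with an ASCII method and a space.
func Classify(first []byte) Kind {
	if len(first) >= 3 && first[0] == 0x16 && first[1] == 0x03 && first[2] <= 0x04 {
		return TLSHandshake
	}
	for _, m := range httpMethods {
		if bytes.HasPrefix(first, []byte(m)) {
			return PlaintextHTTP
		}
	}
	return Unknown
}

// SniffConn peeks at the first 8 bytes of conn without consuming them, so the
// returned reader can still be handed to the real protocol handler.
func SniffConn(conn net.Conn) (Kind, *bufio.Reader, error) {
	r := bufio.NewReader(conn)
	first, err := r.Peek(8)
	if len(first) == 0 {
		return Unknown, r, err
	}
	return Classify(first), r, nil
}

func main() {
	// Constructed samples: the /_ping request line from the log, then a TLS record header.
	fmt.Println(Classify([]byte("GET /_ping HTTP/1.1\r\n\r\n")))
	fmt.Println(Classify([]byte{0x16, 0x03, 0x01, 0x02, 0x00, 0x01}))
}
```

A `plaintext-http` result on a port that is supposed to serve TLS identifies a client that has fallen back to unencrypted HTTP, which is the condition this issue describes.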


leo9800 commented Apr 23, 2024

Besides, I could confirm that there is no issue with the certificates, since I tried connecting to address-of-remote-docker-host:9007 on my computer with the same certificates and keys:

$ docker --tlsverify --tlscacert /path/to/server.crt --tlscert /path/to/client.crt --tlskey /path/to/client.key -H address-of-remote-docker-host:9007 version
Client:
 Version:           26.0.2
 API version:       1.45
 Go version:        go1.22.2
 Git commit:        3c863ff8d3
 Built:             Fri Apr 19 07:36:40 2024
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          26.0.2
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.22.2
  Git commit:       7cef0d9cd1
  Built:            Fri Apr 19 07:36:40 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.15
  GitCommit:        926c9586fe4a6236699318391cd44976a98e31f1.m
 runc:
  Version:          1.1.12
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

@Herr-Sepp

Duplicate of #11606

@Herr-Sepp

Was fixed with Release 2.20.2
#11518
