Docker Community Forums

Adding (self signed) certificates

I also found I didn’t need to restart the service… in fact, when I’d try to restart it, it would never succeed.

I ended up coming up with this bash script to automate the cert installation:

#!/bin/bash

# This assumes the cert is in the same directory as the script
source="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# You'll want to update this to reflect your repo's host and port
destination=/etc/docker/certs.d/example.net:1234

# The Docker for Mac VM exposes a serial console as a tty file; writing to it
# types into the VM's console.
tty=~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty

# Send a new line to wake it up, then login as root with a blank password
cat <<HERE > "$tty"

root

HERE

# Give it a second to get logged in, copy the cert and log back out
sleep 1
cat <<HERE > "$tty"
mkdir -p "$destination"
cp "$source/My_Cert.crt" "$destination"
exit

HERE

Do you mean the restart doesn’t work?

Correct, it would never start back up.

This solution worked for me: https://github.com/klippx/inject-docker-certs

Thanks to @drewish, I customized the script to make it work with my current version of docker-for-mac (1.12.0-rc4-beta20 build:10404).

Go to https://gist.github.com/marco565/42981b77c1cfda83627da4c5a870f178 and download the script,
then run it like this: ./add-custom-certificate.sh /path/directory/script certName

PS: This action will have to be repeated each time Docker for Mac starts.

The way I was able to get this working, without the need for a custom script or connecting to the VM to restart the daemon, was to place the cert in the certs.d folder. If only we could automate it during start up like boot2docker had with bootlocal.sh.

Each time I get an x509 self-signed cert error I am able to run this command (pointing to a directory of root certs), where pwd is the directory that contains a folder with some certs. Works a treat and doesn’t require connecting to the VM:

docker run -v "$(pwd)":/data/local -v /etc/docker:/data/docker centos:7 bash -c "mkdir -p /data/docker/certs.d/docker.io; cat /data/local/certs/*.pem > /data/docker/certs.d/docker.io/ca.crt"
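The one-liner above (and the tty script earlier in the thread) copies whatever sits in a folder into ca.crt, so a private key left next to the root certs would be concatenated into the daemon's trust file. As an added example, not from any poster here and not Docker's own tooling, this POSIX shell function stages the same /etc/docker/certs.d/<host:port>/ layout, keeps private keys out of ca.crt, and copies an optional client.cert/client.key pair (the file names the Docker engine documentation uses for client authentication); the registry name, source directory and certs.d root are arguments the caller supplies.

```shell
#!/bin/sh
# Hypothetical helper (constructed for this thread, not part of Docker):
# stage_registry_certs <host:port> <source-dir> [certs.d-root]
# Builds <certs.d-root>/<host:port>/ca.crt from every certificate PEM in
# <source-dir>, refusing files that contain a private key, and copies
# client.cert/client.key if both are present.
stage_registry_certs() {
  registry="$1"
  src="$2"
  root="${3:-/etc/docker/certs.d}"
  dest="$root/$registry"
  mkdir -p "$dest"
  : > "$dest/ca.crt"
  for f in "$src"/*.pem "$src"/*.crt; do
    [ -f "$f" ] || continue
    # A key is never a trust anchor; never let it land in ca.crt.
    if grep -q 'PRIVATE KEY-----' "$f"; then
      echo "skipping $f: contains a private key, not a CA certificate" >&2
      continue
    fi
    if ! grep -q 'BEGIN CERTIFICATE-----' "$f"; then
      echo "skipping $f: no PEM certificate block" >&2
      continue
    fi
    cat "$f" >> "$dest/ca.crt"
  done
  # Optional mutual-TLS material, named as the engine expects it.
  if [ -f "$src/client.cert" ] && [ -f "$src/client.key" ]; then
    cp "$src/client.cert" "$dest/client.cert"
    cp "$src/client.key" "$dest/client.key"
    chmod 0600 "$dest/client.key"
  fi
  count=$(grep -c 'BEGIN CERTIFICATE-----' "$dest/ca.crt" || true)
  if [ "$count" -eq 0 ]; then
    echo "no CA certificates staged for $registry" >&2
    return 1
  fi
  echo "$count CA certificate(s) staged in $dest"
}
```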

Thanks to @gesellix, @klippx, @drewish, @marco565, and @peterabbott we now have several convenience methods to get the Docker daemon working with your own certificates:

I wrote a bit about this here: http://container-solutions.com/adding-self-signed-registry-certs-docker-mac/

Thanks for the backlink!

Please see https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates for an update.

Certificates are read from the Mac Keychain when you’re using a recent version of Docker for Mac. The Mac Keychain can also be accessed on the command line with the security add-certificates command. See https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html for details.

Yeah, I just found that out (the post is updated, I think I may have deleted the forum link to avoid confusion though). I completely failed to find the official documentation though, so thanks for the link.

Is there a solution for using client certs from the Keychain?

In case anyone is still having an issue with this: I believe this is in the stable version as well, but there’s an option in the GUI for ‘insecure registries’. Just add the hostname of your Docker registry and it will work flawlessly without having to go through the hoops described in this thread.

Unless there’s different use case where you need to install an SSL / TLS certificate, I think this is much easier.

Ignoring SSL/TLS means that you have no assurances that the host you are talking to is really the one you expect.

If you have custom Root CAs, you probably have a reason to want to use them and validate the connection.

As for client certificates: it lets us validate that the client side is an authorized node, in a way that would be very hard to attack, and we can actually use that CN for authn as well.

I’m hoping this is possible, or that there are more details around on the way the Docker VM gets info about the trusted CAs, so we can work on a pull request to enable client certs. I really don’t want to have to export them to disk just to use them with Docker.

Well, IMO if you care that much about security you should just obtain a valid SSL certificate.

Though granted, the ‘ignore invalid SSL’ option is not the same as adding your own self-signed certificate.

I’m not worried about using the CA. That part works great.

This is a question about using a client certificate. This question is still relevant no matter the CA that signed the client cert.

I’m looking for internals on how the CA from the Keychain is implemented, and if it doesn’t transmit the client cert, then a pointer to the code so we can maybe try to add the feature. We’re happy to help, and do the work…

This is what I’m waiting for as well. We are still using the Toolbox version of Docker because we need to install client certificates into the VM in order to access our private registry.

All we really need is a way to mount in a “client.crt” and “client.key” into the xhyve VM in the right place when it starts up. Either that, or some way to tell Docker which certificates/keys in the Mac Keychain it should use for client authentication.

I think you might be able to add them to the git DB, but I’m wondering if a new top-level question will help find an answer.

It looks like there is still no progress on this. We need to be able to do this with Docker for Mac: https://docs.docker.com/engine/security/certificates/

How do we do that?

Any news on this front?