Thanks to @drewish I customize its script to make it work with my current version of docker-for-mac (1.12.0-rc4-beta20 build:10404).

Go there https://gist.github.com/marco565/42981b77c1cfda83627da4c5a870f178 and download the script
run it like this ./add-custom-certificate.sh /path/directory/script certName

PS: This action will have to be repeated each time docker for mac starts

I was able to get this working without the need for a custom script or connecting to VM to restart daemon is to place the cert in the certs.d folder. If only we could automate it during start up like boot2docker had with bootlocal.sh

Each time I get a x509 self signed cert error I am able to do this command, (pointing to a directory of root certs). Where pwd is the directory that contains a folder with some certs. Works a treat and doesn’t require connecting to the VM

docker run -v $(pwd):/data/local -v /etc/docker:/data/docker centos:7 bash -c "mkdir -p /data/docker/certs.d/docker.io;cat /data/local/certs/*.pem > /data/docker/certs.d/docker.io/ca.crt"

Thanks to @gesellix, @klippx, @drewish, @marco565, and @peterabbott we now have several convenience methods to get the Docker daemon working with your own certificates:

• generate new certificates or use existing ones, then use a container to copy them into the vm: Adding (self signed) certificates - the base image is available on the Docker Hub
• modified version using only existing certificates: Adding (self signed) certificates - you’ll need to build the base image
• use existing certificates and copy them via shell: Adding (self signed) certificates
• the same, but as updated gist: Adding (self signed) certificates
• similar to the first ones, but in a more manual way, again by using a container: Adding (self signed) certificates - you can use any base image with a shell

I wrote a bit about this here: http://container-solutions.com/adding-self-signed-registry-certs-docker-mac/

Thanks for the backlink!

Please see https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates for an update.

Certificates are read from the Mac Keychain when you’re using a recent version of Docker for Mac. The Mac Keychain can also be accessed on the command line with the security add-certificates command. See https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html for details.

Yeah, I just found that out (the post is updated, I think I may have deleted the forum link to avoid confusion though). I completely failed to find the official documentation though, so thanks for the link.

Is there a solution for using client certs from the Keychain?

IN case anyone is still having an issue with this. I believe this is in the stable version as well, but there’s an option in the gui to ‘insecure registries’. Just add the hostname of your docker registry and it will work flawlessly w/o having to go through the hoops described in this thread.

Unless there’s different use case where you need to install an SSL / TLS certificate, I think this is much easier.

Ignoring SSL/TLS means that you have no assurances that the hostbyou are talking to is really the one you expect.

If you have custom Root CA’s, you probably have a reason to want to use them and validate the connection.

As for client certificates: it lets us validate that the client side is an authorized node, in a way that would be very hard to attack, and we can actually use that CN for authn as well.

I’m hoping this is possible, or that there are more details around on the way the docker VM gets info about the trusted CA’s, so we can work on a pull request to enable client certa. I really don’t want to have to export them to disk just to use them with docker.

Well, imo if you care that much about security you should just obtain a valid SSL certificate.

Though granted the ignore invalid ssl is not the same as adding your own self signed certificate.

I’m not worried about using the CA. That part works great.

This is a question about using a client certificate. This question is still relevant no matter the CA that signed the client cert.

I’m looking for internals on how the CA from keychain is implemented, and if if doesn’t transmit the Client cert, then a pointer to the code so we can maybe try to add the feature. We’re happy to help, and do the work…

This is what I’m waiting for as well. We are still using the Toolbox version of Docker because we need to install client certificates into the VM in order to access our private registry.

All we really need is a way to mount in a “client.crt” and “client.key” into the xhyve VM in the right place when it starts up. Either that, or some way to tell Docker which certificates/keys in the Mac Keychain it should use for client authentication.

I think you might be able to add them to the git DB, but i’m wondering if a new top level question will help find an answer.

It looks like there is still no progress on this. We need to be able to do this with Docker for Mac: https://docs.docker.com/engine/security/certificates/

How do we do that?

Any news on this front?

(repeating Docker Private Registry: x509: certificate signed by unknown authority): You can add the host to “Insecure registries”:

1. Docker-Desktop Icon -> Preferences -> Daemon
2. “Insecure registries”, click +
3. “your-registry.com” einfügen
4. click “Apply & Restart”