Adding (self signed) certificates

marco565 · July 27, 2016, 1:19pm

Thanks to @drewish I customize its script to make it work with my current version of docker-for-mac (1.12.0-rc4-beta20 build:10404).

Go there https://gist.github.com/marco565/42981b77c1cfda83627da4c5a870f178 and download the script
run it like this ./add-custom-certificate.sh /path/directory/script certName

PS: This action will have to be repeated each time docker for mac starts

peterabbott · August 6, 2016, 5:21am

I was able to get this working without the need for a custom script or connecting to VM to restart daemon is to place the cert in the certs.d folder. If only we could automate it during start up like boot2docker had with bootlocal.sh

Each time I get a x509 self signed cert error I am able to do this command, (pointing to a directory of root certs). Where pwd is the directory that contains a folder with some certs. Works a treat and doesn’t require connecting to the VM

docker run -v $(pwd):/data/local -v /etc/docker:/data/docker centos:7 bash -c "mkdir -p /data/docker/certs.d/docker.io;cat /data/local/certs/*.pem > /data/docker/certs.d/docker.io/ca.crt"

gesellix · August 6, 2016, 8:57pm

Thanks to @gesellix, @klippx, @drewish, @marco565, and @peterabbott we now have several convenience methods to get the Docker daemon working with your own certificates:

generate new certificates or use existing ones, then use a container to copy them into the vm: Adding (self signed) certificates - the base image is available on the Docker Hub
modified version using only existing certificates: Adding (self signed) certificates - you’ll need to build the base image
use existing certificates and copy them via shell: Adding (self signed) certificates
the same, but as updated gist: Adding (self signed) certificates
similar to the first ones, but in a more manual way, again by using a container: Adding (self signed) certificates - you can use any base image with a shell

amouat · November 30, 2016, 4:43pm

I wrote a bit about this here: http://container-solutions.com/adding-self-signed-registry-certs-docker-mac/

gesellix · November 30, 2016, 9:49pm

Thanks for the backlink!

Please see https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates for an update.

Certificates are read from the Mac Keychain when you’re using a recent version of Docker for Mac. The Mac Keychain can also be accessed on the command line with the security add-certificates command. See https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html for details.

amouat · November 30, 2016, 9:53pm

Yeah, I just found that out (the post is updated, I think I may have deleted the forum link to avoid confusion though). I completely failed to find the official documentation though, so thanks for the link.

mbarr · December 12, 2016, 9:27pm

Is there a solution for using client certs from the Keychain?

safaci2000 · December 13, 2016, 4:09am

IN case anyone is still having an issue with this. I believe this is in the stable version as well, but there’s an option in the gui to ‘insecure registries’. Just add the hostname of your docker registry and it will work flawlessly w/o having to go through the hoops described in this thread.

Unless there’s different use case where you need to install an SSL / TLS certificate, I think this is much easier.

mbarr · December 13, 2016, 5:52am

Ignoring SSL/TLS means that you have no assurances that the hostbyou are talking to is really the one you expect.

If you have custom Root CA’s, you probably have a reason to want to use them and validate the connection.

As for client certificates: it lets us validate that the client side is an authorized node, in a way that would be very hard to attack, and we can actually use that CN for authn as well.

I’m hoping this is possible, or that there are more details around on the way the docker VM gets info about the trusted CA’s, so we can work on a pull request to enable client certa. I really don’t want to have to export them to disk just to use them with docker.

safaci2000 · December 14, 2016, 2:47am

Well, imo if you care that much about security you should just obtain a valid SSL certificate.

Though granted the ignore invalid ssl is not the same as adding your own self signed certificate.

mbarr · December 14, 2016, 4:03am

I’m not worried about using the CA. That part works great.

This is a question about using a client certificate. This question is still relevant no matter the CA that signed the client cert.

I’m looking for internals on how the CA from keychain is implemented, and if if doesn’t transmit the Client cert, then a pointer to the code so we can maybe try to add the feature. We’re happy to help, and do the work…

noderunner · December 16, 2016, 6:24pm

This is what I’m waiting for as well. We are still using the Toolbox version of Docker because we need to install client certificates into the VM in order to access our private registry.

All we really need is a way to mount in a “client.crt” and “client.key” into the xhyve VM in the right place when it starts up. Either that, or some way to tell Docker which certificates/keys in the Mac Keychain it should use for client authentication.

mbarr · January 10, 2017, 6:49pm

I think you might be able to add them to the git DB, but i’m wondering if a new top level question will help find an answer.

noderunner · January 31, 2017, 10:46pm

It looks like there is still no progress on this. We need to be able to do this with Docker for Mac: https://docs.docker.com/engine/security/certificates/

How do we do that?

ginsul · May 2, 2018, 5:58pm

Any news on this front?

heise · October 24, 2019, 8:41am

(repeating Docker Private Registry: x509: certificate signed by unknown authority): You can add the host to “Insecure registries”:

Docker-Desktop Icon -> Preferences -> Daemon
“Insecure registries”, click +
“your-registry.com” einfügen
click “Apply & Restart”