Docker Community Forums


Daemon won't stop starting after the TLS feature is applied

docker

(Musicaudience) #1

Daemon won't stop starting when the TLS feature is configured.

The latest log:

Full output of the diagnostics from "Diagnose & Feedback" in the menu
Docker for Mac: version: 17.12.0-ce-mac55 (18467c0ae7afb7a736e304f991ccc1a61d67a4ab)
macOS: version 10.13.3 (build: 17D102)
logs: /tmp/6DDE7673-1DF0-4B04-8747-C15BDA9B8110/20180305-193424.tar.gz
failure: docker ps failed: (Failure "docker ps: timeout after 10.00s")
[OK] vpnkit
[OK] vmnetd
[OK] dns
[OK] driver.amd64-linux
[OK] app
[OK] virtualization VT-X
[OK] moby
[OK] system
[OK] moby-syslog
[OK] kubernetes
[OK] env
[OK] virtualization kern.hv_support
[OK] moby-console
[OK] osxfs
[OK] logs
[ERROR] docker-cli
docker ps failed
[OK] disk
Failure: Could not upload diagnostic data to remote server (docker-diagnose exit code is 1)

The daemon configuration:
{
"debug" : true,
"tlskey" : "/Users/test_user/.ssh/trauto/server-key.pem",
"tlscert" : "/Users/test_user/.ssh/trauto/server-cert.pem",
"experimental" : false,
"tlsverify" : true,
"tlscacert" : "/Users/test_user/.ssh/ca/root/ca-cert.pem",
"log-level" : "debug"
}

scripts used to generate certs and keys:

  1. gen-ca.sh

#!/bin/bash
# Remove everything in the working directory except this script
# (the original piped the output of rm into egrep, which deletes nothing of use
# and, because the pattern said gen_ca.sh, would not have spared the script either).
find . -maxdepth 1 -type f ! -name "gen-ca.sh" -exec rm -f {} +
PASS=mypassword
# 4096-bit CA key, encrypted with AES-256 under $PASS
openssl genrsa -aes256 -passout pass:$PASS -out ca-key.pem 4096
# Self-signed CA certificate
openssl req -passin pass:$PASS -new -x509 -key ca-key.pem -out ca-cert.pem -sha256 -days 7500 -subj "/C=CN/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx/CN=xxxx"
chmod -v 0400 ca-key.pem
chmod -v 0444 ca-cert.pem

  2. gen.sh

#!/bin/bash
# Remove everything in the working directory except this script
find . -maxdepth 1 -type f ! -name "gen.sh" -exec rm -f {} +

PASS=mypassword
CAPATH=~/.ssh/ca/root
CAPASS=$PASS

# Unencrypted 4096-bit server key: dockerd loads it without prompting for a passphrase
openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server.csr -sha256 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=xxx/OU=xxx/CN=test.com"

# Extensions for the server cert: the names the daemon is reached by, plus serverAuth.
# '>' (not '>>') for the first line so a leftover extfile.cnf is not appended to.
# Note: the wildcard *.test.com does not cover the bare name test.com.
echo "subjectAltName = DNS:www.test.com,DNS:*.test.com,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

# Sign the CSR with the CA; -CAcreateserial writes $CAPATH/ca-cert.srl on first use
openssl x509 -sha256 -CAcreateserial -passin pass:$CAPASS -req -CA $CAPATH/ca-cert.pem -CAkey $CAPATH/ca-key.pem -in server.csr -out server-cert.pem -days 7500 -extfile extfile.cnf

rm server.csr
rm extfile.cnf
# The serial file is $CAPATH/ca-cert.srl, not ./.srl (the original rm failed);
# leave it in place so later certificates from this CA get distinct serial numbers.

chmod -v 0400 server-key.pem
chmod -v 0444 server-cert.pem

The mapping "127.0.0.1 => test.com" has already been set in the hosts file, but the daemon status is still "Docker starting..." and has lasted more than 30 minutes.
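The checks a TLS client applies to certificates produced the way gen-ca.sh and gen.sh produce them, as an added example that is not part of the original post or of Docker's own tooling. It rebuilds a throwaway CA and server certificate with the same openssl commands (2048-bit keys, a "demo-ca" subject and a mktemp working directory are assumptions for the demo), then verifies the chain, the serverAuth EKU and the name the daemon is reached by. It contrasts the SAN from the posted gen.sh, which has no bare test.com entry, with one that lists the apex name, and checks more names than the single host in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -eu

# make_test_pki DIR SAN
#   Writes ca-key.pem, ca-cert.pem, server-key.pem and server-cert.pem into DIR.
#   SAN is the subjectAltName value, e.g. "DNS:test.com,DNS:*.test.com,IP:127.0.0.1".
#   Key size, subjects and lifetimes are demo assumptions.
make_test_pki() {
    dir="$1"; san="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -sha256 -days 365 -subj "/CN=demo-ca"
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server-key.pem" -out "$dir/server.csr" \
        -sha256 -subj "/CN=test.com"
    # '>' not '>>': never append to a leftover extfile from an earlier run
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$san" > "$dir/extfile.cnf"
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -in "$dir/server.csr" -out "$dir/server-cert.pem" -extfile "$dir/extfile.cnf" 2>/dev/null
    rm -f "$dir/server.csr" "$dir/extfile.cnf"
}

# check_server_cert CA CERT NAME
#   Returns 0 only if CERT chains to CA, carries the serverAuth EKU, and matches
#   NAME (a DNS name or an IPv4 address) the way a TLS client matches it:
#   against the SAN entries only (the CN is ignored once a SAN is present), with
#   a wildcard *.test.com covering www.test.com but not the bare test.com.
check_server_cert() {
    ca="$1"; cert="$2"; name="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    case "$name" in
        *[!0-9.]*) result=$(openssl x509 -in "$cert" -noout -checkhost "$name") ;;
        *)         result=$(openssl x509 -in "$cert" -noout -checkip "$name") ;;
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate"
    case "$result" in
        *" does match "*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Demo: the SAN from the posted gen.sh versus one that also lists the apex name.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work/posted" "DNS:www.test.com,DNS:*.test.com,IP:127.0.0.1"
    make_test_pki "$work/apex"   "DNS:test.com,DNS:*.test.com,IP:127.0.0.1"
    for n in test.com www.test.com a.b.test.com 127.0.0.1; do
        for variant in posted apex; do
            if check_server_cert "$work/$variant/ca-cert.pem" "$work/$variant/server-cert.pem" "$n"; then
                echo "$variant cert, connecting to $n: OK"
            else
                echo "$variant cert, connecting to $n: REJECTED"
            fi
        done
    done
    rm -rf "$work"
}

demo
```

`openssl x509 -checkhost` gives the same verdicts a Go client such as the Docker CLI or dockerd reaches: with a SAN present the CN is not consulted, a wildcard label matches exactly one label, and an IP literal matches only an IP entry. Go additionally requires the serverAuth EKU, which is why the function checks it. So with the posted SAN, a client that connects as 127.0.0.1 or www.test.com passes, while one that connects as test.com (the name the hosts-file entry maps) is rejected; adding DNS:test.com to the SAN is the fix for that particular mismatch. The example does not claim this is what keeps the daemon in "starting"; it only shows how to confirm the certificates are acceptable before blaming them.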