Docker Container Not Picking Up macOS's Internal Root Certificate

edst · February 21, 2018, 3:52am

OS Version/build: macOS High Sierra 10.3.3

App version: Docker for Mac Version 17.12.0-ce-mac49 (21995)

Steps to reproduce:

1. Add the relevant internal root certificate to the System keychain: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/My_Internal_Root_CA_1.pem

2. Have a Dockerfile with the following directives:

FROM jenkins/jenkins:lts
RUN curl -v https://<my domain requiring internal root certificate>.com

3. Run docker build

Results:

Building from the Dockerfile fails with curl: (60) SSL certificate problem: self signed certificate in certificate chain.

From the documentation, it appears that the certificate should be available to the container after adding it to the Mac’s System keychain but that is not working. Additionally, I do not see the certificate in the /etc/ssl/certs/ folder on the container.

dmaze · February 21, 2018, 11:23am

That setting for the Docker daemon only affects connections made by the daemon to pull and push images (if you docker pull requires-internal-root-certificate.com/foo/bar then it will use that certificate). It doesn’t do anything to push certificates into images or containers. You’d have to manually push those into /etc/ssl in your Dockerfile (or do the required network fetches before running docker build).

Topic		Replies	Views
Self signed certificate for docker command-line Docker Desktop	1	6759	July 14, 2016
Dockerfile and ADD from an URL with self-signed ceritificate General	5	2762	April 7, 2016
Where do I store self signed certs Docker Desktop docker , beta	4	4207	June 23, 2016
(Solved) How to add your own self-signed certs to Docker for Mac (no more x509) Docker Desktop beta	1	2793	July 1, 2016
Issues with proxy and self-signed CA certs Docker Desktop	0	1887	May 27, 2016

Docker Container Not Picking Up macOS's Internal Root Certificate

Related topics