Docker Container Not Picking Up macOS's Internal Root Certificate

OS Version/build: macOS High Sierra 10.3.3

App version: Docker for Mac Version 17.12.0-ce-mac49 (21995)

Steps to reproduce:

1. Add the relevant internal root certificate to the System keychain: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/My_Internal_Root_CA_1.pem

2. Have a Dockerfile with the following directives:

FROM jenkins/jenkins:lts
RUN curl -v https://<my domain requiring internal root certificate>.com

3. Run docker build

Results:

Building from the Dockerfile fails with curl: (60) SSL certificate problem: self signed certificate in certificate chain.

From the documentation, it appears that the certificate should be available to the container after adding it to the Mac’s System keychain but that is not working. Additionally, I do not see the certificate in the /etc/ssl/certs/ folder on the container.

That setting for the Docker daemon only affects connections made by the daemon to pull and push images (if you docker pull requires-internal-root-certificate.com/foo/bar, then it will use that certificate). It doesn’t do anything to push certificates into images or containers. You’d have to manually push those into /etc/ssl in your Dockerfile (or do the required network fetches before running docker build).
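One way to do what the answer describes, as an added example that is not part of the original thread: bake the internal root CA into the image during the build. It assumes the PEM file from step 1 has been copied into the build context as certs/My_Internal_Root_CA_1.pem, and that the base image is Debian-based (as jenkins/jenkins:lts is), so update-ca-certificates is available.

```dockerfile
# Added example, not from the original thread. Installs an internal root CA
# into the container's system trust store so curl trusts it at build time.
# Assumption: the CA file sits in the build context at
# certs/My_Internal_Root_CA_1.pem (PEM format, as in step 1 of the question).
FROM jenkins/jenkins:lts

# The jenkins image switches to the unprivileged "jenkins" user; writing to
# the system trust store needs root, so switch back temporarily.
USER root

# Debian's update-ca-certificates only picks up files under
# /usr/local/share/ca-certificates/ whose name ends in .crt, so rename on copy.
COPY certs/My_Internal_Root_CA_1.pem /usr/local/share/ca-certificates/my-internal-root-ca.crt

# Regenerate /etc/ssl/certs/ and the ca-certificates.crt bundle that
# curl/OpenSSL read. This is what was missing in the failing build.
RUN update-ca-certificates

# Verify during the build: -f makes curl exit non-zero (failing the build)
# if the chain is still untrusted. The <...> placeholder is the one used in
# the question; replace it with the real host.
RUN curl -sSf https://<my domain requiring internal root certificate>.com -o /dev/null

# Drop privileges again so the image runs as the expected user.
USER jenkins
```

This covers curl and other OpenSSL-based tools; the JVM that runs Jenkins itself uses its own truststore (cacerts), so Jenkins plugins reaching the same host would need the certificate imported there separately with keytool.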