Docker Community Forums


Installing custom registry certificates with docker-machine

(Paul Martin) #1

Is there a preferred way of adding custom registry certificates into docker-machines? Certificates have to be placed into /etc/docker/certs.d/<hostname>/ca.crt (as described in …). Unfortunately /etc/docker is owned by root, so docker-machine scp cannot be used (because it runs as docker).

My current solution is to pipe the contents of the certificate (and a mkdir command) to docker-machine ssh, but it is a bit ugly, and these changes are lost whenever docker-machine restarts.

# Send a mkdir plus a quoted echo of the certificate to the machine's shell over docker-machine ssh
echo "sudo mkdir -p /etc/docker/certs.d/; \
   echo "\""$(cat ~/certs/my-registry.crt)"\"" | \
   sudo tee -a /etc/docker/certs.d/" \
   | docker-machine ssh my-machine

Is there a better solution / how can I persist these changes? Could something be added as an option to docker-machine create (to be consistent with --engine-insecure-registry) and/or as an additional command?

(Paul Martin) #2

After re-reading the boot2docker docs(!), I can make the certificate survive machine restarts by copying it as a .pem file to /var/lib/boot2docker/certs (though again this is owned by root, so I have to use docker-machine ssh). This works ok, but needs a restart to do the copy (though that could probably be avoided if my initial suggestion of copying the certificate into /etc/docker/certs.d/<hostname>/ca.crt was used as well).

# Same trick, but writing the .pem into the boot2docker persistence directory, then restarting so it is applied
echo "sudo mkdir -p /var/lib/boot2docker/certs; \
   echo "\""$(cat ~/Dev/dockertest/certs/"\"" | \
   sudo tee -a /var/lib/boot2docker/certs/" \
   | docker-machine ssh my-machine
docker-machine restart my-machine

Is there a better way?
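The two approaches above (write to /etc/docker/certs.d/<hostname>/ca.crt so the daemon trusts the registry right away, and write a .pem into /var/lib/boot2docker/certs so the trust survives a restart) can be combined in one script. The script below is an added example for this thread, not code from the posts or from docker-machine itself. It stages the file with docker-machine scp in /tmp (which the unprivileged docker user can write) and then moves it into the root-owned directories with sudo over docker-machine ssh, so no restart is needed. Assumptions not verified by the thread: the VM is boot2docker-based, the docker user has passwordless sudo, and docker-machine ssh with no command argument executes the script it receives on stdin (the same behaviour the one-liners above rely on). The name DOCKER_MACHINE is my own hook for substituting the command under test; the registry and paths used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum posts or docker-machine): install a private
# registry's CA certificate into a docker-machine VM so that it is trusted
# immediately AND survives a restart.
#
#   /etc/docker/certs.d/<registry>/ca.crt     read by the daemon when pulling
#   /var/lib/boot2docker/certs/<name>.pem     re-applied by boot2docker on boot
#
# Assumed, not verified here: boot2docker VM, the "docker" user can write /tmp
# and has passwordless sudo, and docker-machine ssh runs the script on stdin.
set -eu

DOCKER_MACHINE="${DOCKER_MACHINE:-docker-machine}"   # hook used by the tests

# True if the file looks like a PEM certificate; stops a DER file or a private
# key from being dropped into the trust directories by mistake.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# The registry name is interpolated into a script that runs under sudo on the
# VM, so refuse anything outside the characters a host[:port] can contain.
check_registry_name() {
  case "$1" in
    ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# /var/lib/boot2docker/certs is flat; derive one file name per registry and
# replace ':' so the name is portable (registry.example.com:5000 -> ..._5000.pem).
pem_name() {
  printf '%s.pem' "$(printf '%s' "$1" | tr ':' '_')"
}

# Emit the script that runs on the VM. Paths are single-quoted; the registry
# name has already been checked to contain no quote or shell metacharacters.
build_remote_script() {
  registry="$1"
  staging="$2"
  persisted="/var/lib/boot2docker/certs/$(pem_name "$registry")"
  cat <<EOF
set -e
sudo mkdir -p '/etc/docker/certs.d/$registry' /var/lib/boot2docker/certs
sudo cp '$staging' '/etc/docker/certs.d/$registry/ca.crt'
sudo cp '$staging' '$persisted'
sudo chmod 0644 '/etc/docker/certs.d/$registry/ca.crt' '$persisted'
rm -f '$staging'
EOF
}

# install_registry_ca <machine> <registry-host[:port]> <ca.crt>
install_registry_ca() {
  machine="$1"
  registry="$2"
  cert="$3"
  is_pem_cert "$cert" || { echo "refusing: $cert is not a PEM certificate" >&2; return 1; }
  check_registry_name "$registry" || { echo "refusing: bad registry name '$registry'" >&2; return 1; }
  staging="/tmp/$(pem_name "$registry")"
  # docker-machine scp runs as the unprivileged docker user, so stage in /tmp ...
  "$DOCKER_MACHINE" scp "$cert" "$machine:$staging"
  # ... then move the file into the root-owned directories with sudo over ssh.
  build_remote_script "$registry" "$staging" | "$DOCKER_MACHINE" ssh "$machine"
}

# Direct use (placeholder values):
#   sh install-registry-ca.sh my-machine registry.example.com:5000 ~/certs/my-registry.crt
if [ $# -eq 3 ]; then
  install_registry_ca "$1" "$2" "$3"
fi
```

The directory name under certs.d must match the host[:port] exactly as it appears in image references, which is why the script takes the registry name as an argument rather than deriving it from the certificate. After it runs, a pull against the registry from a client pointed at the machine should succeed without a restart; the .pem copy only matters on the next boot, as the second post describes.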

(Cdaringe) #3

It's an old issue, but what did you land on? Any improved experience?

It's slightly confusing, because docker-machine on create says:

Provisioning with boot2docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...

but it's not clear what certs those are. I expected the certs on my host to be present in /etc/docker/certs.d/, but as you noted, they are not, and I had to create them manually.