Private Certificate Authority SSL certs

Expected behavior

Docker repo has a Private CA generated SSL cert which works with Docker on Linux and boot2docker/docker machine on OS X. It should also work with Docker OS X beta if certs are installed correctly. I assume I do not have the root and intermediate certs installed correctly.

Actual behavior

certificate signed by unknown authority error

Information

  • the output of:
    • pinata diagnose -u on OSX
    • DockerDebugInfo.ps1 using Powershell on Windows
  • a reproducible case if this is a bug, Dockerfiles FTW
  • page URL if this is a docs issue or the name of a man page
  • host distribution and version ( OSX 10.10.x, OSX 10.11.x, Windows, etc )

Steps to reproduce the behavior

  1. …
  2. …
1 Like

I am seeing the same problem on Mac – unable to connect to private docker registry with properly signed SSL certificate.

Boot2docker VM (after appropriate setup) works w/o problems with the registry, same for Linux clients. No such luck with Docker for Mac. Connection with curl goes through but docker-pull does not. Placing root CA certs in /etc/docker/certs.d/ does not bring any improvements.

using system root CA certs

> curl -v https://dockerhub.xyz.com

  • Rebuilt URL to: https-//dockerhub.xyz.com/
  • Trying 10.24.0.106ā€¦
  • Connected to dockerhub.xyz.com (10.24.0.106) port 443 (#0)
  • TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Server certificate: dockerhub-vip.xyz.com
  • Server certificate: xyz ca-1
  • Server certificate: xyz root CA

GET / HTTP/1.1
Host: dockerhub.xyz.com
User-Agent: curl/7.43.0
Accept: */*

< HTTP/1.1 302 Found
< Server: nginx/1.8.0
< Date: Fri, 29 Apr 2016 00:15:43 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 29
< Connection: keep-alive
< Cache-Control: max-age=0, no-cache
< Location: /login
< Strict-Transport-Security: max-age=31536000
<
Found.

> docker pull dockerhub.xyz.com/me/hello-world
Using default tag: latest
Error response from daemon: Get https-//dockerhub.xyz.com/v1/_ping: x509: certificate signed by unknown authority

after placing root CA certs to /etc/docker/certs.d

> ls -l /etc/docker/certs.d/dockerhub.xyz.com/
total 24
-rw-r--r-- 1 root wheel 2842 Apr 28 17:27 xyz ca-1.crt
-rw-r--r-- 1 root wheel 1946 Apr 28 17:27 xyz root CA.crt
-rw-r--r-- 1 root wheel 3252 Apr 28 17:21 dockerhub-vip.crt

> docker pull dockerhub.xyz.com/me/hello-world
Using default tag: latest
Error response from daemon: Get https-//dockerhub.xyz.com/v1/_ping: x509: certificate signed by unknown authority

PS: had to modify some urls to work around the limitation of "no more than 2 links for newbie users"

> pinata diagnose -u
OS X: version 10.11.4 (build: 15E65)
Docker.app: version v1.11.0-beta9
Running diagnostic tests:
[OK] docker-cli
[OK] Moby booted
[OK] driver.amd64-linux
[OK] vmnetd
[OK] osxfs
[OK] db
[OK] slirp
[OK] menubar
[OK] environment
[OK] Docker
[OK] VT-x
Docker logs are being collected into /tmp/20160429-121405.tar.gz
Most specific failure is: No error was detected
Your unique id is: DF002BF1-640F-4BF2-85CB-43B26EE8E035

Ok, I followed the suggestion in Adding (self signed) certificates to copy certificates inside the VM. It worked which is great, but the solution did not survive Docker restart.

Two questions:

- How can the certs be made persistent
- Is there a way to automate/script the certs upload and deployment

BTW, I copied the root CA certs to /usr/local/share/ca-certificates and ran update-ca-certificates. I don't think that has any impact on the (lack of) persistence of the uploaded certs.

All of the above seem to correlate with the pinned topic:

Can we migrate the conversation there?

I don't think we can move this to an issue dealing with an insecure registry. It is dealing with a secure registry. I do not want to disable certificate validation for my private registry. The last thing I need is to be susceptible to a man-in-the-middle attack with my docker registry. We really need a viable option for dealing with CA certs being added to the VM.

We hear you loud and clear. We absolutely need to find a way of loading certificates into the VM in such a way that they persist over reboot/updates. We're working on it, and I'll be sure to post an update here when we've got something to show you! Thanks for trying Docker for Mac!

8 Likes

Adding another +1 to this, it's critical for us if we're going to have our engineers using Docker for Mac.

Is it possible to load certificates from the System keychain? I installed my company's certificates in the System keychain but they are not forwarded to the docker daemon.

I've installed our certs to both the login and system keychains.
Using B2D/Docker-Machine; certs worked just fine.
Using the native client though; I get the following from our internal Secure Quay Repository:
docker pull registry.xyz.int/{PROJECT}/{IMAGE}
Using default tag: latest
Error response from daemon: Get https://registry.xyz.int/v1/_ping: x509: certificate signed by unknown authority

I'm able to pull from hub.docker.com just fine. This really needs to be fixed for the native client to be of any use in the enterprise.

Yes, I am surprised this has not gotten more attention. If your enterprise is using Private CA certs (and I believe many are or will be), this is a show stopper.

Ideally Docker for Mac would make use of all available CA certs from the Keychain. Definitely one to sort out before the end of the Beta :slight_smile:

3 Likes

Bump +1. This is a critical feature that is stopping our adoption of Docker for Mac.

+1. We use a corporate internal C.A. for all certs and I can't really get around that. Hence I can only connect to my private registries if I tick "insecure".

And another +1 here. Loving the Beta, but we really do need this one please.

Same here. We need to be able to pull from our local, signed-with-a-CA-cert registry and we canā€™t.

I first reported this back in April. As others have said, this is a show-stopper for our organization. Is there any official update on the status or plans to fix?

So there is a workaround; though not ideal, it works.

  • Go to Moby > Preferences > Advanced
  • Click the '+' under Insecure Registries.
  • Enter in the fqdn of your registry; ex: registry.xyz.com
  • Then click the '+' under Registry Mirrors
  • Enter in the Secure URL to your registry; ex: https://registry.xyz.com
  • Click Apply & Restart

This should get it working for you.

3 Likes

Thank you. I should have mentioned I am now using that as a workaround but frankly it's too reminiscent of the command line option that too many tutorials start off with. "Let's ignore the security issues for now and we'll get back to it later" thinking. It's been my experience that something potentially bad happens before "later" gets here. It's the type of option I don't like to discuss. :frowning:

It really needs to be addressed properly.

Having the same problem. Hoping to see this resolved.

I agree; it is something that really needs to be addressed by the core Docker team; and why they have yet to chime in on this thread really has me concerned for the native OSX and WIN clients' future.
Sure; they removed the need for B2D; but they are still utilizing a VM; in both OSes. xhyve for OSX, and the WIN client requires HyperV.

I've also tried the method of running the docker container which injects the certs into the VM. But I had also set the insecure and mirror settings at the same time; so not sure if the container injection had any effect or not.