Docker repo has a Private CA generated SSL cert which works with Docker on Linux and boot2docker/docker machine on OS X. It should also work with Docker OS X beta if certs are installed correctly. I assume I do not have the root and intermediate certs installed correctly.
Actual behavior
certificate signed by unknown authority error
Information
The output of:
- pinata diagnose -u on OSX
- DockerDebugInfo.ps1 using PowerShell on Windows
- a reproducible case if this is a bug, Dockerfiles FTW
- page URL if this is a docs issue or the name of a man page
- host distribution and version (OSX 10.10.x, OSX 10.11.x, Windows, etc.)
I am seeing the same problem on Mac: unable to connect to a private docker registry with a properly signed SSL certificate.
Boot2docker VM (after appropriate setup) works w/o problems with the registry, same for Linux clients. No such luck with Docker for Mac. Connection with curl goes through but docker-pull does not. Placing root CA certs in /etc/docker/certs.d/ does not bring any improvements.
PS: had to modify some URLs to work around the limitation of "no more than 2 links for newbie users".
> pinata diagnose -u
OS X: version 10.11.4 (build: 15E65)
Docker.app: version v1.11.0-beta9
Running diagnostic tests:
[OK] docker-cli
[OK] Moby booted
[OK] driver.amd64-linux
[OK] vmnetd
[OK] osxfs
[OK] db
[OK] slirp
[OK] menubar
[OK] environment
[OK] Docker
[OK] VT-x
Docker logs are being collected into /tmp/20160429-121405.tar.gz
Most specific failure is: No error was detected
Your unique id is: DF002BF1-640F-4BF2-85CB-43B26EE8E035
Ok, I followed the suggestion in Adding (self signed) certificates to copy certificates inside the VM. It worked which is great, but the solution did not survive Docker restart.
Two questions:
- How can the certs be made persistent?
- Is there a way to automate/script the certs upload and deployment?
BTW, I copied the root CA certs to /usr/local/share/ca-certificates and ran update-ca-certificates. I don't think that has any impact on the (lack of) persistence of the uploaded certs.
I don't think we can move this to an issue dealing with an insecure registry. It is dealing with a secure registry. I do not want to disable certificate validation for my private registry. The last thing I need is to be susceptible to a man in the middle attack with my docker registry. We really need a viable option for dealing with CA certs being added to the VM.
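An added example, not from anyone in this thread: a small POSIX shell helper that installs a private CA for one registry host in the per-registry layout dockerd reads (/etc/docker/certs.d/<host>/ca.crt, the path mentioned above) and uses openssl to confirm that the certificate the registry presents really validates against that CA, so that marking the registry "insecure" never has to be the fallback. The function names, the DOCKER_CERTS_D override and the host registry.example.test are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for trusting a private CA per registry host.
# DOCKER_CERTS_D (assumed name) overrides /etc/docker/certs.d so the check can run in a scratch dir.

# Install a PEM CA bundle for one registry host into the certs.d layout dockerd expects.
# Prints the destination path; returns 1 if the input is not a PEM certificate.
install_registry_ca() {
    host="$1"; ca_pem="$2"
    base="${DOCKER_CERTS_D:-/etc/docker/certs.d}"
    grep -q 'BEGIN CERTIFICATE' "$ca_pem" || return 1
    mkdir -p "$base/$host"
    cp "$ca_pem" "$base/$host/ca.crt"
    printf '%s\n' "$base/$host/ca.crt"
}

# Verify a server certificate (PEM) against the CA installed for that host.
# Returns 0 when the chain validates, non-zero otherwise, which is the condition
# dockerd reports as "x509: certificate signed by unknown authority".
verify_against_registry_ca() {
    host="$1"; server_pem="$2"
    base="${DOCKER_CERTS_D:-/etc/docker/certs.d}"
    openssl verify -CAfile "$base/$host/ca.crt" "$server_pem" >/dev/null 2>&1
}

# Fetch the leaf certificate a live registry presents, as PEM on stdout
# (needs network access; run it to obtain the second argument for the verify step).
fetch_registry_cert() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}
```

On Docker for Mac at the time of this thread the certs.d directory has to exist inside the VM, so the same files would need re-applying after the restart described above.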
We hear you loud and clear. We absolutely need to find a way of loading certificates into the VM in such a way that they persist over reboot/updates. We're working on it, and I'll be sure to post an update here when we've got something to show you! Thanks for trying Docker for Mac!
Is it possible to load certificates from the System keychain? I installed my company's certificates in the System keychain but they are not forwarded to the docker daemon.
I've installed our certs to both the login and system keychains.
Using B2D/Docker-Machine; certs worked just fine.
Using the native client though; I get the following from our internal Secure Quay Repository:
docker pull registry.xyz.int/{PROJECT}/{IMAGE}
Using default tag: latest
Error response from daemon: Get https://registry.xyz.int/v1/_ping: x509: certificate signed by unknown authority
I'm able to pull from hub.docker.com just fine. This really needs to be fixed for the native client to be of any use in the enterprise.
Yes, I am surprised this has not gotten more attention. If your enterprise is using Private CA certs (and I believe many are or will be), this is a show stopper.
+1. We use a corporate internal C.A. for all certs and I can't really get around that. Hence I can only connect to my private registries if I tick "insecure".
I first reported this back in April. As others have said, this is a show-stopper for our organization. Is there any official update on the status or plans to fix?
Thank you. I should have mentioned I am now using that as a workaround but frankly it's too reminiscent of the command line option that too many tutorials start off with. "Let's ignore the security issues for now and we'll get back to it later" thinking. It's been my experience that something potentially bad happens before "later" gets here. It's the type of option I don't like to discuss.
I agree; it is something that really needs to be addressed by the core Docker team, and why they have yet to chime in on this thread really has me concerned for the native OSX and WIN clients' future.
Sure, they removed the need for B2D, but they are still utilizing a VM in both OSes: xhyve for OSX, and the WIN client requires Hyper-V.
I've also tried the method of running the docker container which injects the certs into the VM. But I had also set the insecure and mirror settings at the same time, so not sure if the container injection had any effect or not.