Docker Community Forums


Private Certificate Authority SSL certs


(Carl J. Mosca) #1

Expected behavior

The Docker repo has a private-CA-generated SSL cert which works with Docker on Linux and with boot2docker/docker-machine on OS X. It should also work with the Docker for OS X beta if the certs are installed correctly. I assume I do not have the root and intermediate certs installed correctly.

Actual behavior

certificate signed by unknown authority error

Information

  • the output of:
    • pinata diagnose -u on OSX
    • DockerDebugInfo.ps1 using Powershell on Windows
  • a reproducible case if this is a bug, Dockerfiles FTW
  • page URL if this is a docs issue or the name of a man page
  • host distribution and version ( OSX 10.10.x, OSX 10.11.x, Windows, etc )

Steps to reproduce the behavior


(Misho Krastev) #2

I am seeing the same problem on Mac: unable to connect to a private Docker registry with a properly signed SSL certificate.

The boot2docker VM (after appropriate setup) works without problems with the registry, and so do Linux clients. No such luck with Docker for Mac. The connection with curl goes through but docker pull does not. Placing the root CA certs in /etc/docker/certs.d/ does not bring any improvement.

using system root CA certs

> curl -v https://dockerhub.xyz.com
* Rebuilt URL to: https://dockerhub.xyz.com/
*   Trying 10.24.0.106...
* Connected to dockerhub.xyz.com (10.24.0.106) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: dockerhub-vip.xyz.com
* Server certificate: xyz ca-1
* Server certificate: xyz root CA
> GET / HTTP/1.1
> Host: dockerhub.xyz.com
> User-Agent: curl/7.43.0
> Accept: */*

< HTTP/1.1 302 Found
< Server: nginx/1.8.0
< Date: Fri, 29 Apr 2016 00:15:43 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 29
< Connection: keep-alive
< Cache-Control: max-age=0, no-cache
< Location: /login
< Strict-Transport-Security: max-age=31536000
<
Found.

> docker pull dockerhub.xyz.com/me/hello-world
Using default tag: latest
Error response from daemon: Get https://dockerhub.xyz.com/v1/_ping: x509: certificate signed by unknown authority

after placing the root CA certs in /etc/docker/certs.d

> ls -l /etc/docker/certs.d/dockerhub.xyz.com/
total 24
-rw-r--r-- 1 root wheel 2842 Apr 28 17:27 xyz ca-1.crt
-rw-r--r-- 1 root wheel 1946 Apr 28 17:27 xyz root CA.crt
-rw-r--r-- 1 root wheel 3252 Apr 28 17:21 dockerhub-vip.crt

> docker pull dockerhub.xyz.com/me/hello-world
Using default tag: latest
Error response from daemon: Get https://dockerhub.xyz.com/v1/_ping: x509: certificate signed by unknown authority

PS: I had to modify some URLs to work around the limitation of “no more than 2 links for newbie users”.

> pinata diagnose -u
OS X: version 10.11.4 (build: 15E65)
Docker.app: version v1.11.0-beta9
Running diagnostic tests:
[OK] docker-cli
[OK] Moby booted
[OK] driver.amd64-linux
[OK] vmnetd
[OK] osxfs
[OK] db
[OK] slirp
[OK] menubar
[OK] environment
[OK] Docker
[OK] VT-x
Docker logs are being collected into /tmp/20160429-121405.tar.gz
Most specific failure is: No error was detected
Your unique id is: DF002BF1-640F-4BF2-85CB-43B26EE8E035


(Misho Krastev) #3

OK, I followed the suggestion in “Adding (self signed) certificates” to copy the certificates inside the VM. It worked, which is great, but the solution did not survive a Docker restart.

Two questions:

- How can the certs be made persistent?
- Is there a way to automate/script the certs upload and deployment?

BTW, I copied the root CA certs to /usr/local/share/ca-certificates and ran update-ca-certificates. I don’t think that has any impact on the (lack of) persistence of the uploaded certs.


(Frenchben) #4

All of the above seem to correlate with the pinned topic:

Can we migrate the conversation there?


(Adam Englander) #5

I don’t think we can move this to an issue dealing with an insecure registry. It is dealing with a secure registry. I do not want to disable certificate validation for my private registry. The last thing I need is to be susceptible to a man in the middle attack with my docker registry. We really need a viable option for dealing with CA certs being added to the VM.


(Dave Tucker) #6

We hear you loud and clear. We absolutely need to find a way of loading certificates into the VM in such a way that they persist over reboots/updates. We’re working on it, and I’ll be sure to post an update here when we’ve got something to show you! Thanks for trying Docker for Mac!


(Masonck) #7

Adding another +1 to this, it’s critical for us if we’re going to have our engineers using Docker for Mac.


(Hypnoce) #8

Is it possible to load certificates from the System keychain? I installed my company’s certificates in the System keychain but they are not forwarded to the Docker daemon.


(Krylon360v2) #9

I’ve installed our certs to both the login and system keychains.
Using B2D/Docker-Machine; certs worked just fine.
Using the native client though; I get the following from our internal Secure Quay Repository:
docker pull registry.xyz.int/{PROJECT}/{IMAGE}
Using default tag: latest
Error response from daemon: Get https://registry.xyz.int/v1/_ping: x509: certificate signed by unknown authority

I’m able to pull from hub.docker.com just fine. This really needs to be fixed for the native client to be of any use in the enterprise.


(Carl J. Mosca) #10

Yes, I am surprised this has not gotten more attention. If your enterprise is using private CA certs (and I believe many are or will be), this is a show stopper.


(Brad Macpherson) #11

Ideally Docker for Mac would make use of all available CA certs from the Keychain. Definitely one to sort out before the end of the Beta :)


(Degan) #12

Bump +1. This is a critical feature that is stopping our adoption of Docker for Mac.


(Kevinlong206) #13

+1. We use a corporate internal CA for all certs and I can’t really get around that. Hence I can only connect to my private registries if I tick “insecure”.


(Rocketeer125) #14

And another +1 here. Loving the Beta, but we really do need this one please.


(Joe McMahon) #15

Same here. We need to be able to pull from our local, signed-with-a-CA-cert registry and we can’t.


(Carl J. Mosca) #16

I first reported this back in April. As others have said, this is a show-stopper for our organization. Is there any official update on the status or plans to fix?


(Krylon360v2) #17

So there is a workaround; though not ideal, it works.

  • Go to Moby > Preferences > Advanced
  • Click the ‘+’ under Insecure Registries.
  • Enter the FQDN of your registry, e.g. registry.xyz.com
  • Then click the ‘+’ under Registry Mirrors
  • Enter the secure URL to your registry, e.g. https://registry.xyz.com
  • Click Apply & Restart

This should get it working for you.


(Carl J. Mosca) #18

Thank you. I should have mentioned I am now using that as a workaround, but frankly it’s too reminiscent of the command line option that too many tutorials start off with. “Let’s ignore the security issues for now and we’ll get back to it later” thinking. It’s been my experience that something potentially bad happens before “later” gets here. It’s the type of option I don’t like to discuss. :(

It really needs to be addressed properly.
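
The error in post #2 and the insecure-registry workaround in #17 and #18 come down to the same question: which trust store the daemon consults when it validates the registry’s certificate chain. The Go program below is an added example, not code from this thread or from Docker. It mints a throwaway private CA and a leaf certificate for dockerhub.xyz.com (the hostname from the thread; every key, certificate and directory in it is constructed for the demo), then runs the crypto/x509 chain verification that dockerd, itself a Go program, performs: once against an empty trust pool, once after loading the root from a certs.d-style directory the way the daemon reads /etc/docker/certs.d/<host>/, and once with verification skipped, which is what an insecure-registries entry amounts to. The function names and the xyz-root-CA.crt filename are this example’s own.

```go
// Added example, not code from the thread or from Docker: it mints a throwaway
// private CA plus a registry leaf signed by it, then runs the Go x509 chain
// check dockerd relies on, with and without that CA in the daemon's trust store.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// registryHost is the hostname from the thread; all certs below are constructed.
const registryHost = "dockerhub.xyz.com"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues tmpl signed by parent/parentKey; a nil parent means self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewPKI mints a private root CA named org and a TLS server leaf for host signed by it.
func NewPKI(org, host string) (*x509.Certificate, *x509.Certificate) {
	root, rootKey := mkCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: org + " root CA"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := mkCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf
}

// LoadCertsDir mirrors the daemon reading /etc/docker/certs.d/<host>/ on ITS filesystem,
// where every *.crt is a trusted CA. On Docker for Mac that filesystem is the VM's.
func LoadCertsDir(dir string) (*x509.CertPool, error) {
	files, err := filepath.Glob(filepath.Join(dir, "*.crt"))
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, f := range files {
		b, err := os.ReadFile(f)
		if err != nil {
			return nil, err
		}
		pool.AppendCertsFromPEM(b)
	}
	return pool, nil
}

// VerifyRegistry is the check behind "x509: certificate signed by unknown
// authority": the served leaf must chain to a root in the pool and be valid for
// registryHost. skipVerify is what "insecure-registries" buys: no chain check at all.
func VerifyRegistry(leaf *x509.Certificate, roots *x509.CertPool, skipVerify bool) error {
	if skipVerify {
		return nil
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: registryHost, Roots: roots})
	return err
}

func main() {
	dir, err := os.MkdirTemp("", "certs.d-")
	check(err)
	defer os.RemoveAll(dir)
	root, leaf := NewPKI("xyz", registryHost)
	fmt.Println("no private root in pool:", VerifyRegistry(leaf, x509.NewCertPool(), false))
	check(os.WriteFile(filepath.Join(dir, "xyz-root-CA.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), 0o644))
	pool, err := LoadCertsDir(dir)
	check(err)
	fmt.Println("private root in pool   :", VerifyRegistry(leaf, pool, false))
	_, forged := NewPKI("attacker", registryHost) // another CA naming the same host: a MITM
	fmt.Printf("forged chain: verifying=%v, insecure=%v\n", VerifyRegistry(forged, pool, false), VerifyRegistry(forged, pool, true))
}
```

Run it with go run. The first check and the forged-chain check fail with x509.UnknownAuthorityError, the type behind the message quoted in the posts above; the check after loading the root passes; and the skip-verify case accepts a certificate from a CA that has nothing to do with your organisation, which is the man-in-the-middle exposure post #5 describes. The directory the daemon reads must be on the daemon’s own filesystem, so on Docker for Mac the root has to land inside the VM for the loader step to mean anything.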


(Starboarder2001) #19

Having the same problem. Hoping to see this resolved.


(Krylon360v2) #20

I agree; it is something that really needs to be addressed by the core Docker team, and why they have yet to chime in on this thread really has me concerned for the future of the native OS X and Windows clients.
Sure, they removed the need for B2D, but they are still utilizing a VM on both OSes: xhyve for OS X, while the Windows client requires Hyper-V.

I’ve also tried the method of running the Docker container which injects the certs into the VM. But I had also set the insecure and mirror settings at the same time, so I’m not sure whether the container injection had any effect or not.