Docker repo has a Private CA generated SSL cert which works with Docker on Linux and boot2docker/docker machine on OS X. It should also work with Docker OS X beta if certs are installed correctly. I assume I do not have the root and intermediate certs installed correctly
Actual behavior
certificate signed by unknown authority error
Information
the output of:
- pinata diagnose -u on OSX
- DockerDebugInfo.ps1 using PowerShell on Windows
- a reproducible case if this is a bug, Dockerfiles FTW
- page URL if this is a docs issue or the name of a man page
- host distribution and version (OSX 10.10.x, OSX 10.11.x, Windows, etc.)
I am seeing the same problem on Mac – unable to connect to a private docker registry with a properly signed SSL certificate.
Boot2docker VM (after appropriate setup) works w/o problems with the registry, same for Linux clients. No such luck with Docker for Mac. Connection with curl goes through but docker-pull does not. Placing root CA certs in /etc/docker/certs.d/ does not bring any improvements.
PS: had to modify some URLs to work around the limitation of “no more than 2 links for newbie users”
> pinata diagnose -u
OS X: version 10.11.4 (build: 15E65)
Docker.app: version v1.11.0-beta9
Running diagnostic tests:
[OK] docker-cli
[OK] Moby booted
[OK] driver.amd64-linux
[OK] vmnetd
[OK] osxfs
[OK] db
[OK] slirp
[OK] menubar
[OK] environment
[OK] Docker
[OK] VT-x
Docker logs are being collected into /tmp/20160429-121405.tar.gz
Most specific failure is: No error was detected
Your unique id is: DF002BF1-640F-4BF2-85CB-43B26EE8E035
Ok, I followed the suggestion in Adding (self signed) certificates to copy certificates inside the VM. It worked which is great, but the solution did not survive Docker restart.
Two questions:
- How can the certs be made persistent?
- Is there a way to automate/script the certs upload and deployment?
BTW, I copied the root CA certs to /usr/local/share/ca-certificates and ran update-ca-certificates. I don’t think that has any impact on the (lack of) persistence of the uploaded certs.
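The posts above describe the two halves of the problem: getting a private CA trusted by the Docker daemon without ticking "insecure", and checking that the chain actually validates. As an added example that is not from this thread or from Docker, the script below does both on a host where the daemon runs directly on Linux (or inside the VM, where the thread notes the copy does not persist across restarts). It uses Docker's documented per-registry location, `/etc/docker/certs.d/<host[:port]>/ca.crt`; the registry name `registry.xyz.int` is taken from the thread, and the CA file path, the `CERTS_D` override and the function names are assumptions for illustration.

```bash
#!/bin/sh
# Added example: install a private CA for one registry on a Linux Docker host
# and verify the registry's TLS chain against that CA, instead of disabling
# certificate checks with insecure-registries.
set -eu

# Docker reads <certs.d>/<host[:port]>/ca.crt; the directory name must match
# the registry name used in "docker pull <host[:port]>/image" exactly.
CERTS_D=${CERTS_D:-/etc/docker/certs.d}   # override for testing (assumption)

ca_path_for() {
    printf '%s/%s/ca.crt\n' "$CERTS_D" "$1"
}

# Cheap sanity check before installing anything: the file must contain at
# least one PEM certificate block.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Copy the CA into the per-registry directory, creating it if needed.
install_ca() {
    registry=$1
    src=$2
    dest=$(ca_path_for "$registry")
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Ask OpenSSL to build a chain from the registry's leaf certificate to the CA
# file; -verify_return_error makes s_client exit non-zero on any verify
# failure, so this fails exactly when the daemon would report
# "x509: certificate signed by unknown authority". Needs network access.
verify_chain() {
    registry=$1
    ca=$2
    case $registry in
        *:*) target=$registry ;;
        *)   target=$registry:443 ;;
    esac
    openssl s_client -connect "$target" -servername "${registry%%:*}" \
        -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh this.sh registry.xyz.int /path/to/corp-root-ca.pem
# (hostname from the thread; CA path is an assumption)
if [ "$#" -eq 2 ]; then
    verify_chain "$1" "$2" || { echo "chain does not validate against $2" >&2; exit 1; }
    install_ca "$1" "$2"
    echo "CA installed; re-run 'docker pull $1/<image>' (no daemon restart needed for certs.d)"
fi
```

The order matters: verify first, then install, so a CA file that does not actually sign the registry's certificate never lands in `certs.d` where it would only produce confusing "works for curl, fails for docker" reports like the one above.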
I don’t think we can move this to an issue dealing with an insecure registry. It is dealing with a secure registry. I do not want to disable certificate validation for my private registry. The last thing I need is to be susceptible to a man in the middle attack with my docker registry. We really need a viable option for dealing with CA certs being added to the VM.
We hear you loud and clear. We absolutely need to find a way of loading certificates into the VM in such a way that they persist over reboot/updates. We’re working on it, and I’ll be sure to post an update here when we’ve got something to show you! Thanks for trying Docker for Mac!
Is it possible to load certificates from the System keychain? I installed my company’s certificates in the System keychain but they are not forwarded to the docker daemon.
I’ve installed our certs to both the login and system keychains.
Using B2D/Docker-Machine; certs worked just fine.
Using the native client though; I get the following from our internal Secure Quay Repository:
docker pull registry.xyz.int/{PROJECT}/{IMAGE}
Using default tag: latest
Error response from daemon: Get https://registry.xyz.int/v1/_ping: x509: certificate signed by unknown authority
I’m able to pull from hub.docker.com just fine. This really needs to be fixed for the native client to be of any use in the enterprise.
Yes, I am surprised this has not gotten more attention. If your enterprise is using private CA certs (and I believe many are or will be), this is a show stopper.
+1. We use a corporate internal CA for all certs and I can’t really get around that. Hence I can only connect to my private registries if I tick “insecure”.
I first reported this back in April. As others have said, this is a show-stopper for our organization. Is there any official update on the status or plans to fix?
Thank you. I should have mentioned I am now using that as a workaround but frankly it’s too reminiscent of the command line option that too many tutorials start off with. “Let’s ignore the security issues for now and we’ll get back to it later” thinking. It’s been my experience that something potentially bad happens before “later” gets here. It’s the type of option I don’t like to discuss.
I agree; it is something that really needs to be addressed by the core Docker team, and why they have yet to chime in on this thread really has me concerned for the native OSX and WIN clients’ future.
Sure, they removed the need for B2D, but they are still utilizing a VM in both OSes: xhyve for OSX, and the WIN client requires Hyper-V.
I’ve also tried the method of running the docker container which injects the certs into the VM. But I had also set the insecure and mirror settings at the same time; so not sure if the container injection had any effect or not.