Docker Community Forums


TLS: bad certificate error

Hello,

My setup is a bit complex; I’ll try to make it clear with a little drawing.

I am trying to use docker-compose in a GitLab CI script. The goal is to start some containers on some distant hosts from the CI script. But I get an error: tls: bad certificate.

Here is the console log of the CI:

$ docker-machine version

docker-machine version 0.16.0, build 702c267f

$ docker-machine create --driver generic --generic-ip-address "$DISTANT_HOST_IP" --generic-ssh-key "$DISTANT_HOST_KEY" --generic-ssh-user "$DISTANT_HOST_USER" my-host || /bin/true

Creating CA: /root/.docker/machine/certs/ca.pem
Creating client certificate: /root/.docker/machine/certs/cert.pem
Running pre-create checks...
Creating machine...
(my-host) Importing SSH key...
(my-host) Couldn't copy SSH public key : unable to copy ssh key: open /builds/[hidden username]/[hidden project name].tmp/DISTANT_HOST_KEY.pub: no such file or directory
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with debian...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Checking connection to Docker...
The default lines below are for a sh/bash shell, you can specify the shell you're using, with the --shell flag.

Error creating machine: Error checking the host: Error checking and/or regenerating the certs: There was an error validating certificates for host "[hidden IP]:2376": remote error: tls: bad certificate
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

$ ls -la /root/.docker/machine/certs/

total 24
drwx------    2 root     root          4096 Jul 26 13:02 .
drwx------    4 root     root          4096 Jul 26 13:02 ..
-rw-------    1 root     root          1675 Jul 26 13:02 ca-key.pem
-rw-r--r--    1 root     root          1038 Jul 26 13:02 ca.pem
-rw-r--r--    1 root     root          1078 Jul 26 13:02 cert.pem
-rw-------    1 root     root          1675 Jul 26 13:02 key.pem

$ docker-machine regenerate-certs --client-certs --force my-host

Regenerating TLS certificates
Regenerating local certificates
Waiting for SSH to be available...
Detecting the provisioner...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...

$ eval `docker-machine env my-host`

Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "[hidden IP]:2376": remote error: tls: bad certificate
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

I tried the same commands from another host and it works perfectly. So there is something wrong because of the CI but I don’t know how to get more information about it…

If I can provide some more details, do not hesitate to ask.

Thank you.
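The "remote error" prefix in the log above means the TLS alert came from the Docker daemon, which rejected the client certificate it was shown. The following is an added example, not part of the original post: a local check of the client material for three general reasons a peer rejects a certificate (wrong issuer, validity window, mismatched key). The function names are hypothetical and the sample certificates are constructed on the fly.

```shell
# Added diagnostic sketch, not from the original post. Function names are hypothetical.
# check_client_tls DIR [EPOCH]
#   DIR   holds ca.pem, cert.pem and key.pem (file names as in the listing above)
#   EPOCH optional Unix time to validate at, e.g. the remote host's `date +%s`
# Prints one line per check; returns 0 only when every check passes.
check_client_tls() {
  local dir="$1"
  local at="${2:-$(date +%s)}"
  local rc=0
  # 1. Signature chain only (dates ignored): was cert.pem issued by ca.pem?
  if ! openssl verify -no_check_time -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "chain: FAIL (cert.pem is not signed by ca.pem)"; rc=1
  # 2. Validity window as seen at EPOCH. A peer whose clock is behind the machine
  #    that issued the certificate sees a fresh certificate as not yet valid.
  elif ! openssl verify -attime "$at" -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "chain: ok"; echo "dates: FAIL at epoch $at"; rc=1
    openssl x509 -in "$dir/cert.pem" -noout -dates
  else
    echo "chain: ok"; echo "dates: ok"
  fi
  # 3. The private key must belong to the certificate: compare public keys.
  if [ "$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)" = \
       "$(openssl pkey -in "$dir/key.pem" -pubout)" ]; then
    echo "key: ok"
  else
    echo "key: FAIL (key.pem does not match cert.pem)"; rc=1
  fi
  return "$rc"
}

# Constructed sample material (throwaway CA and client pair) for offline trials.
make_constructed_material() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
    -keyout "$d/key.pem" -out "$d/cert.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/cert.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -out "$d/cert.pem" 2>/dev/null
}
```

Passing the remote host's clock as the second argument shows how the same files look from the daemon's side; all checks passing locally does not rule out a different CA being installed on the daemon.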