I’m attempting to use Docker on my Windows 7 laptop behind our corporate firewall. I can run the terminal in Windows 7, but I get x509 errors when I attempt to pull images:
docker: Error while pulling image: Get https://index.docker.io/v1/repositories/dockerfile/java/images: x509: certificate signed by unknown authority.
I know I need to add our corporate certificate to the cert store that the Docker Quickstart Terminal uses. I just don’t know where the cert store for mingw64 is. It appears that Docker and Git share the mingw64 installation, but there appear to be several places where the cert store lives. For Git, it is specified in the Git config. I’m not sure where the cert store is for Docker Quickstart Terminal.
The cert store is actually inside the boot2docker VM that is created by docker-machine, which is called out to from the quickstart terminal. Your Windows userspace docker client only communicates with the docker daemon and doesn’t talk to the registry.
I would expect that your boot2docker VM should already trust this certificate. This suggests to me that perhaps your network has some sort of firewall that is trying to MITM your HTTPS connection out to the Docker Hub.
If you really do need to install a certificate authority for some reason, the instructions here should cover the case for your boot2docker VM: https://docs.docker.com/docker-trusted-registry/configure/config-security/#docker-machine-and-boot2docker-1
Hey Jeff, thanks for your answer. I do have a corporate MITM scenario. I need to add our corporate cert to the CA store. I read the docs you pointed me to and they suggest adding --insecure-registry to the EXTRA_ARGS of the boot2docker profile. This did not solve the error for me. I made the change and restarted the VirtualBox VM and the docker CLI and still got the error.
Feels like I need to add my corporate cert in. Can I just append to the /var/lib/boot2docker/ca.pem?
Whoops, I linked you to the wrong anchor on that document:
https://docs.docker.com/docker-trusted-registry/configure/config-security/#install-registry-certificates-on-client-docker-daemons - there is a boot2docker section here that talks about how to actually add the certificate. The --insecure-registry option is not what you want to do.
Thanks Jeff. After some fumbling around with the documents you pointed me to, I was able to get my cert to get picked up in the CA list when the docker instance starts. All was good after that and I was able to pull from the docker repo.
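The failure and the fix discussed in this thread, reproduced offline as an added example that is not part of any poster's message: a leaf signed by a TLS-inspection CA is rejected by a bundle that lacks that CA and accepted once the CA is appended. All names, subjects and file paths are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added demo. Every name below is constructed; nothing is taken from a real network.
set -eu
work=$(mktemp -d)

# Minimal request config so the demo does not depend on the system openssl.cnf.
cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_root_ca() {   # $1 = file prefix, $2 = subject CN; writes a self-signed CA
  openssl req -x509 -config "$work/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

new_root_ca public "Constructed Public Root"         # stands in for the daemon's stock CA list
new_root_ca corp   "Constructed Corp Inspection CA"  # stands in for the proxy's signing CA

# Leaf the inspecting proxy would present in place of the registry's real certificate.
openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=registry.example.test" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -days 1 -CA "$work/corp.pem" \
  -CAkey "$work/corp.key" -CAcreateserial -out "$work/leaf.pem" 2>/dev/null

leaf_issuer() { openssl x509 -in "$work/leaf.pem" -noout -issuer; }

trusts_leaf() {   # $1 = CA bundle; succeeds only if the leaf chains to a CA in it
  openssl verify -CAfile "$1" "$work/leaf.pem" >/dev/null 2>&1
}

cp "$work/public.pem" "$work/bundle.pem"
if trusts_leaf "$work/bundle.pem"; then before=trusted; else before=unknown-authority; fi

cat "$work/corp.pem" >> "$work/bundle.pem"   # the fix: add the corporate CA to the bundle
if trusts_leaf "$work/bundle.pem"; then after=trusted; else after=unknown-authority; fi

echo "issuer: $(leaf_issuer)"
echo "before: $before"
echo "after:  $after"
```

In the setup described above, the bundle that matters is the one read by the docker daemon inside the boot2docker VM, not the Windows client's.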