Docker Community Forums


Where to place client certificates for secure docker registry?


(Dlynch158) #1

Hello,

I am trying to follow this guide here:

But the directory /etc/docker does not exist on Docker for Mac (I’ve tried creating it and placing the necessary files, no help).

How do I add my client certificates and certificate authority?


(Michael Friis) #2

Certs added to the OS X keychain are automatically added by Docker for Mac, details here: https://docs.docker.com/docker-for-mac/faqs/#how-do-i-add-custom-ca-certificates


(Noderunner) #3

I don’t think this works for client certificates. The latest Docker for Mac Beta 1.13-0-rc2 just gives me a handshake failure. It may be using the certs I have installed to trust the server, but it’s not sending my client certificate when it tries to connect.


(Vmeijer) #4

If you don’t mind ignoring the failed TLS handshake, you can try the solution posted here: http://stackoverflow.com/a/39254366/2915851

Basically, add your registry URL as an allowed insecure connection in the Docker GUI:

{
  "insecure-registries": [
    "your.registry.com:5000"
  ]
}

At least in Windows this is found under Settings… --> ‘Docker Daemon’ tab


(Noderunner) #5

If I’m understanding dlynch158 correctly, he’s having the same problem I’m having with Docker for Mac, which doesn’t have anything to do with insecure registries. The problem is that if you have your private registry set up such that it only allows clients to connect if they provide a valid client certificate, the current Docker for Mac setup has no way to provide a client certificate when attempting to connect to the registry server.

This is a common setup if you want to expose your registry to the internet, but you don’t want unauthorized clients connecting to it.

On a standard Linux install of docker, you can place your client certificate and key in /etc/docker/certs.d/registry-name/ and name them “client.key” and “client.cert”. They both must be in PEM format, and the key must not have a passphrase on it. When you do this, your docker daemon will use that client key/certificate when it connects to the appropriate registry. The registry will then verify that the client certificate is trusted and then allow the connection.

There is no current way to do this with Docker for Mac that I’m aware of. Our users can’t use Docker for Mac until this functionality becomes available.


(Hobti01) #6

There are the following open issues:
Docker for Mac: https://github.com/docker/for-mac/issues/1320
Docker for Windows: https://github.com/docker/for-win/issues/569

A few workarounds for Mac are listed in the issue.


(Ric1510) #7

Topic: How to authenticate a client using TLS
The Docker repository is created on the server using end-entity certs and keys generated with openssl.
On the client I am trying to pull an image from the server repository, and I am able to authenticate the server but not the client.
What is the procedure for the server to authenticate the client using TLS? Is there any configuration required on the server to authenticate the client? If yes, please let me know.
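Added example, not taken from the thread, from Docker or from the registry project: the client-certificate handshake that post #5 describes and post #7 asks how to configure, reproduced in Go with only the standard library so it runs offline. A throwaway CA, a server certificate and two client certificates are generated in memory; a loopback TLS listener plays the registry with client-certificate verification switched on (on a real registry:2 the equivalent is the http.tls.clientcas list in its configuration, which is the server-side setting post #7 is asking about); pullAs plays dockerd, trusting the CA but sending a client certificate only when it has one. The three attempts at the end show the failure the thread is about: a client with no certificate (the Docker for Mac case) and a client whose certificate comes from an unrelated CA are refused, and only the certificate chaining to the registry's client CA gets through. The function names, common names and the "OK" greeting are my own choices; the certs.d layout is the one post #5 gives.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// keyPair is a certificate plus its private key, all generated in memory here.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// tlsChain is what crypto/tls takes; dockerd builds the same thing from
// certs.d/<registry>/client.cert and client.key (PEM, key without passphrase).
func (kp *keyPair) tlsChain() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{kp.cert.Raw}, PrivateKey: kp.key}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a P-256 key and a certificate: a self-signed CA when parent is
// nil, otherwise a leaf signed by parent and restricted to eku.
func newCert(cn string, serial int64, eku x509.ExtKeyUsage, parent *keyPair) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // the demo registry is on loopback
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &keyPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// serveRegistry stands in for a registry with http.tls.clientcas set: it presents
// its certificate and rejects, in the handshake, clients not chaining to clientCAs.
func serveRegistry(server *keyPair, clientCAs *x509.CertPool) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server.tlsChain()},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}))
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by the caller
			}
			// The first Write runs the handshake (client-cert check included);
			// a rejected client never receives the greeting.
			conn.Write([]byte("OK"))
			conn.Close()
		}
	}()
	return ln
}

// pullAs connects the way a docker daemon does: the registry's CA is trusted and
// a client certificate is sent only if one is configured (nil = Docker for Mac here).
func pullAs(addr string, serverCAs *x509.CertPool, client *keyPair) error {
	cfg := &tls.Config{RootCAs: serverCAs}
	if client != nil {
		cfg.Certificates = []tls.Certificate{client.tlsChain()}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil { // under TLS 1.3 the server's verdict shows on the first Read, not in Dial
		_, err = conn.Read(make([]byte, 2))
		conn.Close()
	}
	return err
}

// demo builds the PKI, starts the registry and returns the outcome of three
// attempts: no client cert, a cert from an unrelated CA, a cert from the trusted CA.
func demo() (noCert, wrongCA, goodCert error) {
	ca := newCert("registry-client-ca", 1, 0, nil)
	server := newCert("registry", 2, x509.ExtKeyUsageServerAuth, ca)
	client := newCert("laptop", 3, x509.ExtKeyUsageClientAuth, ca)
	stranger := newCert("stranger", 5, x509.ExtKeyUsageClientAuth, newCert("unrelated-ca", 4, 0, nil))
	pool := x509.NewCertPool() // one CA signs both ends in this demo
	pool.AddCert(ca.cert)
	ln := serveRegistry(server, pool)
	defer ln.Close()
	addr := ln.Addr().String()
	return pullAs(addr, pool, nil), pullAs(addr, pool, stranger), pullAs(addr, pool, client)
}

func main() {
	noCert, wrongCA, goodCert := demo()
	fmt.Println("no client cert:      ", noCert)   // rejected
	fmt.Println("cert from other CA:  ", wrongCA)  // rejected
	fmt.Println("cert from trusted CA:", goodCert) // <nil>
}
```

Run it with go run and the first two attempts print a TLS alert while the third prints <nil>. To turn the in-memory client pair into the files post #5 describes, PEM-encode kp.cert.Raw as a CERTIFICATE block into client.cert and x509.MarshalECPrivateKey(kp.key) as an EC PRIVATE KEY block into client.key, with no passphrase, in the certs.d directory named after the registry; the CA that signed the registry's server certificate goes in the same directory as ca.crt, which is the part the Keychain trick from post #2 covers on Docker for Mac and the client pair is the part it does not.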