I had a hard time googling this one, as most people just have broken certificates… so let me describe the essentials of my setup:
- docker TLS-setup (works fine)
- jenkins uses the docker-plugin to create agents with the client certificate connecting to the docker host (that works fine, too)
- jenkins master and docker daemon do not run on the same host.
- a custom jenkins image with docker installed inside is being used
- docker host version: 18.xx, docker agent: at least for now 17.xx (will update later on, as it worked a few times before, so this doesn’t seem to affect the problem)
- env variables DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH set inside jenkins job
Error message I get when trying to run docker inside the container:
$ docker -l debug images
error during connect: Get https://my-host:2376/v1.35/images/json: x509: certificate signed by unknown authority
Running env confirms that the variables are set. Also, docker help shows the certificates as “default” for the tls arguments. If I attach to the running container (as the same user), set the env vars and run the docker images command, everything works as expected.
The certs seem to be fine, I had it running once, but I changed stuff in jenkins which seemed to affect this functionality (but shouldn’t).
So my question is: how can I bisect that further? What can possibly interfere with the validation of the host CA?
Thanks in advance
edit: curl, given cacert, cert and key, works fine on the host (the image is missing curl); openssl passes as well, both on host and in the container. I don't know what docker does.
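One way to bisect this kind of failure, as an added example that is not part of the original post: a POSIX shell script that reproduces what the docker CLI does with DOCKER_CERT_PATH (it loads ca.pem, cert.pem and key.pem from that directory, falling back to ~/.docker when the variable is unset) and checks each piece in isolation, offline, before involving the daemon at all. The script assumes only that openssl is in PATH; the CA and client certificate it generates are throwaway demo data created by make_demo_certs, not the certificates from the setup described above, and the host:port used by probe_daemon is a placeholder to be replaced with the real DOCKER_HOST.

```shell
#!/bin/sh
# Offline checks for the TLS material the docker CLI reads from DOCKER_CERT_PATH.
# Assumptions: openssl in PATH. Demo certificates are constructed locally.

# Check that DIR holds ca.pem, cert.pem and key.pem, that cert.pem chains to
# ca.pem and that key.pem belongs to cert.pem. Returns 0 only if all checks pass.
verify_cert_dir() {
  dir="$1"
  for f in ca.pem cert.pem key.pem; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f" >&2
      return 1
    fi
  done
  # Same check the TLS client performs on the server side: does the leaf chain
  # to the CA we hand it? Grep on ": OK" because old openssl versions always
  # exit 0 from 'verify'.
  if ! openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" 2>/dev/null | grep -q ': OK$'; then
    echo "cert.pem does not chain to ca.pem in $dir" >&2
    return 1
  fi
  # The public key embedded in cert.pem must equal the one derived from key.pem.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "key.pem does not match cert.pem in $dir" >&2
    return 1
  fi
  return 0
}

# Resolve the directory exactly as the CLI does (env var, else ~/.docker),
# then verify it. Useful inside a Jenkins job where HOME may not be what you expect.
verify_docker_env() {
  dir="${DOCKER_CERT_PATH:-$HOME/.docker}"
  echo "DOCKER_HOST=${DOCKER_HOST:-<unset>} DOCKER_TLS_VERIFY=${DOCKER_TLS_VERIFY:-<unset>} cert dir=$dir"
  verify_cert_dir "$dir"
}

# Online probe (not run in the test): the same handshake the CLI would do, using
# the same three files. HOST:PORT is a placeholder, e.g. my-host:2376.
probe_daemon() {
  hostport="$1"
  dir="${DOCKER_CERT_PATH:-$HOME/.docker}"
  openssl s_client -connect "$hostport" -CAfile "$dir/ca.pem" \
    -cert "$dir/cert.pem" -key "$dir/key.pem" </dev/null 2>&1 |
    grep -E 'Verify return code|issuer=|subject='
}

# Build a throwaway CA plus a client cert/key pair signed by it, laid out the
# way the docker CLI expects (ca.pem, cert.pem, key.pem). Constructed demo data.
make_demo_certs() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca-key.pem" \
    -out "$dir/ca.pem" -days 1 -subj /CN=demo-ca >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/client.csr" -subj /CN=demo-client >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -out "$dir/cert.pem" -days 1 >/dev/null 2>&1
}
```

Run verify_docker_env from inside the Jenkins job step and again from the attached shell: if the directory it prints, or the verify result, differs between the two, the discrepancy is the thing to chase rather than the certificates themselves. If both pass offline, probe_daemon against the real host:port shows whether the handshake itself is rejected and which issuer the daemon actually presents.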