X509 authority fail on jenkins (works standalone)

Hey there,

I had a hard time googling this one, as most people just have broken certificates… so let me describe the essentials of my setup:

  • docker TLS-setup (works fine)
  • jenkins uses the docker-plugin to create agents with the client certificate connecting to the docker host (that works fine, too)
  • jenkins master and docker daemon do not run on the same host.
  • a custom jenkins image with docker installed inside is being used
  • docker host version: 18.xx, docker agent: at least for now 17.xx (will update later on, as it worked a few times before, so this doesn’t seem to affect the problem)
  • env variables DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH set inside jenkins job

Error message I get when trying to run docker inside the container:

$ docker -l debug images
error during connect: Get https://my-host:2376/v1.35/images/json: x509: certificate signed by unknown authority

Running env confirms that the variables are set. Also, docker help shows the certificates as “default” for the tls arguments. If I attach to the running container (as the same user), set the env vars and run the docker images command, everything works as expected.

The certs seem to be fine, I had it running once, but I changed stuff in jenkins which seemed to affect this functionality (but shouldn’t).

So my question is: how can I bisect that further? What can possibly interfere with the validation of the host CA?

Thanks in advance

edit: curl, given cacert, cert and key works fine on the host (the image is missing curl), openssl is passing as well both on host and container. I don’t know what docker does.

Well, I switched from alpine to debian for the jenkins slave and the issue disappeared. I’ll probably consider alpine again another time, but it’s an optimization, and therefore not worth the trouble right now.
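One way to narrow down a "works in an attached shell, fails in the job" difference like the one described above is to have both contexts report exactly what TLS material the docker client is being pointed at. The following is an added example, not part of the original post; the function name is hypothetical, and it assumes the docker CLI's default file names (ca.pem, cert.pem, key.pem) inside DOCKER_CERT_PATH.

```shell
# Added example: preflight check for the TLS environment handed to the docker CLI.
# Assumption: default file names ca.pem, cert.pem, key.pem under DOCKER_CERT_PATH.
# Returns the number of problems found (0 = nothing suspicious in the environment).
check_docker_tls_env() {
    problems=0
    note() { printf 'PROBLEM: %s\n' "$1" >&2; problems=$((problems + 1)); }

    [ -n "${DOCKER_HOST:-}" ] || note "DOCKER_HOST is empty or unset"
    [ -n "${DOCKER_TLS_VERIFY:-}" ] || note "DOCKER_TLS_VERIFY is empty or unset"

    path=${DOCKER_CERT_PATH:-}
    case $path in
        "")      note "DOCKER_CERT_PATH is empty or unset" ;;
        \"*|\'*) note "DOCKER_CERT_PATH starts with a literal quote: $path" ;;
        "~"*)    note "DOCKER_CERT_PATH contains an unexpanded ~: $path" ;;
        /*)      : ;;  # absolute path, nothing to report
        *)       note "DOCKER_CERT_PATH is relative to the cwd ($PWD): $path" ;;
    esac

    if [ -n "$path" ]; then
        for f in ca.pem cert.pem key.pem; do
            file=$path/$f
            if [ ! -r "$file" ]; then
                note "$file is missing or not readable by $(id -un)"
            elif [ ! -s "$file" ]; then
                note "$file is empty"
            elif ! grep -q -e '-----BEGIN ' "$file"; then
                note "$file has no PEM header"
            else
                # Checksum lets the job output be compared with the attached shell
                cksum "$file"
            fi
        done
    fi
    return "$problems"
}
# Usage inside a job step:  check_docker_tls_env || echo "found $? problem(s)"
```

Run it once as a step of the failing job and once from the attached shell; differing checksums or a PROBLEM line in only one of the two outputs points at the environment rather than at the certificates.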