Documentation: How to add a self-signed certificate #347
Comments
oh wow. I've not gone there myself, so it needs someone to spend some time nutting out the details :/

I think you might need to rebuild the image with your certificate in it.

I can see a bunch of preinstalled certificates in /usr/local/etc/ssl/certs/, but I just can't figure out how to add my own. I think in Ubuntu/Debian, one would copy it there and run "update-ca-certificates". Perhaps that command could be added to boot2docker?

The certificates are installed when unpacking the In any case, you'll need to execute these on your own

OR, you can use your persistence partition and add the data and scripts to

To add
osx-host$ boot2docker ssh
# Picture of a whale
docker@boot2docker:~$ scp username@osx-host:Documents/mycert.pem /tmp
docker@boot2docker:~$ sudo -s
root@boot2docker:~$ mv /tmp/mycert.pem /usr/local/share/ca-certificates
root@boot2docker:~$ cd /etc/ssl/certs
root@boot2docker:/etc/ssl/certs$ ln -s /usr/local/share/ca-certificates/mycert.pem .
root@boot2docker:/etc/ssl/certs$ openssl x509 -hash -in mycert.pem
# This will output an 8 hex digit hash hhhhhhhh
root@boot2docker:/etc/ssl/certs$ ln -s mycert.pem hhhhhhhh.0
I found this out by examining the

I hope to be adding code to the boot2docker iso to generate the cert, and then export it to the host system.

@kfish I also had to append the cert to Though boot2docker uses tce, so I'm not sure if this will disappear if the machine is rebooted? I'm using docker as a provider in vagrant.

Has the documentation been resolved yet? I tried the instructions above in the boot2docker VM. But I only get an empty error when trying to do
boot2docker version information

It would be good to make this process significantly easier than it currently is, since as of 1.3.1 docker no longer allows connections to non-SSL registries. We need an easy way to deposit the certificate in a place that will persist, otherwise we will need to copy the cert each time we boot2docker up.

@virtuald the boot2docker cli tool does all this for you automatically when you run the certificates are auto-generated during vm bootup, and then are copied to the right place - and so I'm going to close this PR - i think it's adding confusion about manual steps you don't do anymore

How does boot2docker know what certificates to use? I thought this was about specifying custom certificates? Is there a folder/place we need to put them to have the boot2docker cli grab them and place them in the vm?

@SvenDowideit No, please open this ticket again. The certificates that boot2docker generates as of 1.3.x for the user are for connecting to the docker daemon, not a private docker registry with custom certificates.

Indeed, this issue is about the other certificates. 👍

I realize this issue is about 'documentation', but the current process of adding a registry cert is annoying at best. I would recommend adding yet another boot2docker command (maybe addregistrycert) that copies the certificate to the right place on the permanent storage, and at boot time the iso copies all the certs to /etc/docker/certs.d/. For example, I'm using the following script in bootlocal.sh:

@virtuald nice suggestion - wanna make a PR? :) (and ug - sorry, i was trying to do too much at once obviously)

My go-fu is a bit weaker than I would like, and I have about 3 other projects that I'm behind on. However, it should be easy enough for someone familiar with the codebase to do. ;)

I see at least 3 approaches in this issue. I'm happy to do the work but which of them is the best practice?

I like option 3.

+1 on option 3

+1 on option 3

I'm having an issue that may be related, but I'm not sure: I work for an organization that has a certificate-rewriting proxy and it is getting in the way of my attempts to even use the public registry at Docker Hub. I am just learning Docker, so I'm curious whether the steps outlined in this PR discussion would also apply to my situation. http://stackoverflow.com/questions/27536180/docker-on-mac-behind-proxy-that-changes-ssl-certificate

+1 on option 3 :) @pohl oh gads, basically, you're in an organisation that's attacking you. I would probably make a docker container that runs some kind of vpn like proxy (i'm thinking ssh) to talk to my own host out there on the internet. and then have the Docker daemon talk to that proxy container. (using

I'm in the same situation, it basically involved manually putting the certificates in boot2docker's VM, not exactly elegant. Running a VPN/ssh is most likely difficult in corporate land too, machines can only get to the internet through the proxies (that MITM ssl). So you can't exactly punch out via port 22 :S

/me is evil and runs an ssh daemon on port 80.

Even still, it has to go through a corporate proxy. So you are either muxing ssh over http (this sounds horrible!), or you have a special ssh server that works with CONNECT https calls. That technique may also draw the ire of the enterprisey security guys that are trying to MITM you anyway. My usual approach is to make my apps use the corporate certs. If they want to inspect a whole bunch of binary data they are free to do it :) I imagine there is a way to get bootlocal to install the certs, but atm I'm personally having 0 success with having bootlocal.sh even run.

oh? ok, then we need to work that out. The only persistent place on your b2d, is

@varsy, Thank you!

as far as I know boot2docker doesn't come with any certificate import tools, so this makes it a bit difficult to add an ssl certificate to your certificate bundle. But you can still do it manually.
sudo cp <your_crt_file> /usr/local/share/ca-certificates/
cat /usr/local/share/ca-certificates/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l
openssl x509 -noout -fingerprint -in /usr/local/share/ca-certificates/<your_crt_file>
sudo ln -s /usr/local/share/ca-certificates/<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem
cd /etc/ssl/certs && sudo ln -s <the_previous_pem_symlink_you_created> `openssl x509 -noout -hash -in /usr/local/share/ca-certificates/<your_crt_file>`.0
sudo -i -u root
cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificates.crt
exit
If you have done all the above steps correctly you should get something like this (remember when you do the grep, grep for your crt file name without the file type. In my case I just grep "blue", short for "bluecoat"):
infinityadmin@mep-openstack1:/etc/ssl/certs$ ls -l /etc/ssl/certs | grep blue
lrwxrwxrwx 1 root root 12 Feb 5 07:56 37b52fd1.0 -> bluecoat.pem
lrwxrwxrwx 1 root root 45 Feb 5 07:56 bluecoat.pem -> /usr/local/share/ca-certificates/bluecoat.crt
In my case
For more information, you can read this article
The final thing to do to have more assurance is to restart the docker daemon:
sudo /etc/init.d/docker restart
But again, I would still like to address that it would be great if boot2docker could come with a certificate bundle update tool like update-ca-certificates in Ubuntu or update-ca-trust in CentOS

Hi, thanks for your input. This really helped a lot! Actually, this is the only working way for boot2docker. Two additions: Shouldn't this
rather be
?? Also, in this statement:
the last part should be

thanks @tobilarscheid, you are right 😄 I've fixed the typo ;). Cheers 👍

Holy cow, that works @Shuliyey! I do still need a copy of the *.pem files to be in /var/lib/boot2docker/certs as well but otherwise that was the magic voodoo to finally hit the official docker hub from inside a MITM certificate rewrite proxy.

thank you @daagar, glad it worked 😄. sorry I'm actually trying to understand the /var/lib/boot2docker/certs part, do you mean if the certificate is not in /var/lib/boot2docker/certs, you actually still won't be able to do docker pull/push (even with certificates updated in /etc/ssl/certs/)? Interesting case, does it apply for both cases?
I believe the /var/lib/boot2docker repository is mainly used to provide the communication between the boot2docker guest vm and the host OS (Windows/Mac). So I'm trying to get a better understanding of how boot2docker manages its certificate verification. You can do docker-machine ssh default to get into the boot2docker os vm 😄

thanks @Mickep76 +1 👍 the changes that are made to the boot2docker / partition drive will be overwritten every time docker-machine is restarted. So the /var/lib/boot2docker/bootlocal.sh is useful in this case to keep your changes.
sudo touch /var/lib/boot2docker/bootlocal.sh && sudo chmod +x /var/lib/boot2docker/bootlocal.sh
sudo mkdir /var/lib/boot2docker/certs
sudo mv <your_crt_file> /var/lib/boot2docker/certs/
mkdir -p /etc/docker/certs.d/<your_docker_registry_url> && cp <your_crt_file_location> /etc/docker/certs.d/<your_docker_registry_url>/
# If terminal is actually the docker-machine VM terminal
sudo reboot
# if terminal is started using docker quick start terminal
docker-machine restart <machine_name>
Note: In my case this is my contents in /var/lib/boot2docker/bootlocal.sh
mkdir -p /etc/docker/certs.d/registry.mev-rancher.dev.tech.local && cp /var/lib/boot2docker/certs/radiance.crt /etc/docker/certs.d/registry.mev-rancher.dev.tech.local/

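The two manual recipes in this thread (the hash-symlink install into /etc/ssl/certs with the bundle append, and the bootlocal.sh copy into /etc/docker/certs.d/<registry>/) are collected below into one script. This is an added example, not code from the boot2docker project or from any commenter: it takes the target directories as parameters so it can be exercised against a scratch directory, it is idempotent so it can run from bootlocal.sh on every boot, and it verifies the result with openssl. It assumes the openssl command-line tool is present; the registry name registry.example.test:5000 and the self-signed CA it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the boot2docker project's own code: a bootlocal.sh-style
# installer that puts a CA certificate into an OpenSSL-style trust directory
# (<name>.pem symlink, <subject-hash>.0 symlink, bundle append) and into
# Docker's per-registry certs.d layout. The directories are parameters so the
# script can be run against a scratch directory; on a real boot2docker VM they
# would be /etc/ssl/certs, /etc/ssl/certs/ca-certificates.crt and
# /etc/docker/certs.d. Assumes the openssl command-line tool is installed.
set -eu

# Number of PEM certificate blocks in a file (the thread's "grep | wc -l" check).
pem_count() {
    grep -c 'BEGIN.* CERTIFICATE' "$1" || true
}

# Write $1 to $2 as PEM, converting from DER when the input has no PEM block
# (certificates exported from the Windows certificate manager are often DER).
to_pem() {
    if [ "$(pem_count "$1")" -ge 1 ]; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Install one PEM CA certificate ($1) into trust dir $2 and bundle file $3.
# Idempotent: re-running does not duplicate symlinks or bundle entries.
install_ca_cert() {
    crt=$1; certs_dir=$2; bundle=$3
    name=$(basename "$crt" .crt)
    if [ "$(pem_count "$crt")" -lt 1 ]; then
        echo "$crt: no PEM certificate found" >&2
        return 1
    fi
    mkdir -p "$certs_dir"
    # <name>.pem -> the persistent copy, <hash>.0 -> <name>.pem, as in the
    # thread; OpenSSL looks CAs up in a CApath by this subject-hash file name.
    ln -sf "$crt" "$certs_dir/$name.pem"
    subj_hash=$(openssl x509 -noout -hash -in "$crt")
    ln -sf "$name.pem" "$certs_dir/$subj_hash.0"
    # The first base64 line of the body identifies the certificate well enough
    # to detect one already in the bundle, so repeated boots do not grow it.
    first_line=$(awk '/BEGIN.* CERTIFICATE/ { getline; print; exit }' "$crt")
    if [ ! -f "$bundle" ] || ! grep -qF -- "$first_line" "$bundle"; then
        cat "$crt" >> "$bundle"
    fi
}

# Copy CA certificate $1 where the Docker daemon expects it for registry $2:
# $3/<host:port>/ca.crt (the file name ca.crt is what Docker looks for).
install_registry_cert() {
    mkdir -p "$3/$2"
    cp "$1" "$3/$2/ca.crt"
}

# Check that certificate $1 is trusted both via bundle file $3 and via the
# hashed directory $2; the second check exercises the <hash>.0 symlink.
verify_trust() {
    crt=$1; certs_dir=$2; bundle=$3
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 &&
    openssl verify -CApath "$certs_dir" "$crt" >/dev/null 2>&1
}

# Stand-alone demo against a scratch directory using a freshly generated,
# constructed self-signed CA (not a real one).
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    install_ca_cert "$d/ca.crt" "$d/certs" "$d/ca-certificates.crt"
    install_ca_cert "$d/ca.crt" "$d/certs" "$d/ca-certificates.crt"   # second run is a no-op
    install_registry_cert "$d/ca.crt" "registry.example.test:5000" "$d/certs.d"
    verify_trust "$d/ca.crt" "$d/certs" "$d/ca-certificates.crt" && echo "trust OK"
    echo "bundle holds $(pem_count "$d/ca-certificates.crt") certificate(s)"
    ls -l "$d/certs" "$d/certs.d"/*
    rm -rf "$d"
}

demo
```

On a boot2docker VM the functions would be called from /var/lib/boot2docker/bootlocal.sh with the real paths (install_ca_cert /var/lib/boot2docker/certs/<file>.crt /etc/ssl/certs /etc/ssl/certs/ca-certificates.crt, and install_registry_cert with the registry's host:port), and the daemon still has to be restarted afterwards, as the thread notes. The -CApath check is the one that tells you whether the hash symlink is right; a bundle append alone passes the -CAfile check even when the symlink name is wrong.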
Thanks @Shuliyey. In my environment (Docker Toolbox 1.9.1i & Windows 7), copying certificate files to @ALL Hope you'll find it useful.

@kumlali nice, would be great also to integrate this into kitematic. If we can configure the proxy and ssl settings inside the kitematic gui (like in the settings page), it would make proxy and certificate configuration much easier.

ok, so since Boot2Docker 1.6 any certs you place in see: https://github.com/boot2docker/boot2docker/pull/807/files

@Shuliyey thanks for this. My company performs a man in the middle attack, so I had to export the cert from windows certificate manager, copy it into my vm and use openssl to convert it from DER to PEM format with a .crt extension, then followed your instructions.

If you're arriving here from Google, the above is the proper solution to, "How do I use self-signed certificates when using boot2docker?" Note, though, at the moment, only certificates that end with

I've followed the self-signed cert instructions, used the certificate in an nginx proxy, added the cert in /var/lib/boot2docker/certs (actually in my boot2docker 1.11.2, that directory did not exist) and I still get x509: certificate signed by unknown authority

@magnayn Did you reboot your boot2docker instance after adding your certificates to
Also, yes, by default there is no

Good to know that the need to create the certs directory is normal. Yes, I rebooted the docker-machine. curl is perfectly happy if I tell it
On Thu, Jun 16, 2016 at 4:54 PM, Chris Lasher notifications@github.com

Could you try these instructions? http://docker-saigon.github.io/post/Private-Registry-Setup/ it includes adding trust for a self signed CA

@magnayn interesting, the boot2docker 1.11 version of docker should work if the certificate is placed in /var/lib/boot2docker/certs. If you could do the below and verify your certificate (which you put under /var/lib/boot2docker/certs):
cat /var/lib/boot2docker/certs/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l # this should return 1 😄

container host does trust the certificate but not the container itself
the container SHOULD trust it also.

@softwarevamp - for containers to trust ca's from the host, mount the host certs dir and run

In Boot2Docker (version 17.10.0-ce), for me it only worked when the certificate was called 'ca.crt' in a folder with the hostname for which the certificate was used. So copy the certificate as follows:

In Boot2Docker 18.05.0-ce using self-signed certificates it seems to be enough to copy the

I'm trying to use a private Docker image registry with a self-signed certificate. But I can't find documentation on how to add the self-signed certificate to boot2docker, so that the Docker client would accept it.