
Documentation: How to add a self-signed certificate #347

Closed
kennu opened this Issue May 9, 2014 · 69 comments

@kennu

kennu commented May 9, 2014

I'm trying to use a private Docker image registry with a self-signed certificate, but I can't find documentation on how to add the self-signed certificate to boot2docker so that the Docker client would accept it.

SvenDowideit May 10, 2014

Contributor

oh wow. I've not gone there myself, so it needs someone to spend some time nutting out the details :/

steeve May 12, 2014

Contributor

I think you might need to rebuild the image with your certificate in it.

kennu May 12, 2014

I can see a bunch of preinstalled certificates in /usr/local/etc/ssl/certs/, but I just can't figure out how to add my own. I think in Ubuntu/Debian, one would copy it there and run "update-ca-certificates". Perhaps that command could be added to boot2docker?

steeve May 12, 2014

Contributor

The certificates are installed when unpacking the openssl.tcz TCL package.

In any case, you'll need to execute these on your own Dockerfile, the ISO rootfs is in $ROOTFS:

FROM boot2docker/boot2docker

RUN <whatever>
ADD mycertif $ROOTFS/....

RUN /make_iso.sh
CMD ["cat", "boot2docker.iso"]
SvenDowideit May 13, 2014

Contributor

OR, you can use your persistence partition and add the data and scripts to /var/lib/boot2docker and call the script from a /var/lib/boot2docker/bootlocal.sh which you create.

kfish Jul 10, 2014

To add mycert.pem (exported from your keychain on osx-host) to a running boot2docker, copy it over, symlink it and symlink its hash:

osx-host$ boot2docker ssh
# Picture of a whale
docker@boot2docker:~$ scp username@osx-host:Documents/mycert.pem /tmp
docker@boot2docker:~$ sudo -s
root@boot2docker:~$ mv /tmp/mycert.pem /usr/local/share/ca-certificates
root@boot2docker:~$ cd /etc/ssl/certs
root@boot2docker:/etc/ssl/certs$ ln -s /usr/local/share/ca-certificates/mycert.pem .
root@boot2docker:/etc/ssl/certs$ openssl x509 -hash -noout -in mycert.pem
# This will output an 8 hex digit hash hhhhhhhh
root@boot2docker:/etc/ssl/certs$ ln -s mycert.pem hhhhhhhh.0

I found this out by examining the c_rehash script, which update-ca-certificates would run if it and perl existed on boot2docker.

SvenDowideit Jul 14, 2014

Contributor

moby/moby#6890

I hope to be adding code to the boot2docker iso to generate the cert, and then export it to host system.

btrepp Sep 8, 2014

@kfish I also had to append the cert to /etc/ssl/certs/ca-certificates.crt

Though boot2docker uses tce, so I'm not sure if this will disappear if the machine is rebooted?.

I'm using docker as a provider in vagrant.

magnusart Oct 25, 2014

Has the documentation been resolved yet?

I tried the instructions above in the boot2docker VM. But I only get an empty error when trying to do docker login:

2014/10/25 22:52:50 Error response from daemon:

boot2docker version information

Boot2Docker-cli version: v1.3.0
Git commit: deafc19

virtuald Nov 4, 2014

It would be good to make this process significantly easier than it currently is, since as of 1.3.1 docker no longer allows connections to non-SSL registries. We need an easy way to deposit the certificate in a place that will persist, otherwise we will need to copy the cert each time we boot2docker up.

SvenDowideit Nov 5, 2014

Contributor

@virtuald the boot2docker cli tool does all this for you automatically when you run boot2docker up

the certificates are auto-generated during vm bootup, and then are copied to the right place - and $(boot2docker shellinit) will set the 3 environment variables you need for the Docker client to just work.

and so I'm going to close this PR - I think it's adding confusion about manual steps you don't do anymore

btrepp Nov 5, 2014

How does boot2docker know what certificates to use? I thought this was about specifying custom certificates?

Is there a folder/place we need to put them to have boot2docker cli's grab them and place them in the vm?

virtuald Nov 5, 2014

@SvenDowideit No, please open this ticket again. The certificates that boot2docker generates as of 1.3.x for the user is for connecting to the docker daemon, not a private docker registry with custom certificates.

@tianon tianon reopened this Nov 5, 2014

tianon Nov 5, 2014

Contributor

Indeed, this issue is about the other certificates. 👍

virtuald Nov 5, 2014

I realize this issue is about 'documentation', but the current process of adding a registry cert is annoying at best. I would recommend adding yet another boot2docker command (maybe addregistrycert) that copies the certificate to the right place on the permanent storage, and at boot time the iso copies all the certs to /etc/docker/certs.d/. For example, I'm using the following script in bootlocal.sh:

#!/bin/sh
sudo cp -r /var/lib/boot2docker/etc/docker /etc

SvenDowideit Nov 6, 2014

Contributor

@virtuald nice suggestion - wanna make a PR? :)

(and ugh - sorry, I was trying to do too much at once obviously)

virtuald Nov 6, 2014

My go-fu is a bit weaker than I would like, and I have about 3 other projects that I'm behind on. However, should be easy enough for someone familiar with the codebase to do. ;)

metcalfc Nov 13, 2014

Contributor

I see at least 3 approaches in this issue. I'm happy to do the work but which of them is the best practice?

  1. append the cert to /etc/ssl/certs/ca-certificates.crt
  2. do the hash magic that update-ca-certificates would do
  3. copies all the certs to /etc/docker/certs.d/
virtuald Nov 13, 2014

I like option 3.

thaJeztah Nov 13, 2014

+1 on option 3

aseppala Nov 20, 2014

+1 on option 3

pohl Dec 19, 2014

I'm having an issue that may be related, but I'm not sure: I work for an organization that has a certificate-rewriting proxy and it is getting in the way with my attempts to even use the public registry at Docker Hub. I am just learning Docker, so I'm curious whether the steps outlined in this PR discussion would also apply to my situation.

http://stackoverflow.com/questions/27536180/docker-on-mac-behind-proxy-that-changes-ssl-certificate

SvenDowideit Dec 22, 2014

Contributor

+1 on option 3 :)

@pohl oh gads, basically, you're in an organisation that's attacking you. I would probably make a docker container that runs some kind of vpn like proxy (i'm thinking ssh) to talk to my own host out there on the internet. and then have the Docker daemon talk to that proxy container. (using --insecure-registry

btrepp Dec 22, 2014

I'm in the same situation, it basically involved manually putting the certificates in boot2dockers VM, not exactly elegant.

Running a VPN/ssh is most likely difficult in corporate land too; machines can only get to the internet through the proxies (that MITM ssl). So you can't exactly punch out via port 22 :S

SvenDowideit Dec 22, 2014

Contributor

/me is evil and runs an ssh daemon on port 80.

btrepp Dec 23, 2014

Even still, it has to go through a corporate proxy. So you are either muxing ssh over http (this sounds horrible!), or you have a special ssh server that works with CONNECT https calls.

That technique may also draw the ire of the enterprisey security guys that are trying to MITM you anyway. My usual approach is to make my apps use the corporate certs. If they want to inspect a whole bunch of binary data they are free to do it :)

I imagine there is a way to get bootlocal to install the certs, but atm I'm personally having 0 success with having bootlocal.sh even run.

SvenDowideit Dec 23, 2014

Contributor

oh? ok, then we need to work that out. The only persistent place on your b2d, is /var/lib/boot2docker - a script called /var/lib/boot2docker/bootlocal.sh (and it can't be a bash script) will run at startup - though after the docker daemon has started, so you'll probably need to restart that...

btrepp Dec 23, 2014

I have managed to get it working with bootlocal.sh :) This is obviously dependent on my setup here (I'm using fiddler2 to operate as an open proxy for local apps on my machine, and it is re-signing the connection again). So if you are on windows and have a corporate proxy this should help you

> cat /var/lib/boot2docker/bootlocal.sh
#!/bin/sh

# fetch Fiddler's root cert (DER) from the host and convert it to PEM
curl -s --resolve localhost:8888:10.0.2.2 http://localhost:8888/FiddlerRoot.cer | openssl x509 -inform der -outform pem -out /etc/ssl/certs/fiddler.pem
# create the subject-hash symlink that OpenSSL's lookup expects
ln -s /etc/ssl/certs/fiddler.pem /etc/ssl/certs/`openssl x509 -hash -in /etc/ssl/certs/fiddler.pem -noout 2>/dev/null`.0
# append the certificate itself (not just its path) to the bundle
cat /etc/ssl/certs/fiddler.pem >> /etc/ssl/certs/ca-certificates.crt

echo "export http_proxy=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export https_proxy=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export HTTP_PROXY=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export HTTPS_PROXY=http://10.0.2.2:8888" >> /home/docker/.ashrc

It basically grabs the certificate from fiddler, runs it through openssl to be in openssl format and puts it where it needs to be. Then I set the proxy as needed.
I'm not 100% sure if the docker daemon would need to be restarted, and obviously it needs the profile persistence file setup to use the proxy too, but this should be workable with updates etc going forward.

@SvenDowideit SvenDowideit added this to the v1.5.0 milestone Dec 27, 2014

spencerkohan Dec 31, 2014

I ended up using bootlocal.sh as well - it was pretty easy to just symlink to certs.d from a local directory with the expected structure:

#!/bin/sh

mkdir /etc/docker
ln -s /path/to/certs/dir /etc/docker/certs.d

The certificates just have to be somewhere accessible from inside the VM.

hairyhenderson Jan 21, 2015

Just wanted to add my experience since it took me so long to figure this out ;)

I decided to follow @steeve's advice and put my certs right in the image. @kfish's followup was also useful, except it took me a head-scratching hour to figure out why this wasn't working in the Dockerfile.

The problem was that /etc/ssl/certs/ca-certificates.crt gets overwritten at boot time, so I added a command to the /etc/init.d/rcS script.

Here's what I ended up with:

FROM boot2docker/boot2docker

RUN mkdir -p $ROOTFS/usr/local/share/ca-certificates/foo.com
COPY foo.crt $ROOTFS/usr/local/share/ca-certificates/foo.com
RUN mkdir -p $ROOTFS/usr/local/etc/ssl/certs && \
  cd $ROOTFS/usr/local/etc/ssl/certs && \
  ln -s /usr/local/share/ca-certificates/foo.com/foo.crt foo.crt && \
  export hash=`openssl x509 -hash -in $ROOTFS/usr/local/share/ca-certificates/foo.com/foo.crt | head -n1` && \
  ln -s foo.crt $hash.0 && \
  echo "cat /usr/local/share/ca-certificates/foo.com/foo.crt >> /usr/local/etc/ssl/certs/ca-certificates.crt" >> $ROOTFS/etc/init.d/rcS

RUN /make_iso.sh
CMD ["cat", "boot2docker.iso"]

irgeek Jan 22, 2015

I had to solve this for a second time today as I restarted the VM without realising the way I did it last time wouldn't be persisted. So I created /var/lib/boot2docker/certs/, chucked all of the private certs I need in there and created /var/lib/boot2docker/bootlocal.sh to install them. Gisted for everyone's downloading pleasure: https://gist.github.com/irgeek/afb2e05775fff532f960

Some notes about the certs in the /var/lib/boot2docker/certs/ directory:

  • They need to be PEM formatted
  • If you're behind a corporate MITM proxy, you should add all the certificates in the chain.
  • One cert per file. If you've been given a chain file, just split out the individual certs. Naming the files based on subject makes figuring out what's there so much easier too. For the lazy, the following commands will split a chain file into individual files and rename them based on the certificate subject:
mkdir certs
split -p BEGIN ${CHAIN_FILE} chain-cert-
for i in chain-cert-*; do mv $i certs/$(openssl x509 -noout -subject -in $i | grep -o "CN=.*" | cut -c4- | tr " /" "_"); done

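
Option 3 from the thread (one directory per registry under /etc/docker/certs.d) combined with @irgeek's notes on PEM format, full chains and one cert per file, as an added host-side helper that is not part of this thread or of boot2docker: it splits a chain file, refuses any private key block, checks that each block is base64-encoded DER, validates the registry name, and stages registry.example.com:5000/ca.crt, ca-1.crt, ... under a certs.d directory that bootlocal.sh can then copy or symlink to /etc/docker/certs.d. The registry name, the file names and SAMPLE_CHAIN (two stand-in DER blobs, not real certificates) are constructed for this example.

```python
"""Stage a registry CA chain in Docker's certs.d layout (constructed example).

Docker trusts <certs.d>/<host[:port]>/*.crt as CA certificates for that one
registry only, so the chain never has to go into the system-wide store and
--insecure-registry is not needed to get past "certificate signed by unknown
authority".
"""
import base64
import os
import re
import tempfile

# One PEM block; the label is captured so BEGIN and END must agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample chain: two stand-in DER SEQUENCEs, not real certificates.
# The leading "Bag Attributes" line imitates junk left by keychain/pkcs12 exports.
SAMPLE_CHAIN = """\
Bag Attributes: <ignored>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""


def split_pem_chain(text):
    """Return each CERTIFICATE block of a chain file as its own PEM string.

    Refuses the whole file if it carries a private key (an exported
    "mycert.pem" often does) so a key never lands in a trust directory,
    and rejects bodies that are not base64-encoded DER.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            raise ValueError("chain file contains a private key; refusing")
        if label != "CERTIFICATE":
            continue  # e.g. CERTIFICATE REQUEST: not a trust anchor
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every DER certificate is a SEQUENCE
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % "\n".join(lines))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs


def registry_dir_name(registry):
    """Check that `registry` is the bare host[:port] the client will use.

    The directory name is matched literally against the registry reference
    given to `docker login`/`docker pull`; a scheme, a path or an empty name
    (as in /etc/docker/certs.d//) silently never matches.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+(?::[0-9]{1,5})?", registry):
        raise ValueError("registry must be host[:port], got %r" % (registry,))
    return registry


def install_registry_ca(certs_d, registry, chain_text):
    """Write the chain into certs_d/<registry>/ and return the written paths.

    The first certificate becomes ca.crt (the name the daemon's own error
    message suggests); further chain certificates become ca-1.crt, ca-2.crt
    and so on, since the daemon loads every *.crt in the directory.
    """
    target = os.path.join(certs_d, registry_dir_name(registry))
    os.makedirs(target, exist_ok=True)
    written = []
    for i, pem in enumerate(split_pem_chain(chain_text)):
        path = os.path.join(target, "ca.crt" if i == 0 else "ca-%d.crt" % i)
        with open(path, "w") as fh:
            fh.write(pem)
        os.chmod(path, 0o644)  # public material, but not writable by others
        written.append(path)
    return written


def demo():
    """Stage SAMPLE_CHAIN for a constructed registry in a scratch directory."""
    certs_d = tempfile.mkdtemp(prefix="certs.d-")
    paths = install_registry_ca(certs_d, "registry.example.com:5000", SAMPLE_CHAIN)
    return [os.path.relpath(p, certs_d) for p in paths]


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

The staged directory is what a bootlocal.sh like @spencerkohan's symlinks to /etc/docker/certs.d; the daemon still has to be restarted after bootlocal.sh runs, as noted above.
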
koliyo Feb 5, 2015

@irgeek Thank you, this setup works for me!
Before this I tried adding EXTRA_ARGS="--insecure-registry my.registry.domain:port"
to /var/lib/boot2docker/profile but this only solves half the problem, I still get the
x509: certificate signed by unknown authority response.

hordemark Feb 12, 2015

@irgeek +1, works for me

rickli1989 Feb 12, 2015

@irgeek +1, works for me

roma86 Apr 3, 2015

Adding my two cents' worth. Connecting docker to a private registry is an unexpectedly hard procedure.
I have installed the official docker-registry behind an nginx ssl proxy with basic auth.
Testing the connection to this registry from my mac:

# port 80 redirect to 301 as setup
$ curl cwt-registry.com
<head><title>301 Moved Permanently</title></head>
# wrong auth password
$ curl --user kdocker:'**' --cacert ~/Downloads/ca.pem  https://cwt-registry.com
<head><title>401 Authorization Required</title></head>
# correct user/login
$ curl --user kdocker:'*****' --cacert ~/Downloads/ca.pem  https://cwt-registry.com
"\"docker-registry server\""
# v1/_ping also works
$ curl --user kdocker:'Ju3ke*3h499(sdj0)sd5e2' --cacert ~/Downloads/ca.pem  https://cwt-registry.com/v1/_ping
"{}"

I used the methods described @mickep76 and @irgeek

But every time I get the same error:

$ docker login cwt-registry.com

"Error response from daemon: v1 ping attempt failed with error: Get https://cwt-registry.com/v1/_ping ...
simply place the CA certificate at /etc/docker/certs.d/cwt-registry.com/ca.crt"

Following this message I tried this:

docker@boot2docker:~$ sudo vi /var/lib/boot2docker/bootlocal.sh
sudo mkdir -p "/etc/docker/certs.d/cwt-registry.com"
sudo cp "/var/lib/boot2docker/certs/ca.pem" "/etc/docker/certs.d/cwt-registry.com/ca.crt"
exit

$ boot2docker restart
$ boot2docker ssh

docker@boot2docker:~$ sudo ls /etc/docker/certs.d/cwt-registry.com/
ca.crt

Finally, same result.

I cannot understand why it is so hard.

I am sorry, @jacoelho, can you explain your method of resolving this issue? I can run an ubuntu container in the way that you describe, but how should it help connect to a private registry?

tlightsky May 26, 2015

@mickep76 +1,works well for me

lily93 Jun 16, 2015

In my case nothing is working - I am using boot2docker under windows..
I added the certificate in /etc/docker/certs.d// and in /usr/share/local/ca-certificates as .crt
and also in /etc/ssl/certs as .pem file

I also copied the .pem into .boot2docker/certs/boot2docker-vm..

Restarted everything and still cannot login... via firefox I can ping the registry and in ubuntu everything works fine :/

Please help!!!

@mkozjak

mkozjak commented Jul 7, 2015

@mickep76 +1, thanks!!

@adampats

adampats commented Jul 15, 2015

👍

@flychen50

flychen50 commented Jul 23, 2015

@mickep76 thank you, +1

@daagar

daagar Aug 19, 2015

The solution presented by @irgeek above worked fine for docker 1.7.1/boot2docker - however, it seems to no longer be sufficient for Docker 1.8.1b via a Toolbox installation.

I've added the needed cert to /var/lib/boot2docker/certs, and created the necessary bootlocal.sh script. This does allow 'docker pull' to get past the x509 error. However, the pull itself still fails (from the client, with a 'Can't reach any registry endpoint'). The following shows the relevant excerpt from docker.log. Note that once outside of the company network on the same installation, a 'docker pull' works fine. I'm commenting here as I still believe it is something going wonky with the certs, but I can open this as a new issue if that's not the case.

time="2015-08-19T14:13:25.025194341Z" level=debug msg="Calling POST /images/create"
time="2015-08-19T14:13:25.025268176Z" level=info msg="POST /v1.20/images/create?fromImage=hello-world%3Alatest"
time="2015-08-19T14:13:25.025758796Z" level=debug msg="Trying to pull hello-world from https://registry-1.docker.io v2"
time="2015-08-19T14:13:25.576184346Z" level=debug msg="Fetched 1 base graphs at 2015-08-19 14:13:25.57615336 +0000 UTC"
time="2015-08-19T14:13:25.584767097Z" level=debug msg="Reloaded graph with 3 grants expiring at 2017-03-22 19:04:46.713978458 +0000 UTC"
time="2015-08-19T14:13:26.397998709Z" level=debug msg="Pulling tag from V2 registry: \"latest\""
time="2015-08-19T14:13:27.414716213Z" level=debug msg="v2 error: errcode.Error unauthorized: access to the requested resource is not authorized"
time="2015-08-19T14:13:27.415026858Z" level=debug msg="Error trying v2 registry: unauthorized: access to the requested resource is not authorized"
time="2015-08-19T14:13:27.415058513Z" level=debug msg="Trying to pull hello-world from https://index.docker.io v1"
time="2015-08-19T14:13:27.483446594Z" level=debug msg="Fetched 1 base graphs at 2015-08-19 14:13:27.483413884 +0000 UTC"
time="2015-08-19T14:13:27.483511319Z" level=debug msg="hostDir: /etc/docker/certs.d/docker.io"
time="2015-08-19T14:13:27.484138172Z" level=debug msg="[registry] Calling GET https://index.docker.io/v1/repositories/library/hello-world/images"
time="2015-08-19T14:13:27.495658509Z" level=debug msg="Reloaded graph with 3 grants expiring at 2017-03-22 19:04:46.713978458 +0000 UTC"
time="2015-08-19T14:13:29.542515521Z" level=debug msg="Retrieving the tag list"
time="2015-08-19T14:13:29.967607311Z" level=debug msg="Got status code 401 from https://registry-1.docker.io/v1/repositories/library/hello-world/tags/latest"
time="2015-08-19T14:13:29.967762474Z" level=error msg="unable to get remote tags: Could not reach any registry endpoint"
time="2015-08-19T14:13:29.968026579Z" level=debug msg="Not continuing with error: Could not reach any registry endpoint"
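In the excerpt above the x509 error is gone and an HTTP 401 has taken its place: the daemon got an HTTP response from the registry endpoint, so the TLS connection was established and the trust store is no longer the blocker; what remains is an authentication (or intercepting proxy) problem. As an added example that is not part of this thread, the shell functions below triage a docker.log excerpt on that basis; the function names are my own and the sample lines in the test are constructed from the messages quoted above.

```shell
#!/bin/sh
# Added example, not from this thread: triage a docker daemon log excerpt.
# Precedence matters: any x509 message means the daemon still does not trust
# the registry's certificate chain; a 401/unauthorized with no x509 message
# means TLS succeeded and the failure is authentication or a proxy in between.

# Usage: classify_pull_failure <logfile>; prints exactly one of
#   tls-trust   : an "x509: ..." message is present (trust store problem)
#   auth        : "status code 401" / "unauthorized" but no x509 message
#   unreachable : "Could not reach any registry endpoint" with neither above
#   ok          : none of the above
classify_pull_failure() {
    log="$1"
    if grep -q 'x509: ' "$log"; then
        echo tls-trust
    elif grep -Eq 'status code 401|unauthorized' "$log"; then
        echo auth
    elif grep -q 'Could not reach any registry endpoint' "$log"; then
        echo unreachable
    else
        echo ok
    fi
}

# Registry endpoints the daemon tried, in order (it falls back from v2 to v1),
# printed as "<url> <version>" one per line.
endpoints_tried() {
    sed -n 's/.*Trying to pull [^ ]* from \(https:\/\/[^ ]*\) \(v[12]\)".*/\1 \2/p' "$1"
}
```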

@smalltown

smalltown Sep 17, 2015

Just like @daagar said, I cannot work around it by the same method either; when the Docker version is higher than 1.8.1 via a Toolbox installation, the only thing I can do is to add the EXTRA_ARGS="--insecure-registry https://#{Host Name}:#{Port Number}" parameter in /var/lib/boot2docker/profile and use docker-machine to restart the boot2docker, then I can use the docker login feature...

@livecano

livecano Sep 18, 2015

Can you guys confirm whether the actual workaround in the documentation, Using self-signed certificates, is valid for docker > 1.8.1 via Toolbox? I placed my CA in the folder /etc/docker/certs.d/domain:8080/ca.crt, which points to the private registry, and it is still not working at all. I wonder if there is any way to use the self-signed certificate without having to add the flag --insecure-registry to the configuration.

@varsy

varsy Nov 12, 2015

I've installed Docker Toolbox on Mac instead of boot2docker and now it can't work with an insecure registry. I don't have any /var/lib/boot2docker/profile file, and nothing happened even when I created one with EXTRA_ARGS. Placing my ca.cert at /etc/docker/certs.d/.../ca.crt inside the VM doesn't work either.
As for me, the following workaround helped. Edit /etc/init.d/docker inside your VirtualBox VM:

vars@andreysizov-mbp:~ » docker-machine ssh default
docker@default:~$ sudo vi /etc/init.d/docker

Add line:

...
test -f '/var/lib/boot2docker/profile' && . '/var/lib/boot2docker/profile'

EXTRA_ARGS="--insecure-registry docker-registry.labs.intellij.net"
...

Restart docker service:

docker@default:~$ sudo /etc/init.d/docker stop
docker@default:~$ sudo /etc/init.d/docker start

@olimsaidov

olimsaidov commented Nov 23, 2015

@varsy, Thank you!

@Shuliyey

Shuliyey Feb 23, 2016

As far as I know boot2docker doesn't come with any certificate import tools, so this makes it a bit difficult to add an SSL certificate to your certificate bundle.

But you can still do it manually.

  • make sure you have your self-signed certificate in PEM format; usually this file has the .crt file type. Copy the file to /usr/local/share/ca-certificates
sudo cp <your_crt_file> /usr/local/share/ca-certificates/
  • check again that this crt file of yours is in PEM format; the below command should return 1 if it is in PEM format, otherwise you should convert your crt file to PEM format.
cat /usr/local/share/ca-certificates/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l
  • (optional) you should verify that the fingerprint of this certificate does match the original certificate you created, but this step is not necessary as long as you are sure the crt file you are trying to import into the ca-bundle can be trusted
openssl x509 -noout -fingerprint -in /usr/local/share/ca-certificates/<your_crt_file>
  • create a .pem symlink in /etc/ssl/certs pointing to your original certificate location
sudo ln -s /usr/local/share/ca-certificates/<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem
  • create a hash symlink (this hash symlink should end with the .0 extension) in /etc/ssl/certs pointing to the previous .pem symlink you just created
cd /etc/ssl/certs && sudo ln -s <the_previous_pem_symlink_you_created> `openssl x509 -noout -hash -in /usr/local/share/ca-certificates/<your_crt_file>`.0
  • last step, for extra assurance, append the content of your crt file to /etc/ssl/certs/ca-certificates.crt. Please do this step carefully; it's always a good idea to back up the /etc/ssl/certs/ca-certificates.crt file before doing this step (in case you actually overwrite the file instead of modifying it)
sudo -i -u root
cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificates.crt
exit

If you have done all the above steps correctly you should get something like this (remember when you do the grep, grep for your crt file name without the file type. In my case I just grep "blue", short for "bluecoat")

infinityadmin@mep-openstack1:/etc/ssl/certs$ ls -l /etc/ssl/certs | grep blue
lrwxrwxrwx 1 root root     12 Feb  5 07:56 37b52fd1.0 -> bluecoat.pem
lrwxrwxrwx 1 root root     45 Feb  5 07:56 bluecoat.pem -> /usr/local/share/ca-certificates/bluecoat.crt

In my case, bluecoat.crt is my crt_file, bluecoat.pem is the pem symlink file I created pointing to my bluecoat.crt, and 37b52fd1.0 is the hash symlink (ending with the .0 extension) I created pointing to my pem symlink.

For more information, you can read this article
http://gagravarr.org/writing/openssl-certs/others.shtml

The final thing to do, to have more assurance, is to restart the docker daemon

sudo /etc/init.d/docker restart

But again, I would still like to stress that it would be great if boot2docker could come with a certificate bundle update tool like update-ca-certificates in Ubuntu or update-ca-trust in CentOS
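The manual steps above, as one script. This is an added example and not code from the thread or from boot2docker: the function names are mine, and the optional second argument (a root prefix, "/" on the real VM) is an assumption that lets the script be exercised against a scratch directory. It refuses a file that is not exactly one PEM certificate or that carries a private key, creates the .pem and <subject hash>.0 symlinks the way the ls output above shows, backs up the bundle before appending, and does not append the same certificate twice on a re-run.

```shell
#!/bin/sh
# Added example, not part of the thread or of boot2docker: scripted version of the
# manual trust-store steps. The root prefix (2nd argument) is an assumption so the
# script can run against a scratch directory; on the VM it is "/".
set -eu

# Number of PEM certificate blocks in a file; a CA file for the bundle needs exactly one.
pem_cert_count() {
    grep -c -- '-----BEGIN .*CERTIFICATE-----' "$1" || true
}

# A private key must never end up in a trust bundle, so refuse such files.
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# First base64 line of the certificate body, used to detect an already-installed copy.
cert_body_marker() {
    awk '/-----BEGIN .*CERTIFICATE-----/ { f = 1; next } f { print; exit }' "$1"
}

install_ca_cert() {
    crt="$1"
    root="${2:-/}"; root="${root%/}"
    share="$root/usr/local/share/ca-certificates"
    certs="$root/etc/ssl/certs"
    name=$(basename "$crt"); name="${name%.*}"

    [ -r "$crt" ] || { echo "cannot read $crt" >&2; return 1; }
    [ "$(pem_cert_count "$crt")" -eq 1 ] || { echo "$crt is not a single PEM certificate" >&2; return 1; }
    if contains_private_key "$crt"; then echo "$crt contains a private key, refusing" >&2; return 1; fi

    mkdir -p "$share" "$certs"
    cp "$crt" "$share/$name.crt"
    # .pem symlink in /etc/ssl/certs pointing at the real file
    ln -sf "$share/$name.crt" "$certs/$name.pem"
    # <subject hash>.0 symlink: the name OpenSSL looks up when it walks the cert directory
    hash=$(openssl x509 -noout -hash -in "$share/$name.crt")
    ln -sf "$name.pem" "$certs/$hash.0"

    # Append to the bundle once, keeping a backup of the previous bundle.
    bundle="$certs/ca-certificates.crt"
    marker=$(cert_body_marker "$crt")
    if [ -f "$bundle" ] && grep -qxF -- "$marker" "$bundle"; then
        echo "already in bundle: $name" >&2
        return 0
    fi
    [ -f "$bundle" ] && cp "$bundle" "$bundle.bak"
    cat "$share/$name.crt" >> "$bundle"
    echo "installed $name as $certs/$hash.0; restart the docker daemon to pick it up" >&2
}

# On the VM, as root: install_ca_cert /path/to/your.crt /
```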

@tobilarscheid

tobilarscheid Feb 23, 2016

Hi,

thanks for your input. This really helped a lot! Actually, this is the only working way for boot2docker.

Two additions:

Shouldn't this

ln -s /usr/local/share/ca-certificate.<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem

rather be

ln -s /usr/local/share/ca-certificates/<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem

??

Also, in this statement:

cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificate.crt

the last part should be

cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificates.crt

@Shuliyey

Shuliyey Feb 23, 2016

thanks @tobilarscheid, you are right 😄

I've fixed the typo ;). Cheers 👍

@daagar

daagar Feb 25, 2016

Holy cow, that works @Shuliyey! I do still need a copy of the *.pem files to be in /var/lib/boot2docker/certs as well but otherwise that was the magic voodoo to finally hit the official docker hub from inside a MITM certificate rewrite proxy.

@Shuliyey

Shuliyey Feb 25, 2016

thank you @daagar, glad it worked 😄.

sorry, I'm actually trying to understand the /var/lib/boot2docker/certs part: do you mean that if the certificate is not in /var/lib/boot2docker/certs, you actually still won't be able to do docker pull/push (even with certificates updated in /etc/ssl/certs/)?

Interesting case, does it apply to both cases?

  • doing a docker pull/push from a host terminal (so not in the boot2docker vm, but on the Windows/Mac host)
  • doing a docker pull/push inside the boot2docker vm

I believe the /var/lib/boot2docker repository is mainly used to provide the communication between the boot2docker guest VM and the host OS (Windows/Mac). So I'm trying to get a better understanding of how boot2docker manages its certificate verification

you can do

docker-machine ssh default

to get into the boot2docker os vm 😄

@Shuliyey

Shuliyey Feb 26, 2016

thanks @mickep76 +1 👍

the changes made to the boot2docker / partition will be overwritten every time docker-machine is restarted. So the /var/lib/boot2docker/bootlocal.sh is useful in this case to keep your changes.

  • create the /var/lib/boot2docker/bootlocal.sh file and set the execution permission correctly
sudo touch /var/lib/boot2docker/bootlocal.sh && sudo chmod +x /var/lib/boot2docker/bootlocal.sh
  • put your self-signed crt file at /var/lib/boot2docker/certs/; this path can actually be any path that keeps its files saved (instead of overwritten on docker-machine restart). E.g. /home/docker/ can also be a good choice
sudo mkdir /var/lib/boot2docker/certs
mv <your_crt_file> /var/lib/boot2docker/certs/
  • add the changes to be made into /var/lib/boot2docker/bootlocal.sh (in this case, we're adding the certificate to /etc/docker/certs.d/<docker_registry_url>)
mkdir -p /etc/docker/certs.d/<your_docker_registry_url> && cp <your_crt_file_location> /etc/docker/certs.d/<your_docker_registry_url>/
  • restart docker-machine
# if the terminal is actually the docker-machine VM terminal
sudo reboot
# if the terminal was started using the Docker Quickstart Terminal
docker-machine restart <machine_name>

Note: in my case these are the contents of my /var/lib/boot2docker/bootlocal.sh

mkdir -p /etc/docker/certs.d/registry.mev-rancher.dev.tech.local && cp /var/lib/boot2docker/certs/radiance.crt /etc/docker/certs.d/registry.mev-rancher.dev.tech.local/
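The persistence procedure above as one idempotent script, added here as an example that is not from the thread or from boot2docker. The function name and the optional root-prefix argument ("/" on the real VM) are my assumptions; it keeps the certificate under /var/lib/boot2docker/certs with a .pem name (the extension boot2docker's own loader picks up, as noted later in this thread), and adds a single line to bootlocal.sh that copies it to /etc/docker/certs.d/<registry>/ca.crt on every boot, where <registry> is the host, or host:port, exactly as it appears in the registry URL.

```shell
#!/bin/sh
# Added example, not part of the thread or of boot2docker: persist a registry CA
# across docker-machine restarts via the bootlocal.sh hook described above.
# The root prefix (3rd argument) is an assumption so the script can be exercised
# against a scratch directory; on the VM it is "/".
set -eu

# stage_registry_ca <crt> <registry-host[:port]> [root]
#  - keeps the certificate under /var/lib/boot2docker/certs (survives reboots) as *.pem
#  - appends one line to /var/lib/boot2docker/bootlocal.sh (only if not already present)
#    that copies it into /etc/docker/certs.d/<registry>/ca.crt at boot
stage_registry_ca() {
    crt="$1"; registry="$2"
    root="${3:-/}"; root="${root%/}"
    persist="$root/var/lib/boot2docker"
    hook="$persist/bootlocal.sh"
    name=$(basename "$crt"); name="${name%.*}"

    grep -q -- '-----BEGIN .*CERTIFICATE-----' "$crt" || { echo "$crt is not a PEM certificate" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY-----' "$crt"; then
        echo "$crt holds a private key; stage only the CA certificate" >&2; return 1
    fi

    mkdir -p "$persist/certs"
    cp "$crt" "$persist/certs/$name.pem"

    # The line runs as root at boot inside the VM, so it uses the VM's real paths,
    # never the root prefix used for testing.
    line="mkdir -p /etc/docker/certs.d/$registry && cp /var/lib/boot2docker/certs/$name.pem /etc/docker/certs.d/$registry/ca.crt"
    [ -f "$hook" ] || printf '#!/bin/sh\n' > "$hook"
    if ! grep -qxF -- "$line" "$hook"; then
        printf '%s\n' "$line" >> "$hook"
    fi
    chmod 755 "$hook"
    echo "staged $name.pem for $registry; restart the VM (docker-machine restart <machine_name>) to apply" >&2
}
```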

@kumlali

kumlali Feb 26, 2016

Thanks @Shuliyey. In my environment (Docker Toolbox 1.9.1i & Windows 7), copying certificate files to /var/lib/boot2docker/certs is enough. I do not need to create /etc/docker/certs.d/<your_docker_registry_url> and copy files to it.

@ALL
After I spent significant time making Docker Toolbox on Windows behind a proxy work, I decided to create a small project to help others: https://github.com/kumlali/windocker.

Hope you'll find it useful.

@Shuliyey

Shuliyey Feb 28, 2016

@kumlali nice, it would be great also to integrate this into Kitematic. If we could configure the proxy and SSL settings inside the Kitematic GUI (like in the settings page), it would make proxy and certificate configuration much easier.

@so0k

so0k Mar 16, 2016

ok, so since Boot2Docker 1.6 any certs you place in /var/lib/boot2docker/certs are automatically loaded for you - cool

see: https://github.com/boot2docker/boot2docker/pull/807/files

@nicklozon

nicklozon Apr 1, 2016

@Shuliyey thanks for this. My company performs a man in the middle attack, so I had to export the cert from windows certificate manager, copy it into my vm and use openssl to convert it from DER to PEM format with a .crt extension, then followed your instructions.

@gotgenes

gotgenes May 31, 2016

Contributor

ok, so since Boot2Docker 1.6 any certs you place in /var/lib/boot2docker/certs are automatically loaded for you - cool

see: https://github.com/boot2docker/boot2docker/pull/807/files

If you're arriving here from Google, the above is the proper solution to, "How do I use self-signed certificates when using boot2docker?"

Note, though, at the moment, only certificates that end with .pem will be processed. (I have submitted PR #1167 that would also process certificates ending in .crt per the Docker self-signed certificate instructions.) If you place your certificate in /var/lib/boot2docker/certs/ but it doesn't work, make sure it's in PEM format, and make sure the file name ends with ".pem".

@magnayn

magnayn Jun 16, 2016

I've followed the self-signed cert instructions, used the certificate in an nginx proxy, added the cert in /var/lib/boot2docker/certs (actually in my boot2docker 1.11.2, that directory did not exist) and I still get

x509: certificate signed by unknown authority

@gotgenes

gotgenes Jun 16, 2016

Contributor

@magnayn Did you reboot your boot2docker instance after adding your certificates to /var/lib/boot2docker/certs? boot2docker will not process the certificates until a reboot takes place. In my case, I issued

docker-machine reboot <boot2docker_instance>

Also, yes, by default there is no certs directory in /var/lib/boot2docker; I had to create it, too.

@magnayn

magnayn Jun 16, 2016

Good to know that the need to create the certs directory is normal.

Yes, I rebooted the docker-machine. curl is perfectly happy if I tell it
about the cert on the commandline.

@so0k

so0k Jun 16, 2016

Could you try these instructions? http://docker-saigon.github.io/post/Private-Registry-Setup/ it includes adding trust for self signed CA

@Shuliyey

Shuliyey Jun 18, 2016

@magnayn interesting, the boot2docker 1.11 version of docker should work if the certificate is placed in /var/lib/boot2docker/certs.
Did you put the public certificate (which is not the private key) in /var/lib/boot2docker/certs?

Could you do the below and verify your certificate (which you put under /var/lib/boot2docker/certs)?

cat /var/lib/boot2docker/certs/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l # this should return 1

😄

Shuliyey commented Jun 18, 2016

@magnayn Interesting, the boot2docker 1.11 version of docker should work if the certificate is placed in /var/lib/boot2docker/certs.
Did you put the public certificate (which is not the private key) in /var/lib/boot2docker/certs?

Could you do the below and verify your certificate (which you put under /var/lib/boot2docker/certs)?

cat /var/lib/boot2docker/certs/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l # this should return 1

😄

softwarevamp commented Jun 18, 2017

The container host does trust the certificate, but not the container itself.
When I run ruby I got the below:

Fetching source index from https://rubygems.org/

Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

the container SHOULD trust it also.

so0k commented Jun 18, 2017

@softwarevamp - for containers to trust CAs from the host, mount the host certs dir and run update-certificates before starting the process in the container?

MetinSolmaz commented May 3, 2018

In Boot2Docker (version 17.10.0-ce), for me it only worked when the certificate was called 'ca.crt' in a folder named with the hostname for which the certificate was used.

So copy the certificate as follows:
/var/lib/boot2docker/etc/docker/certs.d//ca.crt


In Boot2Docker 18.05.0-ce using self-signed certificates, it seems to be enough to copy the ca.crt and cert.pem to /etc/docker/certs.d/{hostname} in a bootsync.sh script.

Boot2Docker version 18.05.0-ce, build HEAD : b5d6989 - Thu May 10 16:35:28 UTC 2018 Docker version 18.05.0-ce, build f150324
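Putting together Shuliyey's grep check and the bootsync.sh approach above, here is an added example (not code from this thread or from the boot2docker project) that installs per-registry CA files into a certs.d-style tree and refuses any file that is not purely a certificate. It assumes a SRC/<hostname>/ca.crt layout under the persistent certs directory, takes both paths as parameters, and the PEM bodies in the sample tree are constructed placeholders, not real certificates.

```shell
# Added example, not boot2docker's own bootsync.sh: copy per-registry CA files
# from a persistent tree (e.g. /var/lib/boot2docker/certs/<hostname>/ca.crt)
# into <dst>/<hostname>/ca.crt (e.g. /etc/docker/certs.d), refusing anything
# that is not purely a PEM certificate. Both paths are parameters.

# Return 0 if FILE holds at least one PEM certificate and no private key.
# This is the thread's grep check plus a guard against installing a key.
check_cert_file() {
    file="$1"
    [ -r "$file" ] || return 1
    if grep -q 'PRIVATE KEY' "$file"; then
        return 1   # a key or a key+cert bundle: never publish this as a CA
    fi
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    [ "$n" -ge 1 ]
}

# Install SRC/<host>/ca.crt to DST/<host>/ca.crt when it passes the check;
# prints the number of registries installed.
install_registry_cas() {
    src="$1"; dst="$2"; installed=0
    for d in "$src"/*/; do
        [ -d "$d" ] || continue
        host=$(basename "$d")
        if ! check_cert_file "$d/ca.crt"; then
            echo "skipping $host: ca.crt missing or not a bare certificate" >&2
            continue
        fi
        mkdir -p "$dst/$host"
        cp "$d/ca.crt" "$dst/$host/ca.crt"
        chmod 0644 "$dst/$host/ca.crt"
        installed=$((installed + 1))
    done
    echo "$installed"
}

# Constructed sample tree (placeholder PEM bodies, not real certificates):
# one registry with a bare certificate, one where a private key was dropped in.
write_sample_tree() {
    mkdir -p "$1/registry.example.internal" "$1/wrong.example.internal"
    printf -- '-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n' \
        > "$1/registry.example.internal/ca.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n' \
        > "$1/wrong.example.internal/ca.crt"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_tree "$tmp/src"
    install_registry_cas "$tmp/src" "$tmp/dst"   # prints 1: wrong.* is skipped
}
```

In a real bootsync.sh the call would be install_registry_cas /var/lib/boot2docker/certs /etc/docker/certs.d, and the skipped hostnames on stderr tell you which registry still needs attention.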
