Documentation: How to add a self-signed certificate #347

Closed
kennu opened this Issue May 9, 2014 · 65 comments

@kennu
kennu commented May 9, 2014

I'm trying to use a private Docker image registry with a self-signed certificate. But I can't find documentation on how to add the self-signed certificate to boot2docker, so that the Docker client would accept it.

@SvenDowideit
Member

oh wow. I've not gone there myself, so it needs someone to spend some time nutting out the details :/

@steeve
Contributor
steeve commented May 12, 2014

I think you might need to rebuild the image with your certificate in it.

@kennu
kennu commented May 12, 2014

I can see a bunch of preinstalled certificates in /usr/local/etc/ssl/certs/, but I just can't figure out how to add my own. I think in Ubuntu/Debian, one would copy it there and run "update-ca-certificates". Perhaps that command could be added to boot2docker?

@steeve
Contributor
steeve commented May 12, 2014

The certificates are installed when unpacking the openssl.tcz TCL package.

In any case, you'll need to execute these on your own Dockerfile, the ISO rootfs is in $ROOTFS:

FROM boot2docker/boot2docker

RUN <whatever>
ADD mycertif $ROOTFS/....

RUN /make_iso.sh
CMD ["cat", "boot2docker.iso"]
@SvenDowideit
Member

OR, you can use your persistence partition and add the data and scripts to /var/lib/boot2docker and call the script from a /var/lib/boot2docker/bootlocal.sh which you create.

@kfish
kfish commented Jul 10, 2014

To add mycert.pem (exported from your keychain on osx-host) to a running boot2docker, copy it over, symlink it and symlink its hash:

osx-host$ boot2docker ssh
# Picture of a whale
docker@boot2docker:~$ scp username@osx-host:Documents/mycert.pem /tmp
docker@boot2docker:~$ sudo -s
root@boot2docker:~$ mv /tmp/mycert.pem /usr/local/share/ca-certificates
root@boot2docker:~$ cd /etc/ssl/certs
root@boot2docker:/etc/ssl/certs$ ln -s /usr/local/share/ca-certificates/mycert.pem .
root@boot2docker:/etc/ssl/certs$ openssl x509 -hash -noout -in mycert.pem
# This will output an 8 hex digit hash hhhhhhhh (without -noout the certificate itself follows it)
root@boot2docker:/etc/ssl/certs$ ln -s mycert.pem hhhhhhhh.0

I found this out by examining the c_rehash script, which update-ca-certificates would run if it and perl existed on boot2docker.

@SvenDowideit
Member

docker/docker#6890

I hope to be adding code to the boot2docker iso to generate the cert, and then export it to host system.

@btrepp
btrepp commented Sep 8, 2014

@kfish I also had to append the cert to /etc/ssl/certs/ca-certificates.crt

Though boot2docker uses tce, so I'm not sure if this will disappear if the machine is rebooted?

I'm using docker as a provider in vagrant.

@magnusart

Has the documentation been resolved yet?

I tried the instructions above in the boot2docker VM. But I only get an empty error when trying to do docker login:

2014/10/25 22:52:50 Error response from daemon:

boot2docker version information

Boot2Docker-cli version: v1.3.0
Git commit: deafc19
@virtuald
virtuald commented Nov 4, 2014

It would be good to make this process significantly easier than it currently is, since as of 1.3.1 docker no longer allows connections to non-SSL registries. We need an easy way to deposit the certificate in a place that will persist, otherwise we will need to copy the cert each time we boot2docker up.

@SvenDowideit
Member

@virtuald the boot2docker cli tool does all this for you automatically when you run boot2docker up

the certificates are auto-generated during VM bootup, and then are copied to the right place - and $(boot2docker shellinit) will set the 3 environment variables you need for the Docker client to just work.

and so I'm going to close this PR - I think it's adding confusion about manual steps you don't do anymore

@btrepp
btrepp commented Nov 5, 2014

How does boot2docker know what certificates to use? I thought this was about specifying custom certificates?

Is there a folder/place we need to put them to have boot2docker cli's grab them and place them in the vm?

@virtuald
virtuald commented Nov 5, 2014

@SvenDowideit No, please open this ticket again. The certificates that boot2docker generates as of 1.3.x for the user are for connecting to the docker daemon, not a private docker registry with custom certificates.

@tianon tianon reopened this Nov 5, 2014
@tianon
Contributor
tianon commented Nov 5, 2014

Indeed, this issue is about the other certificates. 👍

@virtuald
virtuald commented Nov 5, 2014

I realize this issue is about 'documentation', but the current process of adding a registry cert is annoying at best. I would recommend adding yet another boot2docker command (maybe addregistrycert) that copies the certificate to the right place on the permanent storage, and at boot time the iso copies all the certs to /etc/docker/certs.d/. For example, I'm using the following script in bootlocal.sh:

#!/bin/sh
sudo cp -r /var/lib/boot2docker/etc/docker /etc
@SvenDowideit
Member

@virtuald nice suggestion - wanna make a PR? :)

(and ug - sorry, I was trying to do too much at once obviously)

@virtuald
virtuald commented Nov 6, 2014

My go-fu is a bit weaker than I would like, and I have about 3 other projects that I'm behind on. However, should be easy enough for someone familiar with the codebase to do. ;)

@metcalfc
Contributor

I see at least 3 approaches in this issue. I'm happy to do the work but which of them is the best practice?

  1. append the cert to /etc/ssl/certs/ca-certificates.crt
  2. do the hash magic that update-ca-certificates would do
  3. copy all the certs to /etc/docker/certs.d/
@virtuald

I like option 3.

@thaJeztah

+1 on option 3

@aseppala

+1 on option 3

@pohl
pohl commented Dec 19, 2014

I'm having an issue that may be related, but I'm not sure: I work for an organization that has a certificate-rewriting proxy and it is getting in the way with my attempts to even use the public registry at Docker Hub. I am just learning Docker, so I'm curious whether the steps outlined in this PR discussion would also apply to my situation.

http://stackoverflow.com/questions/27536180/docker-on-mac-behind-proxy-that-changes-ssl-certificate

@SvenDowideit
Member

+1 on option 3 :)

@pohl oh gads, basically, you're in an organisation that's attacking you. I would probably make a docker container that runs some kind of vpn-like proxy (I'm thinking ssh) to talk to my own host out there on the internet, and then have the Docker daemon talk to that proxy container (using --insecure-registry).

@btrepp
btrepp commented Dec 22, 2014

I'm in the same situation; it basically involved manually putting the certificates in boot2docker's VM, not exactly elegant.

Running a VPN/ssh is most likely difficult in corporate land too, machines can only get to the internet through the proxies (that MITM ssl). So you can't exactly punch out via port 22 :S

@SvenDowideit
Member

/me is evil and runs an ssh daemon on port 80.

@btrepp
btrepp commented Dec 23, 2014

Even still, it has to go through a corporate proxy. So you are either muxing ssh over http (this sounds horrible!), or you have a special ssh server that works with CONNECT https calls.

That technique may also draw the ire of the enterprisey security guys that are trying to MITM you anyway. My usual approach is to make my apps use the corporate certs. If they want to inspect a whole bunch of binary data they are free to do it :)

I imagine there is a way to get bootlocal to install the certs, but atm I'm personally having 0 success with having bootlocal.sh even run.

@SvenDowideit
Member

oh? ok, then we need to work that out. The only persistent place on your b2d, is /var/lib/boot2docker - a script called /var/lib/boot2docker/bootlocal.sh (and it can't be a bash script) will run at startup - though after the docker daemon has started, so you'll probably need to restart that...

@btrepp
btrepp commented Dec 23, 2014

I have managed to get it working with bootlocal.sh :) This is obviously dependent on my setup here (I'm using fiddler2 to operate as an open proxy for local apps on my machine, and it is resigning the connection again). So if you are on Windows and have a corporate proxy this should help you

> cat /var/lib/boot2docker/bootlocal.sh
#!/bin/sh

# fetch Fiddler's root cert (DER) from the host and convert it to PEM
curl -s --resolve localhost:8888:10.0.2.2 http://localhost:8888/FiddlerRoot.cer | openssl x509 -inform der -outform pem -out /etc/ssl/certs/fiddler.pem
# create the <subject hash>.0 symlink that OpenSSL looks up
ln -s /etc/ssl/certs/fiddler.pem /etc/ssl/certs/`openssl x509 -hash -in /etc/ssl/certs/fiddler.pem -noout 2>/dev/null`.0
# append the certificate contents (not just the path) to the bundle
cat /etc/ssl/certs/fiddler.pem >> /etc/ssl/certs/ca-certificates.crt

echo "export http_proxy=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export https_proxy=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export HTTP_PROXY=http://10.0.2.2:8888" >> /home/docker/.ashrc
echo "export HTTPS_PROXY=http://10.0.2.2:8888" >> /home/docker/.ashrc

It basically grabs the certificate from fiddler, runs it through openssl to be in openssl format and puts it where it needs to be. Then I set the proxy as needed.
I'm not 100% sure if the docker daemon would need to be restarted, and obviously it needs the profile persistence file set up to use the proxy too, but this should be workable with updates etc going forward.

@SvenDowideit SvenDowideit added this to the v1.5.0 milestone Dec 27, 2014
@spencerkohan

I ended up using bootlocal.sh as well - it was pretty easy to just symlink to certs.d from a local directory with the expected structure:

#!/bin/sh

mkdir /etc/docker
ln -s /path/to/certs/dir /etc/docker/certs.d

The certificates just have to be somewhere accessible from inside the VM.

@hairyhenderson

Just wanted to add my experience since it took me so long to figure this out ;)

I decided to follow @steeve's advice and put my certs right in the image. @kfish's followup was also useful, except it took me a head-scratching hour to figure out why this wasn't working in the Dockerfile.

The problem was that /etc/ssl/certs/ca-certificates.crt gets overwritten at boot time, so I added a command to the /etc/init.d/rcS script.

Here's what I ended up with:

FROM boot2docker/boot2docker

RUN mkdir -p $ROOTFS/usr/local/share/ca-certificates/foo.com
COPY foo.crt $ROOTFS/usr/local/share/ca-certificates/foo.com
RUN mkdir -p $ROOTFS/usr/local/etc/ssl/certs && \
  cd $ROOTFS/usr/local/etc/ssl/certs && \
  ln -s /usr/local/share/ca-certificates/foo.com/foo.crt foo.crt && \
  export hash=`openssl x509 -hash -in $ROOTFS/usr/local/share/ca-certificates/foo.com/foo.crt | head -n1` && \
  ln -s foo.crt $hash.0 && \
  echo "cat /usr/local/share/ca-certificates/foo.com/foo.crt >> /usr/local/etc/ssl/certs/ca-certificates.crt" >> $ROOTFS/etc/init.d/rcS

RUN /make_iso.sh
CMD ["cat", "boot2docker.iso"]
@irgeek
irgeek commented Jan 22, 2015

I had to solve this for a second time today as I restarted the VM without realising the way I did it last time wouldn't be persisted. So I created /var/lib/boot2docker/certs/, chucked all of the private certs I need in there and created /var/lib/boot2docker/bootlocal.sh to install them. Gisted for everyone's downloading pleasure: https://gist.github.com/irgeek/afb2e05775fff532f960

Some notes about the certs in the /var/lib/boot2docker/certs/ directory:

  • They need to be PEM formatted
  • If you're behind a corporate MITM proxy, you should add all the certificates in the chain.
  • One cert per file. If you've been given a chain file, just split out the individual certs. Naming the files based on subject makes figuring out what's there so much easier too. For the lazy, the following commands will split a chain file into individual files and rename them based on the certificate subject:
mkdir certs
split -p BEGIN ${CHAIN_FILE} chain-cert-
for i in chain-cert-*; do mv $i certs/$(openssl x509 -noout -subject -in $i | grep -o "CN=.*" | cut -c4- | tr " /" "_"); done
@kolis
kolis commented Feb 5, 2015

@irgeek Thank you, this setup works for me!
Before this I tried adding EXTRA_ARGS="--insecure-registry my.registry.domain:port"
to /var/lib/boot2docker/profile but this only solves half the problem, I still get the
x509: certificate signed by unknown authority response.

@hordemark

@irgeek +1, works for me

@rickli1989

@irgeek +1, works for me

@mickep76

I got it working in a similar manner:

boot2docker ssh
sudo tee /var/lib/boot2docker/bootlocal.sh << EOF >/dev/null
#!/bin/sh
curl http://<myserver>/ca.crt >>/etc/ssl/certs/ca-certificates.crt
EOF
sudo chmod +x /var/lib/boot2docker/bootlocal.sh
exit
boot2docker restart
@kevinsimper

My files are not copied into boot2docker? Anybody know why? Or is there something else you have to do to make @irgeek's solution work?

@jacoelho
jacoelho commented Apr 2, 2015

Couldn't we use a container for this?
docker run -v /etc/ssl/certs/:/etc/ssl/certs/ -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates ubuntu

add certificates and run all the needed commands

this should work (not tested yet)

@0xE282B0
0xE282B0 commented Apr 2, 2015

@jacoelho great approach, thanks! Sometimes the simplest solutions are the best.

@roma86
roma86 commented Apr 3, 2015

Adding my two cents' worth. Connecting docker to a private registry is an unexpectedly hard procedure.
I have installed the official docker-registry under an nginx ssl proxy with basic auth.
Testing the connection to this registry from my mac:

# port 80 redirect to 301 as setup
$ curl cwt-registry.com
<head><title>301 Moved Permanently</title></head>
# wrong auth password
$ curl --user kdocker:'**' --cacert ~/Downloads/ca.pem  https://cwt-registry.com
<head><title>401 Authorization Required</title></head>
# correct user/login
$ curl --user kdocker:'*****' --cacert ~/Downloads/ca.pem  https://cwt-registry.com
"\"docker-registry server\""
# v1/_ping also works
$ curl --user kdocker:'Ju3ke*3h499(sdj0)sd5e2' --cacert ~/Downloads/ca.pem  https://cwt-registry.com/v1/_ping
"{}"

I used the methods described by @mickep76 and @irgeek

But every time I get the same error:

$ docker login cwt-registry.com

"Error response from daemon: v1 ping attempt failed with error: Get https://cwt-registry.com/v1/_ping ...
simply place the CA certificate at /etc/docker/certs.d/cwt-registry.com/ca.crt"

Following this message, I tried this

docker@boot2docker:~$ sudo vi /var/lib/boot2docker/bootlocal.sh
sudo mkdir -p "/etc/docker/certs.d/cwt-registry.com"
sudo cp "/var/lib/boot2docker/certs/ca.pem" "/etc/docker/certs.d/cwt-registry.com/ca.crt"
exit

$ boot2docker restart
$ boot2docker ssh

docker@boot2docker:~$ sudo ls /etc/docker/certs.d/cwt-registry.com/
ca.crt

Finally, same result.

I cannot understand why it is so hard.

I am sorry, @jacoelho, can you explain your method of resolving this issue? I can run an ubuntu container in the way that you describe, but how should it help connect to a private registry?

@tlightsky

@mickep76 +1, works well for me

@lily93
lily93 commented Jun 16, 2015

In my case nothing is working - I am using boot2docker under Windows.
I added the certificate in /etc/docker/certs.d// and in /usr/share/local/ca-certificates as .crt
and also in /etc/ssl/certs as a .pem file

I also copied the .pem into .boot2docker/certs/boot2docker-vm..

Restarted everything and still cannot log in... via Firefox I can ping the registry and in ubuntu everything works fine :/

Please help!!!

@mkozjak
mkozjak commented Jul 7, 2015

@mickep76 +1, thanks!!

@adampats

👍

@flychen50

@mickep76 thank you, +1

@daagar
daagar commented Aug 19, 2015

The solution presented by @irgeek above worked fine for docker 1.7.1/boot2docker - however, it seems to no longer be sufficient for Docker 1.8.1b via a Toolbox installation.

I've added the needed cert to /var/lib/boot2docker/certs, and created the necessary bootlocal.sh script. This does allow 'docker pull' to get past the x509 error. However, the pull itself still fails (from the client, with a 'Can't reach any registry endpoint'). The following shows the relevant excerpt from docker.log. Note that once outside of the company network on the same installation, a 'docker pull' works fine. I'm commenting here as I still believe it is something going wonky with the certs, but I can open this as a new issue if that's not the case.

time="2015-08-19T14:13:25.025194341Z" level=debug msg="Calling POST /images/create"
time="2015-08-19T14:13:25.025268176Z" level=info msg="POST /v1.20/images/create?fromImage=hello-world%3Alatest"
time="2015-08-19T14:13:25.025758796Z" level=debug msg="Trying to pull hello-world from https://registry-1.docker.io v2"
time="2015-08-19T14:13:25.576184346Z" level=debug msg="Fetched 1 base graphs at 2015-08-19 14:13:25.57615336 +0000 UTC"
time="2015-08-19T14:13:25.584767097Z" level=debug msg="Reloaded graph with 3 grants expiring at 2017-03-22 19:04:46.713978458 +0000 UTC"
time="2015-08-19T14:13:26.397998709Z" level=debug msg="Pulling tag from V2 registry: \"latest\""
time="2015-08-19T14:13:27.414716213Z" level=debug msg="v2 error: errcode.Error unauthorized: access to the requested resource is not authorized"
time="2015-08-19T14:13:27.415026858Z" level=debug msg="Error trying v2 registry: unauthorized: access to the requested resource is not authorized"
time="2015-08-19T14:13:27.415058513Z" level=debug msg="Trying to pull hello-world from https://index.docker.io v1"
time="2015-08-19T14:13:27.483446594Z" level=debug msg="Fetched 1 base graphs at 2015-08-19 14:13:27.483413884 +0000 UTC"
time="2015-08-19T14:13:27.483511319Z" level=debug msg="hostDir: /etc/docker/certs.d/docker.io"
time="2015-08-19T14:13:27.484138172Z" level=debug msg="[registry] Calling GET https://index.docker.io/v1/repositories/library/hello-world/images"
time="2015-08-19T14:13:27.495658509Z" level=debug msg="Reloaded graph with 3 grants expiring at 2017-03-22 19:04:46.713978458 +0000 UTC"
time="2015-08-19T14:13:29.542515521Z" level=debug msg="Retrieving the tag list"
time="2015-08-19T14:13:29.967607311Z" level=debug msg="Got status code 401 from https://registry-1.docker.io/v1/repositories/library/hello-world/tags/latest"
time="2015-08-19T14:13:29.967762474Z" level=error msg="unable to get remote tags: Could not reach any registry endpoint"
time="2015-08-19T14:13:29.968026579Z" level=debug msg="Not continuing with error: Could not reach any registry endpoint"
@smalltown

Just like @daagar said, I cannot work around it with the same method either; when the Docker version is higher than 1.8.1 via a Toolbox installation, the only thing I can do is add the EXTRA_ARGS="--insecure-registry https://#{Host Name}:#{Port Number}" parameter in /var/lib/boot2docker/profile and use docker-machine to restart the boot2docker, and then I can use the docker login feature...

@livecano

Can you guys confirm if the actual workaround in the documentation, Using self-signed certificates, is valid for docker > 1.8.1 via Toolbox? I placed my ca in the folder /etc/docker/certs.d/domain:8080/ca.crt which points to the private registry and it is still not working at all. I wonder if there is any way to use the self-signed certificate without having to add the flag --insecure-registry to the configuration.

@varsy
varsy commented Nov 12, 2015

I've installed Docker Toolbox on Mac instead of boot2docker and now it can't work with an insecure registry. I don't have any /var/lib/boot2docker/profile file and nothing happened even when I created one with EXTRA_ARGS. Placing my ca.cert at /etc/docker/certs.d/.../ca.crt inside the VM doesn't work either.
As for me, the following workaround helped. Edit /etc/init.d/docker inside your virtualbox VM:

vars@andreysizov-mbp:~ » docker-machine ssh default
docker@default:~$ sudo vi /etc/init.d/docker

Add line:

...
test -f '/var/lib/boot2docker/profile' && . '/var/lib/boot2docker/profile'

EXTRA_ARGS="--insecure-registry docker-registry.labs.intellij.net"
...

Restart docker service:

docker@default:~$ sudo /etc/init.d/docker stop
docker@default:~$ sudo /etc/init.d/docker start
@olimsaidov

@varsy, Thank you!

@Shuliyey

as far as I know boot2docker doesn't come with any certificate import tools, so this makes it a bit difficult to add an ssl certificate to your certificate bundle.

But you can still do it manually.

  • make sure you have your self-signed certificate in PEM format; usually this file has the .crt file type. Copy the file to /usr/local/share/ca-certificates
sudo cp <your_crt_file> /usr/local/share/ca-certificates/
  • check again that this crt file of yours is in PEM format; the command below should return 1 if it is in PEM format, otherwise you should convert your crt file to PEM format.
cat /usr/local/share/ca-certificates/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l
  • (optional) you should verify that the fingerprint of this certificate does match the original certificate you created, but this step is not necessary as long as you are sure the crt file you are trying to import into the ca-bundle can be trusted
openssl x509 -noout -fingerprint -in /usr/local/share/ca-certificates/<your_crt_file>
  • create a .pem symlink in /etc/ssl/certs pointing to your original certificate location
sudo ln -s /usr/local/share/ca-certificates/<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem
  • create a hash symlink (this hash symlink should end with the .0 extension) in /etc/ssl/certs pointing to the .pem symlink you just created
cd /etc/ssl/certs && sudo ln -s <the_previous_pem_symlink_you_created> `openssl x509 -noout -hash -in /usr/local/share/ca-certificates/<your_crt_file>`.0
  • last step, for extra assurance, append the content of your crt file to /etc/ssl/certs/ca-certificates.crt. Please do this step carefully; it's always a good idea to back up the /etc/ssl/certs/ca-certificates.crt file before doing this step (in case you actually overwrite the file instead of appending to it)
sudo -i -u root
cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificates.crt
exit

If you have done all the above steps correctly you should get something like this (remember when you do the grep, grep for your crt file name without the file type. In my case I just grep "blue", short for "bluecoat")

infinityadmin@mep-openstack1:/etc/ssl/certs$ ls -l /etc/ssl/certs | grep blue
lrwxrwxrwx 1 root root     12 Feb  5 07:56 37b52fd1.0 -> bluecoat.pem
lrwxrwxrwx 1 root root     45 Feb  5 07:56 bluecoat.pem -> /usr/local/share/ca-certificates/bluecoat.crt

In my case
the bluecoat.crt is my crt_file, bluecoat.pem is the pem symlink file I created pointing to my bluecoat.crt. 37b52fd1.0 is the hash symlink (ending with the .0 extension) I created pointing to my pem symlink.

For more information, you can read this article
http://gagravarr.org/writing/openssl-certs/others.shtml

The final thing to do to have more assurance is to restart docker daemon

sudo /etc/init.d/docker restart

But again, I would still like to address that it would be great if boot2docker can come with a certificate bundle update tool like update-ca-certificates in Ubuntu or update-ca-trust in CentOS
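As an added example (not code from the boot2docker project or from anyone in this thread), here is a POSIX sh script that does what the manual steps from @kfish, @irgeek and @Shuliyey describe, with the checks a practitioner wants: PEM validation that rejects private keys, a portable chain splitter, c_rehash-style handling of subject-hash collisions, and no duplicate bundle entries when it runs again on every boot. The paths in the trailing usage comment are the ones this thread uses; the function names and the store-by-fingerprint file naming are my assumptions.

```shell
#!/bin/sh
# Added example (not boot2docker project code): install PEM CA certificates the
# way update-ca-certificates / c_rehash would, producing what the manual steps in
# this thread produce by hand: a copy in a store dir, a <subjecthash>.N symlink
# in the trust dir, and one appended copy in the bundle. Also splits chain files.
# Assumptions: openssl on PATH; the four paths are writable (run as root on
# boot2docker, or pass scratch directories).
set -eu

# split_chain CHAINFILE OUTDIR: write each certificate of a PEM chain file to
# OUTDIR/cert-N.pem with awk (the BSD-only `split -p` is not on boot2docker).
# Prints how many certificates were written.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# is_pem_cert FILE: exactly one PEM certificate, no private key, parseable.
is_pem_cert() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
        ! grep -q -- 'PRIVATE KEY-----' "$1" &&
        openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# cert_fp FILE: SHA-256 fingerprint as bare hex, the cert's stable identity.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/.*=//; s/://g'
}

# bundle_has BUNDLE FP: true if a certificate with fingerprint FP is in BUNDLE.
bundle_has() {
    [ -s "$1" ] || return 1
    btmp=$(mktemp -d)
    split_chain "$1" "$btmp" >/dev/null
    rc=1
    for bc in "$btmp"/cert-*.pem; do
        [ -e "$bc" ] && [ "$(cert_fp "$bc")" = "$2" ] && { rc=0; break; }
    done
    rm -rf "$btmp"
    return $rc
}

# install_ca CERT STOREDIR TRUSTDIR BUNDLE: copy CERT into STOREDIR, create the
# TRUSTDIR/<hash>.N symlink OpenSSL looks up (N steps past links to different
# certs that share the subject hash, as c_rehash does) and append to BUNDLE
# unless that fingerprint is already there. Re-running changes nothing.
# Prints the symlink name.
install_ca() {
    cert=$1; store=$2; trust=$3; bundle=$4
    is_pem_cert "$cert" || { echo "skipping $cert: not a single PEM certificate" >&2; return 1; }
    fp=$(cert_fp "$cert")
    hash=$(openssl x509 -noout -hash -in "$cert")
    mkdir -p "$store" "$trust"
    store=$(cd "$store" && pwd)   # absolute, so the symlink resolves from anywhere
    stored="$store/$(printf '%s' "$fp" | cut -c1-16).crt"
    [ -e "$stored" ] || cp "$cert" "$stored"
    n=0
    while [ -e "$trust/$hash.$n" ] && [ "$(cert_fp "$trust/$hash.$n")" != "$fp" ]; do
        n=$((n + 1))
    done
    [ -e "$trust/$hash.$n" ] || ln -s "$stored" "$trust/$hash.$n"
    # append once; add a newline if the cert file lacks a trailing one
    bundle_has "$bundle" "$fp" || { cat "$cert"; [ -z "$(tail -c1 "$cert")" ] || echo; } >> "$bundle"
    echo "$hash.$n"
}

# install_chain CHAINFILE STOREDIR TRUSTDIR BUNDLE: split a chain file (e.g. the
# one a corporate proxy hands out) and install each certificate. Prints count.
install_chain() {
    ctmp=$(mktemp -d)
    split_chain "$1" "$ctmp" >/dev/null
    k=0
    for cc in "$ctmp"/cert-*.pem; do
        [ -e "$cc" ] || continue
        install_ca "$cc" "$2" "$3" "$4" >/dev/null && k=$((k + 1))
    done
    rm -rf "$ctmp"
    echo "$k"
}

# On boot2docker, call this from /var/lib/boot2docker/bootlocal.sh (the trust
# dir is rebuilt at boot) and restart the docker daemon afterwards, e.g.:
#   install_ca /var/lib/boot2docker/certs/corp-root.pem \
#     /usr/local/share/ca-certificates /etc/ssl/certs /etc/ssl/certs/ca-certificates.crt
```

Because the bundle is rewritten at boot, this must run from bootlocal.sh on every start, and the daemon must be restarted after it, as @hairyhenderson and @SvenDowideit note above.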

@tobilarscheid

Hi,

thanks for your input. This really helped a lot! Actually, this is the only working way for boot2docker.

Two additions:

Shouldn't this

ln -s /usr/local/share/ca-certificate.<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem

rather be

ln -s /usr/local/share/ca-certificates/<your_crt_file> /etc/ssl/certs/<your_crt_file_name_without_the_file_type>.pem

??

Also, in this statement:

cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificate.crt

the last part should be

cat /usr/local/share/ca-certificates/<your_crt_file> >> /etc/ssl/certs/ca-certificates.crt

@Shuliyey

thanks @tobilarscheid, you are right 😄

I've fixed the typo ;). Cheers 👍

@daagar
daagar commented Feb 25, 2016

Holy cow, that works @Shuliyey! I do still need a copy of the *.pem files to be in /var/lib/boot2docker/certs as well but otherwise that was the magic voodoo to finally hit the official docker hub from inside a MITM certificate rewrite proxy.

@Shuliyey

thank you @daagar , glad it worked 😄 .

sorry I'm actually trying to understand the /var/lib/boot2docker/certs part, do you mean if the certificate is not in /var/lib/boot2docker/certs, you actually still won't be able to do docker pull/push (even with certificates updated in /etc/ssl/certs/)?

Interesting case, does it apply to both of the cases?

  • doing a docker pull/push from a host terminal (so not in the boot2docker vm, but on the Windows/Mac host)
  • doing a docker pull/push inside the boot2docker vm

I believe the /var/lib/boot2docker repository is mainly used to provide the communication between the boot2docker guest vm and the host OS (Windows/Mac). So I'm trying to get a better understanding on how boot2docker manages its certificates verification

you can do

docker-machine ssh default

to get into the boot2docker os vm 😄

@Shuliyey

thanks @mickep76 +1 👍

the changes that are made to the boot2docker partition drive will be overwritten every time docker-machine is restarted. So /var/lib/boot2docker/bootlocal.sh is useful in this case to keep your changes.

  • create the /var/lib/boot2docker/bootlocal.sh file and set the execution permission correctly
sudo touch /var/lib/boot2docker/bootlocal.sh && sudo chmod +x /var/lib/boot2docker/bootlocal.sh
  • put your self-signed crt file at /var/lib/boot2docker/certs/, this path can actually be any path, that can keep its files saved (instead of overwritten on docker-machine restart ). E.g. /home/docker/ can also be a good choice
sudo mkdir /var/lib/boot2docker/certs
mv <your_crt_file> /var/lib/boot2docker/certs/
  • add the changes to be made into /var/lib/boot2docker/bootlocal.sh, (In this case, we're adding the certificate to /etc/docker/certs.d/<docker_registry_url>)
mkdir -p /etc/docker/certs.d/<your_docker_registry_url> && cp <your_crt_file_location> /etc/docker/certs.d/<your_docker_registry_url>/
  • restart docker-machine
# If terminal is actually the docker-machine VM terminal
sudo reboot
# if terminal is started using docker quick start terminal
docker-machine restart <machine_name>

Note: In my case this is my contents in /var/lib/boot2docker/bootlocal.sh

mkdir -p /etc/docker/certs.d/registry.mev-rancher.dev.tech.local && cp /var/lib/boot2docker/certs/radiance.crt /etc/docker/certs.d/registry.mev-rancher.dev.tech.local/
@kumlali
kumlali commented Feb 26, 2016

Thanks @Shuliyey. In my environment (Docker Toolbox 1.9.1i & Windows 7), copying certificate files to /var/lib/boot2docker/certs is enough. I do not need to create /etc/docker/certs.d/<your_docker_registry_url> and copy files to it.

@all
After I spent significant time to make Docker Toolbox on Windows behind proxy to work, I decided to create a small project to help others: https://github.com/kumlali/windocker.

Hope you'll find it useful.

@Shuliyey

@kumlali nice, it would be great also to integrate this into Kitematic. If we can configure the proxy and ssl settings inside the Kitematic GUI (like in the settings page), it would make proxy and certificate configuration much easier.

@so0k
so0k commented Mar 16, 2016

ok, so since Boot2Docker 1.6 any certs you place in /var/lib/boot2docker/certs are automatically loaded for you - cool

see: https://github.com/boot2docker/boot2docker/pull/807/files

@nicklozon

@Shuliyey thanks for this. My company performs a man in the middle attack, so I had to export the cert from windows certificate manager, copy it into my vm and use openssl to convert it from DER to PEM format with a .crt extension, then followed your instructions.

@gotgenes
Contributor
gotgenes commented May 31, 2016 edited

ok, so since Boot2Docker 1.6 any certs you place in /var/lib/boot2docker/certs are automatically loaded for you - cool

see: https://github.com/boot2docker/boot2docker/pull/807/files

If you're arriving here from Google, the above is the proper solution to, "How do I use self-signed certificates when using boot2docker?"

Note, though, at the moment, only certificates that end with .pem will be processed. (I have submitted PR #1167 that would also process certificates ending in .crt per the Docker self-signed certificate instructions.) If you place your certificate in /var/lib/boot2docker/certs/ but it doesn't work, make sure it's in PEM format, and make sure the file name ends with ".pem".

@magnayn
magnayn commented Jun 16, 2016

I've followed the self-signed cert instructions, used the certificate in an nginx proxy, added the cert in /var/lib/boot2docker/certs (actually in my boot2docker 1.11.2, that directory did not exist) and I still get

x509: certificate signed by unknown authority

@gotgenes
Contributor

@magnayn Did you reboot your boot2docker instance after adding your certificates to /var/lib/boot2docker/certs? boot2docker will not process the certificates until a reboot takes place. In my case, I issued

docker-machine reboot <boot2docker_instance>

Also, yes, by default there is no certs directory in /var/lib/boot2docker; I had to create it, too.

@magnayn
magnayn commented Jun 16, 2016

Good to know that the need to create the certs directory is normal.

Yes, I rebooted the docker-machine. curl is perfectly happy if I tell it about the cert on the commandline.


@so0k
so0k commented Jun 16, 2016

Could you try these instructions? http://docker-saigon.github.io/post/Private-Registry-Setup/ it includes adding trust for self signed CA

@Shuliyey

@magnayn interesting, the boot2docker 1.11 version of docker should work if the certificate is placed in /var/lib/boot2docker/certs
did you put the public certificate (which is not the private key) in /var/lib/boot2docker/certs?

if you could do the below and verify your certificate (which you put under /var/lib/boot2docker/certs)

cat /var/lib/boot2docker/certs/<your_crt_file> | grep 'BEGIN.* CERTIFICATE' | wc -l # this should return 1

😄

@bbodenmiller bbodenmiller added a commit to bbodenmiller/boot2docker that referenced this issue Aug 21, 2016
@bbodenmiller bbodenmiller document better way to add registry certificates
fix #347
4d88f11
@tianon tianon closed this in #1195 Aug 23, 2016
@0zeroth 0zeroth referenced this issue in docker/docker Dec 5, 2016
Open

Create tutorial for multi-host swarm #29118
