
(Wildcard?) Registry certificate CA issues OSX / Virtualbox #805

Open
erikogan opened this Issue Mar 31, 2015 · 8 comments

erikogan commented Mar 31, 2015

I know I must be missing something obvious, but I cannot docker login to a private registry using a non-standard (wildcard, Comodo EssentialSSL) SSL/TLS certificate.

I installed boot2docker & Virtualbox via the OSX Boot2Docker-1.5.0.pkg installer.

[Also: I know these files will be blown away on reboot. My goal was to get it working then get it repeatable, however if there is a better way to solve both issues simultaneously, I’d love to know]

All of the solutions I can find online are either A) for a debian VM/host, B) dangerously tell the user to just turn off SSL certificate validation with --insecure-registry or C) both.

I have placed the Comodo EssentialSSL CA bundle in the appropriate location and it does not seem to help.

Before:

docker@boot2docker:~$ docker login -u change  -e 'erik@change.org' docker.changeeng.org
Password:
FATA[0011] Error response from daemon: v1 ping attempt failed with error: Get https://docker.changeeng.org/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry docker.changeeng.org` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/docker.changeeng.org/ca.crt

That’s to be expected. However, after I add the CA bundle, I get a pruned error message (interestingly with a different error code):

docker@boot2docker:~$ sudo cp /tmp/ca.crt /etc/docker/certs.d/docker.changeeng.org/ca.crt
docker@boot2docker:~$ sudo /etc/init.d/docker restart
Need TLS certs for boot2docker,127.0.0.1,10.0.2.15,192.168.59.104
-------------------
docker@boot2docker:~$ docker login -u change  -e 'erik@change.org' docker.changeeng.org
Password:
FATA[0014] Error response from daemon: Server Error: Post https://docker.changeeng.org/v1/users/: x509: certificate signed by unknown authority

Just to confirm the bundle is correct, curl is happy to use it:

Without the CA bundle:

docker@boot2docker:~$ curl https://docker.changeeng.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
  <snip>

And with it:

docker@boot2docker:~$ sudo curl --cacert /etc/docker/certs.d/docker.changeeng.org/ca.crt https://docker.changeeng.org
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>

So that suggests to me that the bundle is not incorrect, but I am at a loss for where to go next.

Contributor

md5 commented Mar 31, 2015

Did you try pointing at a copy of your CA cert file with -tlscacert? The Mac OS X builds of Docker are cross-compiled, so they are not able to access local CA certificates in your system keychain. Not sure whether that's something you're doing, but I know it's a gotcha that users with corporate CAs encounter.

Contributor

md5 commented Mar 31, 2015

There are lots of issues and bug reports in the Docker ecosystem for this issue affecting various tools, but here's one I found: moby/moby#3946

I also recall a good discussion on one of the Docker Machine issues about possible workarounds.


erikogan commented Mar 31, 2015

Thanks for your replies. I don’t think the cross-compilation is to blame, since all of the commands above were run inside the boot2docker VM. But still, it’s good to know that could be an issue.

I’ll go read the threads you linked and see if I can find a suitable workaround. Thanks.

erikogan commented Mar 31, 2015

Complicating matters is that I’m running boot2docker in virtualbox to build a generic solution for the rest of the company. I have both CentOS 7 & boot2docker running in Parallels VMs configured via Vagrant, and neither one exhibits this behavior. It’s maddening!

(This is why I posted an issue in this repo: it seems specific to the specific boot2docker install)

Contributor

rossbachp commented Apr 10, 2015

Add your ca cert to /etc/ssl/certs/ca-certificates.crt

You must create an executable /var/lib/boot2docker/bootlocal.sh script:

#!/bin/sh
# Runs at every boot of the VM; appends the registry CA to the system bundle
# so it survives the reboot that wipes /etc/docker/certs.d.
su - docker -c "cat /var/lib/boot2docker/docker.changeeng.org/ca.crt >>/etc/ssl/certs/ca-certificates.crt"
Contributor

SvenDowideit commented Apr 28, 2015

this is essentially (@rossbachp's advice) what #807 does.

neither Docker 1.5 nor 1.6 seems to use the certs in /etc/docker/certs.d correctly.
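A hardened variant of the bootlocal.sh approach in the two comments above, written here as an added example (it is not rossbachp's script, #807, or anything shipped by boot2docker): it refuses input that is not a PEM certificate, appends the CA to the system bundle only once rather than on every boot, and also drops a copy into /etc/docker/certs.d/<registry>/ca.crt for daemon versions that do honour that directory. The registry name registry.example.com and the source path under /var/lib/boot2docker are placeholder assumptions, overridable from the environment.

```shell
#!/bin/sh
# Hypothetical hardened /var/lib/boot2docker/bootlocal.sh (added example).
# Placeholder assumptions: the CA sits on the persistent partition at $SRC
# and the registry host is $REGISTRY; both can be overridden via environment.
REGISTRY="${REGISTRY:-registry.example.com}"
SRC="${SRC:-/var/lib/boot2docker/${REGISTRY}/ca.crt}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
CERTSD="${CERTSD:-/etc/docker/certs.d/${REGISTRY}}"

# is_pem_cert FILE: succeed only if FILE is non-empty and carries at least
# one PEM certificate block, so an empty file or a stray key is never appended.
is_pem_cert() {
    [ -s "$1" ] &&
        grep -q '^-----BEGIN CERTIFICATE-----$' "$1" &&
        grep -q '^-----END CERTIFICATE-----$' "$1"
}

# append_ca_once SRC BUNDLE: append SRC to BUNDLE unless it is already there.
# bootlocal.sh runs on every boot, so a bare ">>" grows the bundle each time.
# The first base64 line of a certificate body covers its serial number, which
# is enough to recognise a CA that was appended on an earlier boot.
append_ca_once() {
    src=$1 bundle=$2
    is_pem_cert "$src" || return 1
    marker=$(awk '/^-----BEGIN CERTIFICATE-----$/ { getline; print; exit }' "$src")
    if [ -f "$bundle" ] && grep -qF -- "$marker" "$bundle"; then
        return 0
    fi
    cat "$src" >> "$bundle"
}

# install_certsd SRC DIR: place the CA where the daemon's error message says
# it looks (certs.d/<registry>/ca.crt), world-readable and owner-writable.
install_certsd() {
    src=$1 dir=$2
    is_pem_cert "$src" || return 1
    mkdir -p "$dir" && cp "$src" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# Only act when the CA file is actually present on the persistent partition.
if [ -f "$SRC" ]; then
    append_ca_once "$SRC" "$BUNDLE" && install_certsd "$SRC" "$CERTSD"
fi
```

Restart the daemon after the script has run so it re-reads the bundle, as in the original report.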

schmunk42 commented May 29, 2015

I needed to update my docker daemon options, like so:

EXTRA_ARGS="--insecure-registry registry.example.com --insecure-registry https://registry.example.com/v1/" 

to work with docker and docker-compose, also the trailing slash seems to be required since docker 1.6.

@wglambert wglambert added the question label Jul 2, 2018
