This repository has been archived by the owner on Jan 1, 2021. It is now read-only.

(Wildcard?) Registry certificate CA issues OSX / Virtualbox #805

Open
erikogan opened this issue Mar 31, 2015 · 8 comments
Labels
question Usability question, not directly related to an error with Boot2Docker

Comments

@erikogan

I know I must be missing something obvious, but I cannot docker login to a private registry using a non-standard (wildcard, Comodo EssentialSSL) SSL/TLS certificate.

I installed boot2docker & Virtualbox via the OSX Boot2Docker-1.5.0.pkg installer.

[Also: I know these files will be blown away on reboot. My goal was to get it working then get it repeatable, however if there is a better way to solve both issues simultaneously, I’d love to know]

All of the solutions I can find online are either A) for a debian VM/host, B) dangerously tell the user to just turn off SSL certificate validation with --insecure-registry or C) both.

I have placed the Comodo EssentialSSL CA bundle in the appropriate location and it does not seem to help.

Before:

docker@boot2docker:~$ docker login -u change  -e 'erik@change.org' docker.changeeng.org
Password:
FATA[0011] Error response from daemon: v1 ping attempt failed with error: Get https://docker.changeeng.org/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry docker.changeeng.org` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/docker.changeeng.org/ca.crt

That’s to be expected. However, after I add the CA bundle, I get a pruned error message (interestingly with a different error code):

docker@boot2docker:~$ sudo cp /tmp/ca.crt /etc/docker/certs.d/docker.changeeng.org/ca.crt
docker@boot2docker:~$ sudo /etc/init.d/docker restart
Need TLS certs for boot2docker,127.0.0.1,10.0.2.15,192.168.59.104
-------------------
docker@boot2docker:~$ docker login -u change  -e 'erik@change.org' docker.changeeng.org
Password:
FATA[0014] Error response from daemon: Server Error: Post https://docker.changeeng.org/v1/users/: x509: certificate signed by unknown authority

Just to confirm the bundle is correct, curl is happy to use it:

Without the CA bundle:

docker@boot2docker:~$ curl https://docker.changeeng.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
  <snip>

And with it:

docker@boot2docker:~$ sudo curl --cacert /etc/docker/certs.d/docker.changeeng.org/ca.crt https://docker.changeeng.org
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>

So that suggests to me that the bundle is not incorrect, but I am at a loss for where to go next.

@md5
Contributor

md5 commented Mar 31, 2015

Did you try pointing at a copy of your CA cert file with -tlscacert? The Mac OS X builds of Docker are cross-compiled, so they are not able to access local CA certificates in your system keychain. Not sure whether that's something you're doing, but I know it's a gotcha that users with corporate CAs encounter.

@md5
Contributor

md5 commented Mar 31, 2015

There are lots of issues and bug reports in the Docker ecosystem for this issue affecting various tools, but here's one I found: moby/moby#3946

I also recall a good discussion on one of the Docker Machine issue about possible workarounds.

@md5
Contributor

md5 commented Mar 31, 2015

Here it is: docker/machine#491 (comment)

@erikogan
Author

Thanks for your replies. I don’t think the cross-compilation is to blame, since all of the commands above were run inside the boot2docker VM. But still, it’s good to know that could be an issue.

I’ll go read the threads you linked and see if I can find a suitable workaround. Thanks.

@erikogan
Author

Complicating matters is that I’m running boot2docker in virtualbox to build a generic solution for the rest of the company. I have both CentOS 7 & boot2docker running in Parallels VMs configured via Vagrant, and neither one exhibits this behavior. It’s maddening!

(This is why I posted an issue in this repo: it seems specific to the specific boot2docker install)

@rossbachp
Contributor

Add your ca cert to /etc/ssl/certs/ca-certificates.crt

You must create an executable /var/lib/boot2docker/bootlocal.sh script:

#!/bin/sh
# Append the registry CA to the system bundle on every boot (the boot2docker rootfs is not persistent).
su - docker -c "cat /var/lib/boot2docker/docker.changeeng.org/ca.crt >>/etc/ssl/certs/ca-certificates.crt"

@SvenDowideit
Contributor

This is essentially (@rossbachp's advice) what #807 does.

Neither Docker 1.5 nor 1.6 seems to use the certs in /etc/docker/certs.d correctly.
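The bootlocal.sh approach above appends the CA on every boot; as an added example that is not from this thread or the boot2docker project, here is an idempotent variant that also populates the per-registry /etc/docker/certs.d path named in Docker's error message, and refuses non-PEM input. The registry hostname and all directory paths are parameters for the demo (assumptions), not boot2docker defaults.

```shell
#!/bin/sh
# Added example, not code from this thread or the boot2docker project.
# Installs a private-registry CA into the per-registry certs.d directory
# and appends it to the system bundle exactly once, so a script run from
# bootlocal.sh on every boot does not keep growing ca-certificates.crt.

# 0 if $1 is readable and contains at least one PEM certificate block.
is_pem_bundle() {
    [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the last base64 line of the first certificate in $1. That line
# holds the tail of the signature, so it is a cheap per-certificate key
# for checking whether the cert already sits in a concatenated bundle.
cert_key() {
    awk '/^-----END CERTIFICATE-----/ { print prev; exit } { prev = $0 }' "$1"
}

# install_registry_ca CA_FILE HOST CERTS_D SYSTEM_BUNDLE
# Returns 1 and changes nothing when CA_FILE is not a PEM bundle.
install_registry_ca() {
    ca=$1; host=$2; certsd=$3; sysbundle=$4
    is_pem_bundle "$ca" || { echo "refusing $ca: not a PEM bundle" >&2; return 1; }
    mkdir -p "$certsd/$host"
    cp "$ca" "$certsd/$host/ca.crt"          # the location Docker's error message asks for
    chmod 0644 "$certsd/$host/ca.crt"
    key=$(cert_key "$ca")
    if [ -n "$key" ] && [ -f "$sysbundle" ] && grep -qF -- "$key" "$sysbundle"; then
        return 0                             # already trusted system-wide: nothing to append
    fi
    cat "$ca" >> "$sysbundle"                # system-wide trust, as in the bootlocal.sh above
}

# Demo on a constructed (not real) certificate in a temporary directory.
demo() {
    d=$(mktemp -d); ca="$d/ca.crt"; bundle="$d/ca-certificates.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedNotARealCertificateBodyAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
        'AAAAconstructedSignatureTailUsedAsDedupKeyAAAAAAAAAAAAAAAAAAAAAAAA' \
        '-----END CERTIFICATE-----' > "$ca"
    install_registry_ca "$ca" docker.example.test "$d/certs.d" "$bundle"
    install_registry_ca "$ca" docker.example.test "$d/certs.d" "$bundle"
    grep -c 'BEGIN CERTIFICATE' "$bundle"   # prints 1, not 2: the second run was a no-op
    rm -rf "$d"
}
demo
```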

@schmunk42

I needed to update my docker daemon options, like so:

EXTRA_ARGS="--insecure-registry registry.example.com --insecure-registry https://registry.example.com/v1/" 

to work with docker and docker-compose; also, the trailing slash seems to be required since docker 1.6.

@wglambert wglambert added the question Usability question, not directly related to an error with Boot2Docker label Jul 2, 2018