Unable to login to docker registry using podman on macOS using certificate in keychain #11507

Closed
softinio opened this issue Sep 9, 2021 · 16 comments · Fixed by #12709

softinio commented Sep 9, 2021

Is this a FEATURE REQUEST? (leave only one on its own line)

/kind feature

Unable to login to docker registry using podman on macOS using keychain. When I try it I get this after entering username/password:

x509: certificate signed by unknown authority

Note that this works perfectly with docker, so not sure if it's a feature podman supports or not, or I am doing something wrong.

I have created a Stack Overflow question for it too, in case: https://stackoverflow.com/questions/69111227/unable-to-login-to-docker-registry-using-podman-on-macos-x509-certificate-sig

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

version: 3.2.3

Output of podman info --debug:

TBA

Package info (e.g. output of rpm -q podman or apt list podman):

brew install podman

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Used podman machine init and the default VM it uses

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 9, 2021
@guillaumerose (Contributor)

Just bringing some Docker Desktop knowledge about certs here:

First, when starting the VM, Docker Desktop takes all installed certs (in the keychain for macOS) on the host and pushes them into the VM (/etc/ssl/...).

Second, a user can have custom certs installed in a location like this:

~/.docker/certs.d/my.secure.registry/client.cert
~/.docker/certs.d/my.secure.registry/client.key

Docker Desktop will also put these files in the right place in the VM.

@vrothberg vrothberg added the macos MacOS (OSX) related label Sep 10, 2021
@Luap99 Luap99 added the machine label Sep 11, 2021

cgruver commented Nov 14, 2021

I am struggling with this issue as well. Although, it does work if you add --tls-verify=false to all of your Podman commands. So, "struggling" is perhaps a bit strong... ;-)

However, since I have trusted the certs for my local registry, it would be nice if there were a way to inject them into the VM that podman machine creates.

@rdean-csx

I ran into this issue yesterday and haven't gotten much traction on a solution.

There's a --certs-dir option on the podman pull command within the VM that doesn't exist on the Mac side. I assume this is because the cert would have to be part of the ignition file at VM startup.

I found this link that suggests that certificates could be added to the CoreOS vm through an entry in the storage.files key:
https://ask.fedoraproject.org/t/how-to-add-certificates-to-coreos-truststore/15031

Would this work for passing in the CA cert, and is there any guidance for producing the kind of ignition file that podman machine needs? I took a stab at it, and it disabled creation of the SSH connection information.

rhatdan (Member) commented Nov 16, 2021

@mtrmac @vrothberg Is this a case where we need to include the certs in the payload, or do we require the certs to be on the server side? I guess if you copied the certs into the VM this would work. Not sure what Docker is doing in this case.

@Conan-Kudo

In Docker Desktop, the certs are copied from the host into the VM that the true Docker daemon runs in. For Podman on Mac, we'd want the same thing (contents of ~/.config/containers/certs.d and ~/.config/docker/certs.d should be copied to the VM's /etc/containers/certs.d/ directory).
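An added example (not podman's own code, nor the code of the linked PR) of the copy rdean-csx and Conan-Kudo describe: it turns a host certs.d tree, keyed by "registry/file" and in practice read from ~/.config/containers/certs.d, into Ignition storage.files entries under /etc/containers/certs.d in the VM, embedding each file as a base64 data: URL. The certs.d file kinds (*.crt CA, *.cert/*.key client pair) and the file modes are assumptions made here.

```go
package main

import (
	"encoding/base64"
	"path/filepath"
	"sort"
)

// ignFile is one entry of Ignition's storage.files list (spec 3.x).
type ignFile struct {
	Path     string `json:"path"`
	Mode     int    `json:"mode"`
	Contents struct {
		Source string `json:"source"`
	} `json:"contents"`
}

// ignitionFiles maps a host certs.d tree (keys are "registry/file" relative
// paths, values are file bytes; in practice read from
// ~/.config/containers/certs.d) to files under /etc/containers/certs.d in the
// VM. Only the kinds containers/image reads from certs.d are kept: *.crt (CA
// bundle), *.cert and *.key (client pair). Assumed layout, not podman's code.
func ignitionFiles(certs map[string][]byte) []ignFile {
	rel := make([]string, 0, len(certs))
	for p := range certs {
		rel = append(rel, p)
	}
	sort.Strings(rel) // deterministic ordering of the generated entries
	var out []ignFile
	for _, p := range rel {
		ext := filepath.Ext(p)
		if ext != ".crt" && ext != ".cert" && ext != ".key" {
			continue // stray files never reach the VM
		}
		f := ignFile{Path: "/etc/containers/certs.d/" + p, Mode: 0644}
		if ext == ".key" {
			f.Mode = 0600 // client private key: owner-only in the VM
		}
		// Ignition accepts RFC 2397 data: URLs, so no network fetch is needed.
		f.Contents.Source = "data:;base64," + base64.StdEncoding.EncodeToString(certs[p])
		out = append(out, f)
	}
	return out
}
```

Marshalling the returned slice with encoding/json yields the "files" array of an Ignition "storage" section; the mode values serialise as the decimal integers (420, 384) Ignition expects.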

rhatdan (Member) commented Dec 26, 2021

@jwhonce @flouthoc Could either of you look into this?

@flouthoc (Collaborator)

@rhatdan I believe something like certs should not be done over the API. Instead it should be done while we are doing the machine init step, and we could pass certs via the ignition file.

Here is the PR: #12709

@flouthoc (Collaborator)

@Conan-Kudo @rdean-csx Could one of you please try the above PR on macOS? I can verify this on a Linux machine.

rhatdan (Member) commented Dec 27, 2021

I agree this should be done at init or start.


sherif84 commented Jan 26, 2022

Hi, can anyone share documentation or validation steps on macOS after this fix has been merged?

We are facing the same issue on macOS and I tried to build the 4.0.0-rc2 version, but I'm still running into the same issue where the certs are not copied inside the VM.

source code: https://github.com/containers/podman/archive/refs/tags/v4.0.0-rc2.tar.gz
built using directions in: https://github.com/containers/podman/blob/v4.0.0-rc2/build_osx.md (seems outdated though)

podman-4.0.0-rc2 % bin/darwin/podman version
Client:       Podman Engine
Version:      4.0.0-rc2
API Version:  4.0.0-rc2
Go Version:   go1.17.6

Built:      Wed Jan 26 04:37:51 2022
OS/Arch:    darwin/amd64

Server:       Podman Engine
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.16.8

Built:      Wed Dec  8 16:45:07 2021
OS/Arch:    linux/amd64

macOS host dir:

ls ~/.docker/certs.d
blr.docker.privateregistry.com				build-images-development.qa.docker.privateregistry.com	images.privateregistry.com

VM certs dir:

Last login: Wed Jan 26 04:40:26 2022 from 192.168.127.1
[core@localhost ~]$ ls /etc/containers/certs.d/
[core@localhost ~]$

Any suggestions? Am I missing something?

mheon (Member) commented Jan 26, 2022

The fact that the server in the VM is still on v3.4.4 definitely seems like a potential cause.

@sherif84

Yes, I was suspecting that. Are there any docs on how to build the server from source? The instructions here seem to only build the client.

mheon (Member) commented Jan 27, 2022

We're talking about how to get a VM image out with Podman v4.0 pre-installed, so folks can test by just swapping in a custom image. Building the image is easy, we just need to figure out how to distribute it; @baude is looking into it.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023