docker-compose in toolbox doesn't work

[ozbillwang]

Run any docker-compose command, got below ssl error.

$ docker-compose ps
SSL error: no appropriate commonName or subjectAltName fields were found

docker-compose was installed by docker toolbox. I didn't have this issue before when run docker-compose directly.

$ docker-compose version
docker-compose version: 1.4.0
docker-py version: 1.3.1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
Behind proxy

[jmorganca]

@aanand any ideas? Can't seem to find much existing info about this.

[aanand]

Very strange. @SydOps, are you using the standard VirtualBox VM provisioned by Machine as part of the toolbox setup?

ping @ehazlett @nathanleclaire - has anything changed about SSL certificates recently or in Toolbox?

[ehazlett]

Hmm not that I'm aware of. @SydOps could you try using the "regenerate-certs" and in machine to see if that helps? This can happen if the IP changes but usually it's a different error.

[ozbillwang]

@ehazlett

No fix.

$ eval $(docker-machine env proxy )

$ docker-machine regenerate-certs proxy
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates

$ cat  docker-compose.yml
web:
  image: jamtur01/composeapp
  command: python app.py
  ports:
    - "5000:5000"
  volumes:
    - .:/composeapp
  links:
    - redis
redis:
  image: redis

$ docker-compose ps
SSL error: no appropriate commonName or subjectAltName fields were found

proxy is the docker machine I create manually in office to avoid proxy issue.

[ehazlett]

What does echo $DOCKER_HOST and echo $DOCKER_CERT_PATH report?

On Tuesday, September 1, 2015, Bill W notifications@github.com wrote:

@ehazlett https://github.com/ehazlett

No fix.

$ docker-machine regenerate-certs proxy
Regenerate TLS machine certs? Warning: this is irreversible. (y/n): y
Regenerating TLS certificates

$ cat docker-compose.yml
web:
image: jamtur01/composeapp
command: python app.py
ports:
- "5000:5000"
volumes:
- .:/composeapp
links:
- redis
redis:
image: redis

$ docker-compose ps
SSL error: no appropriate commonName or subjectAltName fields were found

—
Reply to this email directly or view it on GitHub
#124 (comment).

[ozbillwang]

@ehazlett

$ echo $DOCKER_HOST
tcp://192.168.99.100:2376

$ echo $DOCKER_CERT_PATH
/Users/bill/.docker/machine/machines/proxy

$ pwd
/Users/bill/.docker/machine/machines/proxy

$ ls -lctr
total 27301184
-rw-r--r--  1 bill  staff     29360128 18 Aug 11:33 boot2docker.iso
-rw-------  1 bill  staff          381 18 Aug 11:34 id_rsa.pub
-rw-------  1 bill  staff         1675 18 Aug 11:34 id_rsa
drwx------  5 bill  staff          170  2 Sep 10:58 proxy
-rw-------  1 bill  staff         1679  2 Sep 11:21 key.pem
-rw-r--r--  1 bill  staff         1050  2 Sep 11:21 cert.pem
-rw-r--r--  1 bill  staff         1025  2 Sep 11:21 ca.pem
-rw-r--r--  1 bill  staff         1086  2 Sep 11:21 server.pem
-rw-------  1 bill  staff         1679  2 Sep 11:21 server-key.pem
-rw-------  1 bill  staff         1671  2 Sep 11:24 config.json
-rw-------  1 bill  staff  13948813312  2 Sep 13:02 disk.vmdk

[ehazlett]

Thanks! And what about "docker-machine ls"

On Tue, Sep 1, 2015 at 11:18 PM, Bill W notifications@github.com wrote:

$ echo $DOCKER_HOST
tcp://192.168.99.100:2376

$ echo $DOCKER_CERT_PATH
/Users/bill/.docker/machine/machines/proxy

—
Reply to this email directly or view it on GitHub
#124 (comment).

[marzolfb]

Had the same issue as @SydOps. Fixed it by adding "192.168.99.100" to no_proxy environment variable.

[ozbillwang]

Thanks, @marzolfb

Since any manual proxy related setting will be overrided in docker own virtual system (#102), do you mean I need re-create a new machine with no_proxy environment set?

How can migrate the exist images and containers from old machine proxy?

[marzolfb]

@SydOps There are proxy settings for your host machine where you run docker-compose from and then there are proxy settings established within the guest (boot2docker) VM. The proxy settings on the guest are irrelevant because the communication break is happening between host machine and guest VM (192.168.99.100). Here's my lame attempt at an ascii illustration:

communication path without no_proxy set correctly:
my host machine (docker-compose) --> my proxy server --> BLOCKED (because my proxy doesn't know what to do with 192.168.99.100) --> guest (boot2docker) VM

communication path with no_proxy set correctly:
my host machine (docker-compose) --> guest (boot2docker) VM

You can set the no_proxy environment variable in your .profile file (on your host machine) to make it "permanent".

[george-carlin]

I just had this same error while running docker-compose. I'm completely new to docker and pretty out of my depth here - setting NO_PROXY like in @marzolfb's answer fixed it

To help any future Googlers, here's the steps I followed stated as explicitly as possible:

1. echo $DOCKER_HOST. This should return a URL, in my case tcp://192.168.99.100:2376.

2. Take the "IP" part of the URL, in my case 192.168.99.100, and add it to the NO_PROXY env variable:

   export NO_PROXY=192.168.99.100
   

I still don't understand how to use Docker, but this at least got me one step closer to figuring it out!

[marzolfb]

@georgemillo If you want to do it one fell swoop you can do this:

export NO_PROXY=$(docker-machine ip [machine-name])

for example:

export NO_PROXY=$(docker-machine ip default)

The one thing to be careful here is that if you already have something in NO_PROXY, this will overwrite it. If you do already have a NO_PROXY value established, you would want to do this instead:

export NO_PROXY=$NO_PROXY,$(docker-machine ip [machine-name])

Also, not sure if you've tried to search for container images (docker search) or tried to pull or run containers but since its obvious you are behind a proxy, you may at some point find this StackOverflow question useful.

[ozbillwang]

@marzolfb

Thanks for the help. My issue was fixed with NO_PROXY setting.

To: all:

Will I accept this as solution, or I keep it open until Docker to fix in toolbox?

[george-carlin]

since its obvious you are behind a proxy

... ah yes, of course. The reason I was having these problems in the first place was because I was behind a VPN (in my case Hotspot Shield.) After turning off Hotspot Shield, docker-compose build works fine without the need for a NO_PROXY env variable.

I either need more caffeine or less, not sure which...

[marzolfb]

While using the NO_PROXY environment variable fixes it, I will say I think the error message that started this issue is fairly misleading. It is true that there is an "SSL error" but it is overly-presumptuous because the real issue is a general lack of connectivity from the docker-compose client to the docker daemon running on the boot2docker vm. Maybe closing this issue and opening a new one to make the error message more generic is warranted here?

[stefanofiorentino]

The only working way i found is defining

$> export NO_PROXY=$DOCKER_IP
before
$> docker-compose up

where DOCKER_IP is the address of default docker-machine, in my case 192.168.99.100

[nathanleclaire]

FYI folks, docker-machine env --no-proxy will include a NO_PROXY environment variable automatically.