Hostname in server cert doesn't contain internal IP

[rhuss]

When I try to contact the docker host from within a container via the its gateway IP obtained via

 host=$(ip route show 0.0.0.0/0 | grep -Eo 'via \S+' | awk '{print $2}');

and using SSL I get this error message

hostname in certificate didn't match: <172.17.42.1> != <127.0.0.1> OR 
<10.0.2.15> OR <192.168.59.103>

I'm not so deep into the docker network stack, but couldn't it be possible to include the internal gateway IPs into the generated server certificate as well ?

[rhuss]

• Docker version: 1.6.2
• Docker info:

Containers: 12
Images: 274
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 298
 Dirperm1 Supported: true
Execution Driver: native-0.2
Kernel Version: 4.0.2-boot2docker
Operating System: Boot2Docker 1.6.1 (TCL 5.4); master : 43209d4 - Thu May  7 22:06:28 UTC 2015
CPUs: 8
Total Memory: 1.957 GiB
Name: boot2docker
ID: FFSP:JKJX:IZYG:AP4Y:E2JU:K5G2:YUOZ:C7CR:SJYA:NN74:6Y45:IB3W
Debug mode (server): true
Debug mode (client): false
Fds: 19
Goroutines: 34
System Time: Sat Jun 13 00:01:45 UTC 2015
EventsListeners: 0
Init SHA1: 2dabfc43e5f856a0712787a6ff78ceaf791cc9e7
Init Path: /usr/local/bin/docker
Docker Root Dir: /mnt/sda1/var/lib/docker
Username: jolokia
Registry: [https://index.docker.io/v1/]

• Additional Info: Docker is running in boot2docker

Steps to reproduce:

• Enabcle TCP listening on the docker daemon and SSL
• Start a container with an internal docker client (e.g. jolokia/docker-reveal) and mount your client certs as volumes (e.g. docker run -ti -v ~/.boot2docker/certs/boot2docker-vm/:/certs jolokia/docker-reveal sh)
• Run

host=$(ip route show 0.0.0.0/0 | grep -Eo 'via \S+' | awk '{print $2}');
export DOCKER_HOST=tcp://${host}:2376
export DOCKER_CERT_PATH=/path/to/certs
export DOCKER_TLS_VERIFY=1

• Then try a docker command within this container (e.g. like docker images)
• Result:

/slides # docker images
FATA[0000] An error occurred trying to connect: Get https://172.17.42.1:2376/v1.18/images/json: 
x509: certificate is valid for 127.0.0.1, 10.0.2.15, 192.168.59.103, not 172.17.42.1

I would expect that the internal ip 172.17.42.1 would be included in the server cert that the docker daemon uses.

[jamshid]

Agreed, would be great if there were a docker client option like DOCKER_TLS_VERIFY but it should not validate that the hostname/ip matches the cert. I know that's usually not a good idea but seems okay here because the client is providing the cert that is expected, so it's not susceptible to MitM.

In my case I'm trying to configure a jenkins container to use the docker server on which it's running. Would simply share /var/run/docker.sock to the container, but that doesn't work with the jenkins user for some strange reason. And I don't want to change the docker server configuration (https://issues.jenkins-ci.org/browse/JENKINS-24338).

[ChrisPearce]

It would be very helpful if the internal ip 172.17.42.1 was included in the server cert

[Sigurthorb]

Hey, I think this is connected to my issue #19112 can you verify that this is the issue that I am having?
If i am reading this correctly though it seems that this is the other way around, my cert is registered on the internal static ip of my server instead of my host name(external network ID)

[thaJeztah]

Looks like this was related to boot2docker, which is deprecated. Let me close this ticket for now, as it looks like it went stale.