x509: certificate is not valid for any names, but ... #248
Got error message:
I checked the CA and server certs several times with multiple tools. Everything is valid and contents look fine. CN is properly set. I have also written a small GO script, making a TLS connection to the given host with no such error message.
Turning on logging and debug for docker engine gave no more helpful information.
Digging into the GO x509 source code reveals no hint as to why there shouldn't be any names in the server certificate.
Steps to reproduce the behavior
Add CA certificate to
Additional environment details (AWS, VirtualBox, physical, etc.)
Could the registry be redirecting to an auth server, for which that certificate may not be valid? For example: https://docs.docker.com/registry/spec/auth/token/#requesting-a-token. Is that a possibility, or is it just htpasswd?
There is no redirect and only Basic Auth.
I can reproduce this on a plain Centos 7 installation without modifications. Attached the Vagrant file and some bootstrap script to recreate the VM.
The error occurs even without the CA certificate, which means before the certificate chain is validated.
Did some further research and changed the bootstrap.sh to not install the latest docker-ce version, but 17.09.
Now everything works as expected (after manually adding the CA certificate).
What is the difference between docker-ce 17.12 and 17.09? The GO version (1.8.3 vs. 1.9.4)?
@gibma Thanks for trying all of this out and providing the vagrant info! I tested your vagrant setup against a registry I spun up with a self-signed CA-signed server cert, and I am not getting the same error, so we may have to just dig into the code some more to see where else it may be making connections. I just wanted to comment so you know you are not being ignored.
@cyli Thank you for taking care of it. I do not want to rule out that our certificate is the cause, but I have no idea how to figure this out. Unfortunately, I can not provide it for privacy reasons, and our registry is not accessible from the Internet anyway.
If I can help in any way to find the cause, let me know.
Argh... Found it. The problem is not with Docker, but with golang. I will create an issue there.
Our certificate has the following attributes:
So when docker (17.12) is verifying the certificate, the following golang (1.9) code is executed: (https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/x509/verify.go)
It checks if the extension is present (it is), and joins the alternate DNSNames (which we don't have, only IP addresses). So after this, valid is empty and the error is thrown.
These lines of code have actually changed between golang 1.8 and golang 1.9. In golang 1.8, the following was executed:
Here, the if clause does not match, and the c.Subject.CommonName is used. (and is valid).
Therefore this issue can be closed. Thanks for your support!
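As an added example (not code from this issue, from Docker or from the Go project), the following Go program reproduces the name-matching behaviour the thread traced: a self-signed certificate with a CN and only IP SANs (hostname and IP are placeholders, the certificate is constructed test data) is checked with Go's own VerifyHostname, first against the DNS name clients use and then again after a DNS SAN is added. Current Go releases ignore the CN entirely, so the failing case still produces the exact message from the issue title.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert: throwaway self-signed cert (constructed test data); ips set and dns empty gives the issue's shape: CN set, SAN extension with IPs only.
func makeCert(cn string, ips []net.IP, dns []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		IPAddresses:  ips,
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameCheck runs Go's own VerifyHostname (the code path the issue traces) and returns its error text, or "" when the name matches.
func HostnameCheck(cn string, ips []net.IP, dns []string, host string) string {
	cert, err := makeCert(cn, ips, dns)
	if err != nil {
		return err.Error()
	}
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	fmt.Println(HostnameCheck("registry.example.internal", []net.IP{net.ParseIP("10.0.0.5")}, nil, "registry.example.internal"))                                 // CN ignored because a SAN extension exists: "x509: certificate is not valid for any names, but wanted to match registry.example.internal"
	fmt.Println(HostnameCheck("registry.example.internal", []net.IP{net.ParseIP("10.0.0.5")}, []string{"registry.example.internal"}, "registry.example.internal")) // fixed certificate with a DNS SAN: ""
}
```

The fix on the certificate side is therefore to reissue it with a dNSName SAN for every hostname clients connect with, rather than relying on the CN.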