Regression: "certificate signed by unknown authority" on docker login #2201

Closed
etoews opened this issue Nov 6, 2017 · 4 comments

Comments

@etoews
commented Nov 6, 2017

Expected behavior

On Docker.app: version: 17.09.0-ce-mac35 (69202b202f497d4b6e627c3370781b9e4b51ec78)

$ docker login registry.example.com
Username: foo
Password:
Login Succeeded

Actual behavior

On Docker.app: version: 17.11.0-ce-rc2-mac37 (a38d9cd48bd0ee31ec82c59b783aa2f2817bfb92)

$ docker login registry.example.com
Username: foo
Password:
Error response from daemon: Get https://registry.example.com/v2/: x509: certificate signed by unknown authority

Information

Using the exact same registry with the same CA and certificate, I ran into this problem on the Docker for Mac Edge Channel.

$ /Applications/Docker.app/Contents/Resources/bin/docker-diagnose -u
macOS: version 10.12.6 (build: 16G29)
Docker.app: version: 17.11.0-ce-rc2-mac37 (a38d9cd48bd0ee31ec82c59b783aa2f2817bfb92)
Local time: Mon Nov  6 10:35:01 CST 2017
UTC:        Mon Nov  6 16:35:01 UTC 2017
Timestamp:  20171106-103501
Running diagnostic tests:
[OK]      docker-cli
[OK]      Moby booted
[OK]      driver.amd64-linux
[OK]      vmnetd
[OK]      osxfs
[OK]      db
[OK]      vpnkit
[OK]      disk
[OK]      menubar
[OK]      environment
[OK]      Docker
[OK]      VT-x
[OK]      kern.hv_support

Steps to reproduce the behavior

My CA, cert, and key are all ephemeral so I don't mind sharing them.

  1. Run a registry using registry.crt (which has already been signed by ca.crt) and registry.key.
  2. Install the CA on your Mac: `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain` [ca.crt](https://gist.github.com/everett-toews/3c6f555004dfbf004f926f1850533287#file-ca-crt)
  3. Attempt a `docker login registry.example.com` (the username/password you use won't even matter)

I suspect this is related to #2185

@guillaumerose

Member

commented Nov 9, 2017

This is a regression in the current edge version. When we switched to linuxkit, we missed the part where we copy client certs in the VM.

@SailingYYC


commented Nov 10, 2017

I've been experiencing the exact same problems but in stable. We utilize 5 enterprise root certificates which are all present in the System keychain.

Information

$ /Applications/Docker.app/Contents/Resources/bin/docker-diagnose -u
macOS: version 10.13.1 (build: 17B48)
Docker.app: version: 17.09.0-ce-mac35 (69202b202f497d4b6e627c3370781b9e4b51ec78)
Local time: Fri 10 Nov 2017 15:42:53 MST
UTC:        Fri 10 Nov 2017 22:42:53 UTC
Timestamp:  20171110-154253
Running diagnostic tests:
[OK]      docker-cli
[OK]      Moby booted
[OK]      driver.amd64-linux
[OK]      vmnetd
[OK]      osxfs
[OK]      db
[OK]      vpnkit
[OK]      disk
[OK]      menubar
[OK]      environment
[OK]      Docker
[OK]      VT-x
[OK]      kern.hv_support

Steps to reproduce the behavior

Run a registry using registry.crt (which has already been signed by ca.crt) and registry.key.
Install the CA on your Mac:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca1.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca2.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca3.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca4.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca5.crt

Attempt a `docker login registry.example.com`.

@guillaumerose

Member

commented Nov 17, 2017

Can you try with the version released today? It should be fixed.

https://download.docker.com/mac/edge/20423/Docker.dmg

@etoews

Author

commented Nov 17, 2017

Yep!

Confirmed it's now working on

Version 17.11.0-ce-rc4-mac39 (20423)
Channel: edge
e557194136

Thanks!

@etoews etoews closed this Nov 17, 2017
