Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Daemon won't start when tls feature is applied #2663

musicaudience opened this issue Mar 5, 2018 · 2 comments


Copy link

commented Mar 5, 2018

Expected behavior

Daemon is running with tls feature applied.

Actual behavior

Daemon won't start( it's always starting) when tls feature configured.



it's starting more than 2 hours.

the latest log it prints:

  • Full output of the diagnostics from "Diagnose & Feedback" in the menu
    Docker for Mac: version: 17.12.0-ce-mac55 (18467c0ae7afb7a736e304f991ccc1a61d67a4ab)
    macOS: version 10.13.3 (build: 17D102)
    logs: /tmp/6DDE7673-1DF0-4B04-8747-C15BDA9B8110/20180305-193424.tar.gz
    failure: docker ps failed: (Failure "docker ps: timeout after 10.00s")
    [OK] vpnkit
    [OK] vmnetd
    [OK] dns
    [OK] driver.amd64-linux
    [OK] app
    [OK] virtualization VT-X
    [OK] moby
    [OK] system
    [OK] moby-syslog
    [OK] kubernetes
    [OK] env
    [OK] virtualization kern.hv_support
    [OK] moby-console
    [OK] osxfs
    [OK] logs
    [ERROR] docker-cli
    docker ps failed
    [OK] disk
    Failure: Could not upload diagnostic data to remote server (docker-diagnose exit code is 1)

You can also run diagnostics manually :
$ /Applications/ -u

  • A reproducible case if this is a bug, Dockerfiles FTW
    below is my daemon configuration:
    "debug" : true,
    "tlskey" : "/Users/test_user/.ssh/trauto/server-key.pem",
    "tlscert" : "/Users/test_user/.ssh/trauto/server-cert.pem",
    "experimental" : false,
    "tlsverify" : true,
    "tlscacert" : "/Users/test_user/.ssh/ca/root/ca-cert.pem",
    "log-level" : "debug"

below are my scripts used to generate certs and keys:

rm -f ls ./ | egrep -iv "^$"
openssl genrsa -aes256 -passout pass:$PASS -out ca-key.pem 4096
openssl req -passin pass:$PASS -new -x509 -key ca-key.pem -out ca-cert.pem -sha256 -days 7500 -subj "/C=CN/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx/CN=xxxx"
chmod -v 0400 ca-key.pem
chmod -v 0444 ca-cert.pem**

rm -f ls ./ | egrep -iv "^$"


openssl genrsa -out server-key.pem 4096
openssl req -new -key server-key.pem -out server.csr -sha256 -subj "/C=CN/ST=Shanghai/L=Shanghai/O=xxx/OU=xxx/"

echo subjectAltName =,DNS:*,IP: >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf

openssl x509 -sha256 -CAcreateserial -passin pass:$CAPASS -req -CA $CAPATH/ca-cert.pem -CAkey $CAPATH/ca-key.pem -in server.csr -out server-cert.pem -days 7500 -extfile extfile.cnf

rm server.csr
rm extfile.cnf
rm .srl

chmod -v 0400 server-key.pem
chmod -v 0444 server-cert.pem

Steps to reproduce the behavior

  1. generate keys and certs using above scripts(replace few fields).
  2. configure docker daemon like above.
  3. restart docker.

This comment has been minimized.

Copy link

commented Mar 13, 2018

Thanks for your report. It looks like adding --tls* options disables the Unix domain socket (/var/run/docker.sock) used by to talk to the dockerd.

I've made a prototype fix for this. If you'd like to test it then the experimental build is here:

It should identify (Whale Menu -> About) as

  • Version 18.03.0-ce-rc3-mac56 (23273)
  • Channel: pr
  • ecf1dd665d

Note that

  • it's not suitable for production use
  • it might offer an auto-upgrade: do not accept, as the upgraded build will be another experimental build which lacks the fix.

Let me know if this build works for you.


This comment has been minimized.

Copy link

commented Mar 28, 2018

@djs55 thanks, it works well for me now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.