
Can't add root certificates #343

Closed
garthk opened this issue Aug 18, 2016 · 27 comments

Comments

@garthk

garthk commented Aug 18, 2016

Expected behavior

  • Ability to add root certificates in a persistent manner.

Actual behavior

$ docker pull cough:5000/whatever
Error response from daemon: Get https://cough:5000/v1/_ping: x509: certificate signed by unknown authority

docker run -t -i --rm -v /etc:/mnt/etc -w /mnt/etc alpine sh can be used to update /etc/ssl/certs as if update-ca-certificates had been run, but:

  • it doesn't help Docker
  • it disappears after restart

Similarly, dropping certificates into /etc/docker/certs.d under the /mnt doesn't help.

Information

Diagnostic ID: 4168FFD0-2A6A-4390-B7B7-22F705F5FD3F
Docker for Mac: 1.12.0-a (Build 11213)
macOS: Version 10.11.6 (Build 15G31)
[OK] docker-cli
[OK] app
[OK] moby-syslog
[OK] disk
[OK] virtualization
[OK] system
[OK] menubar
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux

@kitsushadow

The reference indicates Docker for Windows. Is the team working on Docker for Mac and Docker for Windows one and the same?

Also, how far down the roadmap is this? It is critical functionality in secure workspaces.

@djs55
Contributor

djs55 commented Aug 25, 2016

We're all on the same team.

A scheme for persistent SSL certs is fairly high up our priority list. Are these root certs in your Mac keychain (or could they be stored there)? We're considering automatically importing root certs present on the keychain into Moby.


@kitsushadow

kitsushadow commented Aug 25, 2016

We can store the certs as part of the keychain, yes. I believe that is the intuitive "go-to" for Mac users.

@kitsushadow

Heard yesterday the beta update is scheduled for Sept 6 @garthk

@alvarow

alvarow commented Sep 2, 2016

+1 here ... Either Keychain or a .docker/ca-bundle.pem file also work.

@KevinVecchione

Encountered this issue today on the stable track. Is this feature available in Beta as of today?

@kitsushadow

Pushed back to the next beta release.


@elainewu03

I also got a similar issue on OSX. How to fix it?

@kitsushadow

For now the simplest workaround is to add the registries as insecure registries.


@486

486 commented Sep 19, 2016

The access to my company's registry is only possible via HTTPS, and only with a Client Certificate. That's also a feature of /etc/docker/certs.d we would like to use on Mac and Windows.

@dsheets
Contributor

dsheets commented Sep 26, 2016

A patch for this is currently undergoing QA testing. Thanks for your patience.

@samoht
Contributor

samoht commented Oct 14, 2016

Docker for Mac uses the host certificates since Beta27, so closing.

@samoht samoht closed this as completed Oct 14, 2016
@kitsushadow

Perhaps before closing it you could provide instructions on how to implement it...

@kitsushadow

@samoht

@samoht
Contributor

samoht commented Oct 14, 2016

@kitsushadow please see the docs: https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates

@gloomybrain

@samoht the document you've provided says "Starting with Docker for Mac 1.12.1, 2016-09-16 (stable) ...". I have a fresh Docker installation on my Mac (1.12.1 build 12133) and I have our enterprise certificate imported into Keychain and marked as "always trust". But I still do not have the ability to download a Docker image from our private TLS-secured registry because of the "x509: certificate signed by unknown authority" error.
Is the linked document wrong, or is it a bug in the latest Docker build? Or maybe there are some special (unspecified) requirements on cert importing?
Any information on this topic will be highly appreciated.

@samoht
Contributor

samoht commented Oct 14, 2016

@gloomybrain sorry about that, our docs are wrong: CA integration with OSX keychain is only in the Beta channel (and will be in the next stable release next week).

@samoht samoht reopened this Oct 14, 2016
@samoht
Contributor

samoht commented Oct 14, 2016

I am re-opening the issue to keep track of fixing the docs.

@gloomybrain

@samoht Thanks a lot!

@kitsushadow

Thanks


@samoht
Contributor

samoht commented Oct 14, 2016

btw, our docs are now hosted on https://github.com/docker/docker.github.io/tree/master/docker-for-mac so you are very welcome to open a PR to fix that error :p

@alvarow

alvarow commented Oct 14, 2016

The docs state "Docker for Mac creates a bundle based on Keychain trusted certs and passes that bundle to Moby"... can you tell us how often it does that? Is it every time you start Docker for Mac, is it one time, or is it whenever it gets installed or updated?

Thanks
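As an added example (not from this thread and not Docker's own code), a check for the question above and for the "trusted in Keychain, still rejected by the daemon" reports: it compares the SHA-256 fingerprints of the roots exported from the Keychain with those in the bundle the daemon was handed, so a root that never made it into the bundle shows up by fingerprint rather than by name. It assumes two PEM files obtained outside the script (e.g. `security find-certificate -a -p /Library/Keychains/System.keychain > keychain.pem` for the export; where the generated bundle lives depends on your installation and is not stated in this thread), and the certificate bodies embedded below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import sys

# One certificate in a PEM bundle; a bundle is just several of these concatenated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_to_der_blocks(pem_text):
    """Split a PEM bundle into the DER bytes of each certificate (tolerates CRLF)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def missing_roots(keychain_pem, bundle_pem):
    """Fingerprints present in the Keychain export but absent from the daemon's bundle.
    Fingerprints are compared rather than subject names: an old and a re-issued
    enterprise root can share a subject while being different keys."""
    in_bundle = {sha256_fingerprint(der) for der in pem_to_der_blocks(bundle_pem)}
    exported = {sha256_fingerprint(der) for der in pem_to_der_blocks(keychain_pem)}
    return sorted(exported - in_bundle)

def make_pem(der):
    """Wrap bytes in PEM framing (64-column base64); used only to build sample input."""
    body = base64.b64encode(der).decode("ascii")
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

# Constructed sample input: NOT real certificates, just bytes in PEM framing,
# enough to exercise the splitting and the fingerprint comparison.
ROOT_A = b"constructed placeholder for a public CA root, not a real certificate"
ROOT_B = b"constructed placeholder for an enterprise root, not a real certificate"
KEYCHAIN_PEM = make_pem(ROOT_A) + make_pem(ROOT_B)   # both trusted in the Keychain
BUNDLE_PEM = make_pem(ROOT_A).replace("\n", "\r\n")  # daemon bundle lacks ROOT_B

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py keychain.pem bundle.pem
        with open(sys.argv[1]) as k, open(sys.argv[2]) as b:
            keychain, bundle = k.read(), b.read()
    else:
        keychain, bundle = KEYCHAIN_PEM, BUNDLE_PEM
    for fp in missing_roots(keychain, bundle):
        print("trusted in Keychain but missing from daemon bundle:", fp)
```

Run with no arguments to see the constructed case report ROOT_B as missing; with the two exported files it reports any Keychain root the daemon's bundle lacks, which you can match against `openssl x509 -noout -fingerprint -sha256` output for the root you imported.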

@ijc
Contributor

ijc commented Nov 18, 2016

I believe this fix was in the 1.12.3 stable release.

@valentin-krasontovitsch

valentin-krasontovitsch commented Oct 26, 2017

Unfortunately I'm gonna have to report on this again: the original error appears with the latest (at the moment) edge version; downgrading to stable fixes the problem.

Unfortunately I have uninstalled edge, but if you need more information, let me know, I'll reinstall...

Does this actually work, reporting here? Does anybody get notified about new comments on a closed issue?

@tagirb

tagirb commented Nov 2, 2017

Confirming this issue:

$ curl -I https://docker.<our_domain>/v2/
HTTP/2 200
...
$ docker pull docker.<our_domain>/<our_image>:latest
Error response from daemon: Get https://docker.<our_domain>/v2/: x509: certificate signed by unknown authority
$ docker --version
Docker version 17.10.0-ce, build f4ffd25

@SailingYYC

I have the organizational root cert set to Trust Always in the System keychain (All Users).

I concur with @kitsushadow: Mac users and enterprises usually use mechanisms (MDM, EDM, GPO, etc.) to publish their organizational root certs into the OS's root store, and that should be the preferred location.

Confirming this issue as well:

$ curl -I https://docker.<our_domain>/v2/
HTTP/2 200 
...

$ docker login docker.<our_domain> -u ccyr
Password: 
Error response from daemon: Get https://docker.<our_domain>/v2/: x509: certificate signed by unknown authority

$ docker --version
Docker version 17.09.0-ce, build afdb6d4

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jun 19, 2020