Recommended way to install CA certificate on local VM docker machine #1799

Open
vpusher opened this Issue Sep 3, 2015 · 31 comments

@vpusher

vpusher commented Sep 3, 2015

Commonly, a company's root CA certificates are installed by IT on developers' machines and servers (they do not come with the OS). When using docker-machine with local VMs (VirtualBox), do we need to install the company root CA certificate on the VM to talk with a Docker registry hosted on the company's network?

I'm wondering what the recommended way to install a CA certificate on my local VM is. There seems to be the beginning of an answer here, but nothing convincing/proper.

And if there are intermediate company CAs, what's the recommended way? Bundle all the certs?

@oobles

oobles commented Sep 4, 2015

I'd also like to know this. I've followed the procedure (https://docs.docker.com/articles/https/) to create a new CA and certificates. I've tried putting files in /var/lib/boot2docker and /var/lib/boot2docker/tls but am having trouble with the /etc/init.d/docker start script overwriting the certificate I've generated.

@oobles

oobles commented Sep 4, 2015

I've looked into this a bit more and it looks like docker-machine will overwrite anything in the host .docker/machines/machine/default with certificates it generates. It also replaces files in the boot2docker vm in /var/lib/boot2docker. It is possible to login and replace files in the vm and update /var/lib/boot2docker/profile but this is also replaced on startup (not sure by what, but possibly by 'docker-machine env default').

@ehazlett
Member

ehazlett commented Sep 11, 2015

@oobles you should be able to use the --tls-ca-cert, --tls-cert and --tls-key options to specify existing certificates.

@vpusher
Author

vpusher commented Sep 16, 2015

When using docker-machine --tls-ca-cert=my_company_ca.pem create --driver virtualbox vm, the command fails with:

Error creating machine: error generating server cert: crypto/tls: private key does not match public key

The point here (and I guess in most companies) is that I can't give the --tls-ca-key option because I do not manage the company CA, so I do not know the private key.

What am I missing here? Are those options only useful for people managing their own CA, signing their own certificates?

I just want my Docker client (on my VM) to docker login to our company registry, which presents a certificate signed by the company CA.

Any help?

@kakawait

kakawait commented Sep 28, 2015

Same problem here, any improvements?

@smiler

smiler commented Dec 1, 2015

+1. Same problem in our organisation.

@cesarhernandezgt

cesarhernandezgt commented Dec 1, 2015

The way I worked around the situation was:
On the Registry Server:

  1. create the self-signed certificates as stated in the docker documentation.
  2. create a .pem file concatenating the key and cert files

On the Docker Machine:

  1. copy the pem file via scp to docker@xxx.xxxx.xxx.xxx:/home/docker
  2. via ssh docker@xxx.xxxx.xxx.xxx (password: tcuser), move the pem file to: /var/lib/boot2docker/certs/
  3. Restart the Docker machine

@dkirrane

dkirrane commented Mar 31, 2016

My container builds hit "unable to find valid certification" when downloading over an https connection. My company uses an intermediate ZScaler CA root cert and also uses a PAC file to automatically configure the proxy.

@ghost

ghost commented Apr 25, 2016

+1 on this. If it were possible to re-use an existing CA (cert and key) and client certificates (cert and key), it really should be possible to re-use existing TLS infrastructure when deploying certificates to docker engine with docker-machine, e.g.

  • --tls-server-cert
  • --tls-server-key
docker-machine create -d ... \
  --tls-ca-cert cacert.pem \
  --tls-ca-key cacert.key \
  --tls-client-cert local_user.pem \
  --tls-client-key local_user.key \
  --tls-server-cert server.pem \
  --tls-server-key server.key

Error creating machine: Error running provisioning: error generating server cert: crypto/tls: failed to parse private key kicks in for me because cacert.key is password protected.

@danielwhatmuff

danielwhatmuff commented Apr 28, 2016

+1

@wadetandy
Contributor

wadetandy commented May 16, 2016

👍, as this is a major blocker for us. Our enterprise IT organization puts a custom HTTPS cert on all requests going from inside our corporate firewall to the public internet, so we cannot even contact Docker Hub for containers without being able to configure these certs correctly.

@reustonium

reustonium commented Aug 11, 2016

Has anybody found a solution to this yet? Our enterprise IT does a MitM to replace all HTTPS certs.

When I tried
docker-machine --tls-ca-cert root.cer create --driver virtualbox default
it throws the following error

Error creating machine: Error running provisioning: error generating server cert: crypto/tls: private key does not match public key

@wadetandy
Contributor

wadetandy commented Aug 12, 2016

I ended up skipping the tls cert at machine creation time. Once the machine is created:

docker-machine scp certfile default:ca.crt
docker-machine ssh default
sudo mv ~/ca.crt /etc/docker/certs.d/docker.io/ca.crt

Then it should work. You may have to mkdir the subdirectories before the mv command. Substitute docker.io for an internal registry host if necessary.


@rpomeroy

rpomeroy commented Nov 29, 2016

+1 GE is using Zscaler and doing MitM cert mangling, and docker is unusable from all of our developer machines right now.

@ecottd

ecottd commented Dec 7, 2016

+1, trying to solve this right now too.

@Ettery

Ettery commented Dec 21, 2016

+1, also trying to solve this in a corporate environment

@mikehaller

mikehaller commented Jan 11, 2017

+1, also a corporate environment; the proxy does MitM cert mangling. Need a way to install certs.

@rpomeroy

rpomeroy commented Jan 13, 2017

This took a lot of digging and the solution is embarrassingly simple (but not obvious). And there are a couple things to note. The answer was here - but you have to read past the code section to the alternative approach.

Basically, copy pem (Base64 encoded) versions of your CA trust chain into /var/lib/boot2docker/certs/. You can't use CA bundles. The boot2docker boot script will automatically pick up pem files there and add them to the SSL config. Also, this is a special directory and will be preserved across restarts.

$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default 

This should be simpler so I support (#1799). Furthermore, we should be able to specify a directory full of pem files so adding multiple certs (as in whole trust chains) is easy.

@mlushpenko

mlushpenko commented Mar 3, 2017

@rpomeroy thanks a lot. I was doing all the same but didn't know that a VM restart was needed, and because of that I was copying the certificate all over the place to make it work.

@dkirrane

dkirrane commented Jul 18, 2017

Any fix for Docker for Windows?

@MaxCCC

MaxCCC commented Feb 6, 2018

@rpomeroy Thanks. Is importing the company root CA into our docker machine enough to make our registry accessible? Or do we also need to put stuff in /etc/docker/certs.d/hostname/?

@rpomeroy

rpomeroy commented Feb 6, 2018

As mentioned earlier in the thread, the Linux distro underneath boot2docker is basically immutable, so putting stuff in /etc/docker/certs won't survive. Only /var/lib/boot2docker/certs is mutable and persistent. Note that all this info may need to be re-verified with newer versions of boot2docker.

@ghost

ghost commented Feb 19, 2018

I'm running Windows 7 + VirtualBox (v5.2.6) + Docker Toolbox (Boot2Docker version 18.02.-ce) and had the same issue.
For example, when trying to run a container I get the following error:

docker run ubuntu /bin/echo 'Hello world'
Unable to find image 'ubuntu:latest' locally
C:\Program Files\Docker Toolbox\docker.exe: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'C:\Program Files\Docker Toolbox\docker.exe run --help'.

The following solution worked for me:

  1. Log in to the default docker VM
  2. Download your company root certificates
  3. Create a new dir:
    sudo mkdir /var/lib/boot2docker/certs
  4. Copy your company root certificates to the newly created folder:
    sudo cp Root-Ca1.crt Root-Ca2.crt /var/lib/boot2docker/certs
  5. Reboot the default VM
    Now it's pulling the image :)

@rachmadideni

rachmadideni commented Mar 13, 2018

@kvvoronina I'm facing the same problem as you, except I'm running Docker Toolbox on Win 8.1.
I'm trying to use your steps, but I'm using a direct connection (meaning I can't provide any company root certificates in steps 2 & 4). How do I solve this? Thanks

@Ubel

Ubel commented May 15, 2018

Hello,

thanks ghost, it works and I can pull my image now.
But I can't build the image from this example: https://docs.docker.com/get-started/part2/#build-the-app
I get this error:

Step 4/7 : RUN pip install --trusted-host pypi.python.org -r requirements.txt
 ---> Running in b700eb53b7b2
Collecting Flask (from -r requirements.txt (line 1))
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/

Do you have an issue for that?

@cmenjivar

cmenjivar commented May 18, 2018

Ubel, I'm having the same issue. I got images to pull, but I can't build images using the docker get started walk-through. Were you able to overcome the issue?

@Ubel

Ubel commented May 22, 2018

@cmenjivar : No, I still have the same problem...

@cmenjivar

cmenjivar commented May 24, 2018

@Ubel: I found a solution. In your Dockerfile, just add all 3 Python package hosts, instead of just one...

RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org -r requirements.txt

@Ubel

Ubel commented May 25, 2018

@cmenjivar: thanks for your help. It's working for me too.

Now I need to try the same thing with the nuget package URL

@user135711

user135711 commented Jun 9, 2018

Could someone update this for a Windows host and Windows containers?

@TJM

TJM commented Oct 29, 2018

For what it's worth, @rpomeroy has the correct answer...

Issue the following commands in the "Docker Quickstart Terminal" if you are on Windows, to ensure you have the appropriate environment. The "$" is the prompt, don't paste that part. You may want to issue a cd ~/Downloads to get to your Downloads folder before running the commands below. You can repeat the two middle steps (corp-ca.pem) for each Certificate Authority you need to add (intermediate or otherwise), just give them a different name. You can also use a wildcard, for example corp-*.pem if you had corp-ca-root.pem, corp-ca-intermediate.pem and corp-issuing-ca.pem.

copied from @rpomeroy above:

$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default 

Folks that are trying to use --tls-cert, --tls-key and --tls-ca-cert are using incorrect options. Those are for authentication between the docker client and server.

The only point I would like to make is that the filesystems in /etc are not "immutable" really, they are actually "ephemeral" (tmpfs), meaning they will go away for each reboot. The information in /var/lib/boot2docker/certs will be repopulated into the correct place in /etc/docker/certs...

Anyhow, it would be nice if the docker-machine would automatically trust any certs that the host system trusts.
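As an added example, written for this page and not posted by any participant in the thread, the following POSIX shell script automates the procedure that @rpomeroy and @TJM describe for a whole trust chain: it splits a CA bundle into single-certificate PEM files (since the boot script does not accept bundles in /var/lib/boot2docker/certs/), copies each one into the VM with docker-machine, and restarts it. The machine name default, the docker-machine CLI being on PATH and the file name prefix corp-ca are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a CA bundle into one PEM file per
# certificate (boot2docker only picks up single-cert PEM files from
# /var/lib/boot2docker/certs/), copies them into the VM and restarts it.
# Assumes docker-machine is on PATH; the machine name defaults to "default".
set -eu

# split_pem_bundle BUNDLE OUTDIR [PREFIX]
# Writes OUTDIR/PREFIX-NN.pem per certificate and prints how many were written.
split_pem_bundle() {
    bundle="$1"; outdir="$2"; prefix="${3:-corp-ca}"
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/%s-%02d.pem", dir, pfx, n); inside = 1
        }
        inside { print > out }                 # copy only the PEM block itself,
        /-----END CERTIFICATE-----/ {          # not subject= lines between blocks
            inside = 0; close(out)
        }
        END { print n + 0 }                    # 0 if the file held no certificate
    ' "$bundle"
}

# install_certs MACHINE CERTDIR
# Pushes every *.pem in CERTDIR into the persistent certs directory and reboots.
install_certs() {
    machine="$1"; certdir="$2"
    docker-machine ssh "$machine" 'sudo mkdir -p /var/lib/boot2docker/certs'
    for pem in "$certdir"/*.pem; do
        name=$(basename "$pem")
        docker-machine scp "$pem" "$machine:$name"
        docker-machine ssh "$machine" "sudo mv '$name' /var/lib/boot2docker/certs/"
    done
    docker-machine restart "$machine"
    # The boot script re-imports the PEMs; list them to confirm they persisted.
    docker-machine ssh "$machine" 'ls -l /var/lib/boot2docker/certs'
}

# Usage: ./install-corp-ca.sh corp-bundle.pem [machine]
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$work" corp-ca)
    [ "$count" -gt 0 ] || { echo "no certificates found in $1" >&2; exit 1; }
    install_certs "${2:-default}" "$work"
fi
```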
