Recommended way to install CA certificate on local VM docker machine #1799
Comments
I'd also like to know this. I've followed the procedure (https://docs.docker.com/articles/https/) to create a new CA and certificates. I've tried putting files in /var/lib/boot2docker and /var/lib/boot2docker/tls but am having trouble with the /etc/init.d/docker start script overwriting the certificate I've generated.
I've looked into this a bit more and it looks like docker-machine will overwrite anything in the host .docker/machines/machine/default with certificates it generates. It also replaces files in the boot2docker VM in /var/lib/boot2docker. It is possible to log in and replace files in the VM and update /var/lib/boot2docker/profile, but this is also replaced on startup (not sure by what, but possibly by 'docker-machine env default').
@oobles you should be able to use the
When using
The point here (and I guess in most companies) is I can't give the What am I missing here? Are those options only useful for people managing their own CA, signing their own certificates? I just want my docker client (on my VM) to Any help?
Same problem here, any improvements?
+1. Same problem in our organisation.
The way I worked around the situation was:
On the Docker Machine:
My container builds hit
+1 on this. If it were possible to re-use an existing CA (cert and key) and client certificates (cert and key), it really should be possible to re-use existing TLS infrastructure when deploying certificates to the docker engine with docker-machine, e.g.
+1
👍, as this is a major blocker for us. Our enterprise IT organization puts a custom HTTPS cert on all requests going from inside our corporate firewall to the public internet, so we cannot even contact Docker Hub for containers without being able to configure these certs correctly.
Has anybody found a solution to this yet? Our enterprise IT does a MitM to replace all HTTPS certs. When I tried...
I ended up skipping the TLS cert at machine creation time. Once created: docker-machine scp certfile default:ca.crt. Then it should work. You may have to mkdir the subdirectories before the mv.
On Thursday, August 11, 2016, Andy Ruestow notifications@github.com wrote:
+1. GE is using Zscaler and doing MitM cert mangling, and docker is unusable from all of our developer machines right now.
+1, trying to solve this right now too.
+1, also trying to solve this in a corporate environment.
+1, also corporate environment, proxy does MitM cert mangling. Need a way to install certs.
This took a lot of digging and the solution is embarrassingly simple (but not obvious). And there are a couple things to note. The answer was here - but you have to read past the code section to the alternative approach. Basically, copy pem (Base64 encoded) versions of your CA trust chain into
This should be simpler, so I support (#1799). Furthermore, we should be able to specify a directory full of PEM files so adding multiple certs (as in whole trust chains) is easy.
@rpomeroy thanks a lot, I was doing all the same but didn't know that a VM restart was needed, and because of that I was copying the certificate all over the place to make it work.
Any fix for Docker for Windows?
@rpomeroy Thanks. Is importing the company root CA into our docker machine enough to make our registry accessible? Or do we also need to put stuff in
As mentioned earlier in the thread, the Linux distro underneath boot2docker is basically immutable, so putting stuff in /etc/docker/certs won't survive. Only /var/lib/boot2docker/certs is mutable and persistent. Note that all this info may need to be re-verified with newer versions of boot2docker.
I'm running Windows 7 + VirtualBox (v5.2.6) + Docker Toolbox (Boot2Docker version 18.02.-ce) and had the same issue. The following solution worked for me:
@kvvoronina I'm facing the same problem as you. Instead I'm running Docker Toolbox on Win 8.1.
Hello, thanks ghost, it works and I can pull my image now.
Ubel, I'm having the same issue. I got images to pull, but I can't build images using the docker Get Started walk-through. Were you able to overcome the issue?
@cmenjivar: No, I still have the same problem...
@Ubel: I found a solution: in your Dockerfile, just add all 3 hosted Python hosts, instead of just one...
@cmenjivar: thanks for your help. It's working for me too. Now I need to try the same thing with the NuGet package URL.
Could someone update this for a Windows host and Windows containers?
For what it's worth, @rpomeroy has the correct answer... Issue the following commands in the "Docker Quickstart Terminal" if you are on Windows, to ensure you have the appropriate environment. The "$" is the prompt, don't paste that part. You may want to issue a
$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default
Folks that are trying to use --tls-cert, --tls-key and --tls-ca-cert are using incorrect options. Those are for authentication between the docker client and server. The only point I would like to make is that the filesystems in /etc are not "immutable" really, they are actually "ephemeral" (tmpfs), meaning they will go away on each reboot. The information in /var/lib/boot2docker/certs will be repopulated into the correct place in /etc/docker/certs... Anyhow, it would be nice if docker-machine would automatically trust any certs that the host system trusts.
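An added example, not code from this thread or from docker-machine, that prepares a corporate CA chain for the /var/lib/boot2docker/certs directory the commands above populate, and also covers the original question about intermediate CAs: it splits a PEM bundle into one file per certificate and checks that every block base64-decodes to a complete DER SEQUENCE, so a truncated or CRLF-mangled copy is caught before the machine is restarted. The function names, the output file naming and the sample bundle are this example's own constructions; the sample blocks are minimal DER SEQUENCEs, not real certificates.

```python
import base64
import binascii
import os
import re

# Matches each CERTIFICATE block; the lazy group captures the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample bundle: two minimal DER SEQUENCE blobs (30 03 02 01 01 and
# 30 06 02 01 02 02 01 03), NOT real certificates; CRLF line endings on purpose,
# since that is what a Windows-side copy of a corporate chain often looks like.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMAYCAQICAQM=\r\n-----END CERTIFICATE-----\r\n"
)
# Constructed sample of a bad copy: the body is cut short, so the DER length
# claims more bytes than the block actually carries.
TRUNCATED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
)


def der_sequence_header(der: bytes):
    """Return (header_len, body_len) if der starts with a DER SEQUENCE tag, else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2, first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def validate_bundle(text: str):
    """Parse every CERTIFICATE block; return (list of DER blobs, list of error strings)."""
    blobs, errors = [], []
    for i, m in enumerate(PEM_BLOCK.finditer(text), 1):
        body = re.sub(r"\s+", "", m.group(1))   # tolerate CRLF and odd wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            errors.append(f"block {i}: body is not valid base64")
            continue
        hdr = der_sequence_header(der)
        if hdr is None:
            errors.append(f"block {i}: does not start with a DER SEQUENCE")
        elif hdr[0] + hdr[1] != len(der):
            errors.append(f"block {i}: DER length {hdr[0] + hdr[1]} != {len(der)} "
                          "bytes (truncated or padded copy)")
        else:
            blobs.append(der)
    if not blobs and not errors:
        errors.append("no CERTIFICATE blocks found")
    return blobs, errors


def write_cert_dir(text: str, outdir: str):
    """Write one ca-N.pem per valid block (LF line endings) and return the paths."""
    blobs, errors = validate_bundle(text)
    if errors:
        raise ValueError("; ".join(errors))
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for i, der in enumerate(blobs, 1):
        b64 = base64.b64encode(der).decode()
        lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
        path = os.path.join(outdir, f"ca-{i}.pem")   # hypothetical naming scheme
        with open(path, "w", newline="\n") as f:
            f.write("-----BEGIN CERTIFICATE-----\n")
            f.write("\n".join(lines) + "\n")
            f.write("-----END CERTIFICATE-----\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Stage the files locally; copy the directory to the VM with docker-machine scp
    # and restart the machine as described in the thread.
    print(write_cert_dir(SAMPLE_BUNDLE, "certs-out"))
    print(validate_bundle(TRUNCATED_BUNDLE)[1])
```

The DER check is deliberately shallow (outer tag and length only): it does not replace verifying the chain with openssl, but it is enough to catch the two failures that usually produce a confusing "x509: certificate signed by unknown authority" after the restart, a file that was cut off in the copy and a file whose base64 body was damaged by line-ending conversion.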
For those who may have left this solution thinking it would only work for the boot2docker setup and not the Docker for Windows (Hyper-V) setup, this (@rpomeroy's solution) also appears to work perfectly. I must have read this thread half a dozen times and dismissed it because it wasn't specific to the Docker for Windows environment. @rpomeroy's solution works for both boot2docker and Docker for Windows.
I uploaded my company .cer certificates into the /etc/pki/ca-trust/source/anchors directory of my docker container and entered the commands below.
update-ca-trust enable
After doing the above steps I could get the required output from curl.
Just chiming in... Looks like adding both of these mounts on your container seems to work with most configurations:
Windows is another story... I would avoid using a Windows Docker host if possible.
Commonly, a company's root CA certificates are installed by IT on developers' machines and servers (they don't come with the OS). When using docker-machine with local VMs (VirtualBox), do we need to install the company root CA certificate on the VM to talk to a docker registry hosted on the company's network?
I'm wondering what the recommended way is to install a CA certificate on my local VM. There seems to be the beginning of an answer here, but nothing convincing/proper.
And if there are intermediate company CAs, what's the recommended way? Bundle all the certs?