Merge docker's and system's CA certificates #19

Closed
h0tbird opened this issue Jun 7, 2016 · 4 comments

h0tbird commented Jun 7, 2016

Check this task and comment to understand why this is needed.

@h0tbird h0tbird added the bug label Jun 7, 2016
@h0tbird h0tbird added this to the v0.1.0 milestone Jun 7, 2016
@h0tbird h0tbird self-assigned this Jun 7, 2016
@h0tbird h0tbird changed the title Merge docker's and system's CA certificate Merge docker's and system's CA certificates Jun 7, 2016

h0tbird commented Jun 8, 2016

This seems to permanently fix the issue:

sudo cp /etc/docker/certs.d/internal-registry-sys.marathon:5000/ca.crt /etc/ssl/certs/cell-1.dub.pem
sudo update-ca-certificates
sudo rm -rf /etc/docker/certs.d/internal-registry-sys.marathon:5000
sudo systemctl restart docker


h0tbird commented Jun 8, 2016

I think this systemd unit must be modified to enable the certificate rehashing:

core@worker-1 ~ $ systemctl cat update-ca-certificates.service 
# /usr/lib64/systemd/system/update-ca-certificates.service
[Unit]
Description=Update CA bundle at /etc/ssl/certs/ca-certificates.crt
# Since other services depend on the certificate store run this early
DefaultDependencies=no
Wants=systemd-tmpfiles-setup.service clean-ca-certificates.service
After=systemd-tmpfiles-setup.service clean-ca-certificates.service
Before=sysinit.target
ConditionPathIsReadWrite=/etc/ssl/certs
# Do nothing if update-ca-certificates has never been run before
ConditionPathIsSymbolicLink=!/etc/ssl/certs/ca-certificates.crt

[Service]
Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates --skip-rehash
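
Added example, not part of the issue thread or the project's code: a POSIX shell check that the CA copied in the fix above is trusted through the system store, meaning it appears in the bundle and a hash symlink points at it (the step `--skip-rehash` leaves out). Default paths are the ones quoted in the thread; the function names and the `--check` argument are hypothetical, and the `<8 hex digits>.<n>` link naming is the OpenSSL rehash convention, assumed here.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the base64 body of the first PEM certificate in $1 as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {inside=1; next}
         /-----END CERTIFICATE-----/   {exit}
         inside {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# Succeed if the certificate in $1 appears as a block in the bundle $2.
ca_in_bundle() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 2   # no certificate found in $1
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ {inside=1; body=""; next}
        /-----END CERTIFICATE-----/   {if (body == want) found=1; inside=0; next}
        inside {gsub(/[ \t\r]/, ""); body = body $0}
        END {exit !found}' "$2"
}

# Succeed if a rehash-style symlink (<8 hex digits>.<n>) in directory $2
# resolves to the certificate file $1.
has_hash_link() {
    target=$(readlink -f "$1") || return 2
    for link in "$2"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -L "$link" ] || continue
        [ "$(readlink -f "$link")" = "$target" ] && return 0
    done
    return 1
}

# Report both checks; return non-zero if either one fails.
check_ca() {
    cert=${1:-/etc/ssl/certs/cell-1.dub.pem}
    dir=${2:-/etc/ssl/certs}
    bundle=${3:-$dir/ca-certificates.crt}
    rc=0
    if ca_in_bundle "$cert" "$bundle"; then echo "bundle: present"
    else echo "bundle: MISSING"; rc=1; fi
    if has_hash_link "$cert" "$dir"; then echo "hash link: present"
    else echo "hash link: MISSING"; rc=1; fi
    return $rc
}

# Run as: sh check-ca.sh --check [cert] [certs_dir] [bundle]
if [ "${1:-}" = "--check" ]; then shift; check_ca "$@"; exit; fi
```
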


h0tbird commented Jun 9, 2016


h0tbird commented Jul 20, 2016

Fixed by ee51132

@h0tbird h0tbird closed this as completed Jul 20, 2016