
Hostname in server cert doesn't contain internal IP #13922

rhuss opened this issue Jun 13, 2015 · 4 comments

@rhuss rhuss commented Jun 13, 2015

When I try to contact the docker host from within a container via its gateway IP obtained via

 host=$(ip route show | grep -Eo 'via \S+' | awk '{print $2}');

and using SSL I get this error message

hostname in certificate didn't match: <> != <> OR 
<> OR <>

I'm not so deep into the docker network stack, but couldn't it be possible to include the internal gateway IPs in the generated server certificate as well?


@rhuss rhuss commented Jun 13, 2015

  • Docker version: 1.6.2
  • Docker info:
Containers: 12
Images: 274
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 298
 Dirperm1 Supported: true
Execution Driver: native-0.2
Kernel Version: 4.0.2-boot2docker
Operating System: Boot2Docker 1.6.1 (TCL 5.4); master : 43209d4 - Thu May  7 22:06:28 UTC 2015
CPUs: 8
Total Memory: 1.957 GiB
Name: boot2docker
Debug mode (server): true
Debug mode (client): false
Fds: 19
Goroutines: 34
System Time: Sat Jun 13 00:01:45 UTC 2015
EventsListeners: 0
Init SHA1: 2dabfc43e5f856a0712787a6ff78ceaf791cc9e7
Init Path: /usr/local/bin/docker
Docker Root Dir: /mnt/sda1/var/lib/docker
Username: jolokia
Registry: []
  • Additional Info: Docker is running in boot2docker

Steps to reproduce:

  • Enable TCP listening on the docker daemon and SSL
  • Start a container with an internal docker client (e.g. jolokia/docker-reveal) and mount your client certs as volumes (e.g. docker run -ti -v ~/.boot2docker/certs/boot2docker-vm/:/certs jolokia/docker-reveal sh)
  • Run
host=$(ip route show | grep -Eo 'via \S+' | awk '{print $2}');
export DOCKER_HOST=tcp://${host}:2376
export DOCKER_CERT_PATH=/path/to/certs
  • Then try a docker command within this container (e.g. like docker images)
  • Result:
/slides # docker images
FATA[0000] An error occurred trying to connect: Get 
x509: certificate is valid for,,, not

I would expect that the internal ip would be included in the server cert that the docker daemon uses.


@jamshid jamshid commented Jul 26, 2015

Agreed, it would be great if there were a docker client option like DOCKER_TLS_VERIFY, but it should not validate that the hostname/ip matches the cert. I know that's usually not a good idea but seems okay here because the client is providing the cert that is expected, so it's not susceptible to MitM.

In my case I'm trying to configure a jenkins container to use the docker server on which it's running. Would simply share /var/run/docker.sock to the container, but that doesn't work with the jenkins user for some strange reason. And I don't want to change the docker server configuration (
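Two mechanics come up in this thread: rhuss's failure (the bridge gateway IP is simply not in the daemon certificate's IP SAN list, so the client's x509 check rejects it) and jamshid's proposal (keep trusting the CA file the client ships, but drop the hostname/IP match). The Go program below is an added example written for this page; it is not Docker's client code and not something either poster provided. It issues an ephemeral CA and daemon certificate in memory, reproduces the x509 hostname error against a gateway IP, shows the reissue-with-gateway-IP fix, and shows how a Go client could wire a chain-only check into a tls.Config. The addresses 192.168.59.103 (boot2docker VM) and 172.17.42.1 (Docker 1.6 bridge gateway) are assumed illustrative values, and all function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCA makes a throw-away self-signed CA standing in for boot2docker's ca.pem (assumed, not the real one).
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert issues a daemon certificate whose IP SANs are exactly ips (stand-in for server.pem).
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "docker daemon"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("not an IP address: %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs is what a TLS-verifying client does: chain to the CA and require host (DNS name or IP) in the leaf's SANs.
func verifyAs(cert, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// verifyChainOnly is the relaxed check from the thread: chain to the shipped CA, but no name/IP match.
func verifyChainOnly(cert, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool}) // empty DNSName: SANs are not checked
	return err
}

// chainOnlyTLSConfig wires that in: InsecureSkipVerify disables the default checks,
// VerifyPeerCertificate puts the chain check back. Without the callback this would be no verification at all.
func chainOnlyTLSConfig(ca *x509.Certificate) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("server sent no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			return verifyChainOnly(leaf, ca)
		},
	}
}
```

To exercise it, issue a cert with SANs {127.0.0.1, 192.168.59.103} and call verifyAs against 172.17.42.1: the error is an x509.HostnameError, the same class of failure as the "certificate is valid for ... not ..." message in the report, while verifyChainOnly accepts the same cert. Reissuing with the gateway IP added makes verifyAs pass, which is the fix the issue asks for. The chain-only variant only makes sense because the CA file is private to this deployment; note that it makes every certificate that CA has ever issued interchangeable, so a leaked cert for any other host on the same CA would also be accepted.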


@ChrisPearce ChrisPearce commented Aug 31, 2015

It would be very helpful if the internal ip was included in the server cert


@Sigurthorb Sigurthorb commented Jan 6, 2016

Hey, I think this is connected to my issue #19112, can you verify that this is the issue that I am having?
If I am reading this correctly though, it seems that this is the other way around: my cert is registered on the internal static IP of my server instead of my host name (external network ID).
