docker for mac (native, not boot to docker): private registry certificate not trusted #22764

Closed
cjw296 opened this issue May 16, 2016 · 13 comments


@cjw296

cjw296 commented May 16, 2016


BUG REPORT INFORMATION

Output of docker version:

$ docker --version
Docker version 1.11.1, build 5604cbe

Docker for Mac version is Version 1.11.1-beta11 (build: 6974) 37559e5f6acd56a4810963acc7001e88f2d88017

Output of docker info:

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.11.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 0
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.9-moby
Operating System: Alpine Linux v3.3
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 1.954 GiB
Name: moby
ID: FG7W:RI4N:HCY4:5X3H:NNYO:VEEG:IMJC:D6AV:IVEM:2TNG:VQUK:WS6L
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 16
 Goroutines: 40
 System Time: 2016-05-16T12:36:24.498998148Z
 EventsListeners: 1
Registry: https://index.docker.io/v1/

Additional environment details (AWS, VirtualBox, physical, etc.):

We use a private registry that has an SSL cert that is signed by our internal CA.
This certificate authority is globally installed into the system keychain on mac and linux desktops.

Steps to reproduce the issue:

  1. curl works fine:
$ curl https://<redacted>.com/v1/_ping
true
  2. Any docker commands do not:
$ docker pull <redacted>.com/<redacted>
Error response from daemon: Get https://<redacted>.com/v1/_ping: x509: certificate signed by unknown authority

Describe the results you received:

x509: certificate signed by unknown authority

Describe the results you expected:

Certificate to be accepted as the CA's cert has been installed system-wide.

Additional information you deem important (e.g. issue happens only occasionally):

docker works fine on our Linux desktops, which similarly have the CA's cert globally installed.

@cjw296
Author

cjw296 commented May 16, 2016

This workaround to set the registry to be insecure worked for me:

https://forums.docker.com/t/how-to-run-a-insecure-registry/9692

...but I guess this bug becomes "Docker for Mac" should use the system certificate store for certificates to trust.

@cpuguy83
Member

Yes indeed, this is a known issue on the docker4mac team.
Closing as this is being tracked in the docker4mac project.

@cjw296
Author

cjw296 commented May 16, 2016

@cpuguy83 - where can I look at the docker4mac project?

@cpuguy83
Member

It's currently private.

@cjw296
Author

cjw296 commented May 16, 2016

Ah well, hope it's public soon :-)

@joedragons

@cpuguy83 is this the project? https://github.com/docker/for-mac I am not seeing this corresponding issue there, but maybe my search-fu is weak.

@thaJeztah
Member

@joedragons that repository only holds an issue tracker for Docker for Mac. Components of Docker for Mac have been open sourced (see https://github.com/docker/for-mac#component-projects), but some parts are not.

@joedragons

@thaJeztah Thanks. I am also having the issue listed here and wanted to make sure it's still open and not just me. It seems weird to me to close a public issue when there's a private issue giving users no indication if it's fixed or not. But I admit some bias in this regard=)

@thaJeztah
Member

@joedragons the public issue tracker was opened recently, after Docker for Mac came out of beta; please check if there's an open issue there, otherwise feel free to create one

@bitbrain

I can also reproduce this issue on my machine. I'm using Docker version 1.12.0-a, build 11213.

@alvarow

alvarow commented Sep 2, 2016

+1 please fix this. I'd rather not blindly trust ...

@justincormack
Contributor

This is being worked on currently.

On 2 Sep 2016 6:19 p.m., "Álvaro Reguly" notifications@github.com wrote:

+1 please fix this. I'd rather not blindly trust ...


@alvarow

alvarow commented Sep 2, 2016

Apparently here is the correct ticket to follow: docker/for-mac#343
