X509 certificate signed by unknown authority docker windows

I am running Docker on Windows (boot2docker + Oracle VirtualBox). In my corporate environment they modify the certificates so that the CAs are the company's self-signed CAs. Thus, the chain ends up

This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn’t until today been able to work out a solution for Docker. The trick is to add the certificates to Docker’s cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.

I assume if you’ve already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you’ve already done #1 and #2 by way of previous attempts.

  1. Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.

  2. Once you have them saved to a known location, you will want to convert them to PEM format unless you save as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    
  3. Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access. Typically for MS Windows, you’ll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.

  4. This step may not be strictly necessary, but it’s what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.

    MINGW64:$ docker-machine ssh default
    
    docker@default:~$ sudo -s
    root@default:/home/docker# mkdir /var/lib/boot2docker/certs
    root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
    
  5. Now it’s time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven’t already, open an SSH connection to the machine, per Step 4.

    touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
    vi /var/lib/boot2docker/bootlocal.sh
    

Insert the following and save the file:

    #!/bin/sh

    mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d

  6. Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:

    docker-machine restart default
    

Now you should be able to run ‘hello-world’ and others.


Sources

[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem

[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043

Using the toolbox MINGW64 Bash command
docker-machine ssh default
then docker run hello-world
docker: Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority.

Get the same error when running the same command with the MINGW64 Bash command line.

Also get the same error using MINGW64 with docker login and enter my userID and password:

$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: ****
Password: ****
Error response from daemon: Get https://index.docker.io/v1/users/: x509: certificate signed by unknown authority

This is a new install on Windows 7 Enterprise. No proxy or VPN being used. My docker versions are below:

Client:
 Version:      1.12.2
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   bb80604
 Built:        Tue Oct 11 17:00:50 2016
 OS/Arch:      windows/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   6b644ec
 Built:        Wed Oct 26 23:26:11 2016
 OS/Arch:      linux/amd64

Here is the docker.log

/usr/local/bin/docker daemon -D -g "/var/lib/docker" -H unix:// -H tcp://0.0.0.0:2376 --label provider=virtualbox --tlsverify --tlscacert=/var/lib/boot2docker/ca.pem --tlscert=/var/lib/boot2docker/server.pem --tlskey=/var/lib/boot2docker/server-key.pem -s aufs >> "/var/lib/boot2docker/docker.log"
time="2016-12-02T17:40:30.744686465Z" level=debug msg="Trusting 1 certs"
time="2016-12-02T17:40:30.744757096Z" level=debug msg="docker group found. gid: 100"
time="2016-12-02T17:40:30.744773618Z" level=debug msg="Listener created for HTTP on unix (/var/run/docker.sock)"
time="2016-12-02T17:40:30.745164208Z" level=debug msg="Listener created for HTTP on tcp (0.0.0.0:2376)"
time="2016-12-02T17:40:30.749858087Z" level=info msg="libcontainerd: new containerd process, pid: 1403"
time="2016-12-02T17:40:30.751232622Z" level=debug msg="libcontainerd: containerd connection state change: TRANSIENT_FAILURE"
time="2016-12-02T17:40:30.754248386Z" level=debug msg="containerd: read past events" count=0
time="2016-12-02T17:40:30.754312675Z" level=debug msg="containerd: supervisor running" cpus=1 memory=995 runtime=docker-runc runtimeArgs=[] stateDir="/var/run/docker/libcontainerd/containerd"
time="2016-12-02T17:40:30.754433105Z" level=debug msg="containerd: grpc api on /var/run/docker/libcontainerd/docker-containerd.sock"
time="2016-12-02T17:40:31.752647725Z" level=debug msg="Using default logging driver json-file"
time="2016-12-02T17:40:31.752690751Z" level=debug msg="Golang's threads limit set to 6840"
time="2016-12-02T17:40:31.752721505Z" level=debug msg="[graphdriver] trying provided driver "aufs""
time="2016-12-02T17:40:31.756491840Z" level=debug msg="Using graph driver aufs"
time="2016-12-02T17:40:31.756755448Z" level=debug msg="Max Concurrent Downloads: 3"
time="2016-12-02T17:40:31.756769285Z" level=debug msg="Max Concurrent Uploads: 5"
time="2016-12-02T17:40:31.758545195Z" level=info msg="Graph migration to content-addressability took 0.00 seconds"
time="2016-12-02T17:40:31.758669664Z" level=warning msg="Your kernel does not support cgroup blkio weight"
time="2016-12-02T17:40:31.758682044Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
time="2016-12-02T17:40:31.758984336Z" level=debug msg="Option DefaultDriver: bridge"
time="2016-12-02T17:40:31.758994250Z" level=debug msg="Option DefaultNetwork: bridge"
time="2016-12-02T17:40:31.764196394Z" level=debug msg="Fail to initialize firewalld: Failed to connect to D-Bus system bus: dial unix /var/run/dbus/system_bus_socket: connect: no such file or directory, using raw iptables instead"
time="2016-12-02T17:40:31.764892490Z" level=debug msg="/usr/local/sbin/iptables, [--wait --version]"
time="2016-12-02T17:40:31.765543798Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.772927899Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]"
time="2016-12-02T17:40:31.773677414Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.774327019Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D PREROUTING]"
time="2016-12-02T17:40:31.774928100Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D OUTPUT]"
time="2016-12-02T17:40:31.775544188Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -F DOCKER]"
time="2016-12-02T17:40:31.776085017Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -X DOCKER]"
time="2016-12-02T17:40:31.776626424Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -F DOCKER]"
time="2016-12-02T17:40:31.777206016Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -X DOCKER]"
time="2016-12-02T17:40:31.777755328Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -F DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.778304247Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -X DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.778845101Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -n -L DOCKER]"
time="2016-12-02T17:40:31.779393672Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -N DOCKER]"
time="2016-12-02T17:40:31.779994206Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -n -L DOCKER]"
time="2016-12-02T17:40:31.780561001Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -N DOCKER]"
time="2016-12-02T17:40:31.781207318Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -n -L DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.781791215Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -N DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.782346071Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -j RETURN]"
time="2016-12-02T17:40:31.783018224Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I DOCKER-ISOLATION -j RETURN]"
time="2016-12-02T17:40:31.787270767Z" level=warning msg="Could not load necessary modules for IPSEC rules: Running modprobe xfrm_user failed with message: `modprobe: module xfrm_user not found in modules.dep`, error: exit status 1"
time="2016-12-02T17:40:31.787346607Z" level=debug msg="Did not find any interface with name docker0: Link not found"
time="2016-12-02T17:40:31.789910140Z" level=debug msg="Setting bridge mac address to 02:42:0d:c5:90:dc"
time="2016-12-02T17:40:31.789997612Z" level=debug msg="Assigning address to bridge interface docker0: 172.17.0.1/16"
time="2016-12-02T17:40:31.790053336Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.790895486Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.793281905Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.793927677Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -I DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.794558636Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j DROP]"
time="2016-12-02T17:40:31.795173446Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.795764807Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.796351001Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.796938536Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.797557497Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.798218826Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.798875539Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.799561268Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.800206353Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
time="2016-12-02T17:40:31.800845743Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
time="2016-12-02T17:40:31.801556457Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.802147116Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.802737882Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.803331101Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.804007143Z" level=debug msg="Network (769a472) restored"
time="2016-12-02T17:40:31.817909885Z" level=debug msg="Allocating IPv4 pools for network bridge (769a4727f21c2c93bc5ab0d73b2221bf589b61d72286703044df82dff4404bdb)"
time="2016-12-02T17:40:31.817936450Z" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
time="2016-12-02T17:40:31.817963419Z" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
time="2016-12-02T17:40:31.818944639Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.819794283Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.820419933Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.821095012Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -D DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.821706584Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.822306310Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.822917846Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.823555089Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.824172614Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.824865567Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.825579043Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.826190711Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.826793517Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.827856201Z" level=debug msg="releasing IPv4 pools from network bridge (769a4727f21c2c93bc5ab0d73b2221bf589b61d72286703044df82dff4404bdb)"
time="2016-12-02T17:40:31.827873323Z" level=debug msg="ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)"
time="2016-12-02T17:40:31.827889444Z" level=debug msg="ReleasePool(LocalDefault/172.17.0.0/16)"
time="2016-12-02T17:40:31.829420991Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
time="2016-12-02T17:40:31.829449564Z" level=debug msg="Allocating IPv4 pools for network bridge (df4bd823534e55e46fab6700e94d5e3728ae40f7cdf6e4ce9fb523f4ef6a84d6)"
time="2016-12-02T17:40:31.829461383Z" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
time="2016-12-02T17:40:31.829480436Z" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
time="2016-12-02T17:40:31.829604904Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.830263211Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
time="2016-12-02T17:40:31.830897081Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.831580401Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -I DOCKER -i docker0 -j RETURN]"
time="2016-12-02T17:40:31.832186563Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j DROP]"
time="2016-12-02T17:40:31.832832277Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.833438658Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -i docker0 -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.834113557Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.834778734Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
time="2016-12-02T17:40:31.835383516Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.836099155Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
time="2016-12-02T17:40:31.836963236Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.837678997Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
time="2016-12-02T17:40:31.838404700Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
time="2016-12-02T17:40:31.839196159Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
time="2016-12-02T17:40:31.839951001Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.840701682Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -o docker0 -j DOCKER]"
time="2016-12-02T17:40:31.841384288Z" level=debug msg="/usr/local/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.842035782Z" level=debug msg="/usr/local/sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.842667948Z" level=debug msg="/usr/local/sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION]"
time="2016-12-02T17:40:31.844980088Z" level=info msg="Daemon has completed initialization"
time="2016-12-02T17:40:31.845016496Z" level=info msg="Docker daemon" commit=6b644ec graphdriver=aufs version=1.12.3
time="2016-12-02T17:40:31.845082732Z" level=debug msg="Registering routers"
time="2016-12-02T17:40:31.845090452Z" level=debug msg="Registering HEAD, /containers/{name:.*}/archive"
time="2016-12-02T17:40:31.845196210Z" level=debug msg="Registering GET, /containers/json"
time="2016-12-02T17:40:31.845249996Z" level=debug msg="Registering GET, /containers/{name:.*}/export"
time="2016-12-02T17:40:31.845332988Z" level=debug msg="Registering GET, /containers/{name:.*}/changes"
time="2016-12-02T17:40:31.845405539Z" level=debug msg="Registering GET, /containers/{name:.*}/json"
time="2016-12-02T17:40:31.845461108Z" level=debug msg="Registering GET, /containers/{name:.*}/top"
time="2016-12-02T17:40:31.845590507Z" level=debug msg="Registering GET, /containers/{name:.*}/logs"
time="2016-12-02T17:40:31.845654350Z" level=debug msg="Registering GET, /containers/{name:.*}/stats"
time="2016-12-02T17:40:31.845718392Z" level=debug msg="Registering GET, /containers/{name:.*}/attach/ws"
time="2016-12-02T17:40:31.845782209Z" level=debug msg="Registering GET, /exec/{id:.*}/json"
time="2016-12-02T17:40:31.845841816Z" level=debug msg="Registering GET, /containers/{name:.*}/archive"
time="2016-12-02T17:40:31.845906266Z" level=debug msg="Registering POST, /containers/create"
time="2016-12-02T17:40:31.845956564Z" level=debug msg="Registering POST, /containers/{name:.*}/kill"
time="2016-12-02T17:40:31.846072344Z" level=debug msg="Registering POST, /containers/{name:.*}/pause"
time="2016-12-02T17:40:31.846142240Z" level=debug msg="Registering POST, /containers/{name:.*}/unpause"
time="2016-12-02T17:40:31.846203895Z" level=debug msg="Registering POST, /containers/{name:.*}/restart"
time="2016-12-02T17:40:31.846274390Z" level=debug msg="Registering POST, /containers/{name:.*}/start"
time="2016-12-02T17:40:31.846335739Z" level=debug msg="Registering POST, /containers/{name:.*}/stop"
time="2016-12-02T17:40:31.846397909Z" level=debug msg="Registering POST, /containers/{name:.*}/wait"
time="2016-12-02T17:40:31.846455319Z" level=debug msg="Registering POST, /containers/{name:.*}/resize"
time="2016-12-02T17:40:31.846581902Z" level=debug msg="Registering POST, /containers/{name:.*}/attach"
time="2016-12-02T17:40:31.846648077Z" level=debug msg="Registering POST, /containers/{name:.*}/copy"
time="2016-12-02T17:40:31.846703368Z" level=debug msg="Registering POST, /containers/{name:.*}/exec"
time="2016-12-02T17:40:31.846757547Z" level=debug msg="Registering POST, /exec/{name:.*}/start"
time="2016-12-02T17:40:31.855298945Z" level=debug msg="Registering POST, /exec/{name:.*}/resize"
time="2016-12-02T17:40:31.855476145Z" level=debug msg="Registering POST, /containers/{name:.*}/rename"
time="2016-12-02T17:40:31.855680517Z" level=debug msg="Registering POST, /containers/{name:.*}/update"
time="2016-12-02T17:40:31.855823007Z" level=debug msg="Registering PUT, /containers/{name:.*}/archive"
time="2016-12-02T17:40:31.855965910Z" level=debug msg="Registering DELETE, /containers/{name:.*}"
time="2016-12-02T17:40:31.856156286Z" level=debug msg="Registering GET, /images/json"
time="2016-12-02T17:40:31.856248747Z" level=debug msg="Registering GET, /images/search"
time="2016-12-02T17:40:31.856338764Z" level=debug msg="Registering GET, /images/get"
time="2016-12-02T17:40:31.856428471Z" level=debug msg="Registering GET, /images/{name:.*}/get"
time="2016-12-02T17:40:31.856609363Z" level=debug msg="Registering GET, /images/{name:.*}/history"
time="2016-12-02T17:40:31.856737561Z" level=debug msg="Registering GET, /images/{name:.*}/json"
time="2016-12-02T17:40:31.856858547Z" level=debug msg="Registering POST, /commit"
time="2016-12-02T17:40:31.856932825Z" level=debug msg="Registering POST, /images/load"
time="2016-12-02T17:40:31.857067111Z" level=debug msg="Registering POST, /images/create"
time="2016-12-02T17:40:31.857171220Z" level=debug msg="Registering POST, /images/{name:.*}/push"
time="2016-12-02T17:40:31.857289494Z" level=debug msg="Registering POST, /images/{name:.*}/tag"
time="2016-12-02T17:40:31.857408848Z" level=debug msg="Registering DELETE, /images/{name:.*}"
time="2016-12-02T17:40:31.857600539Z" level=debug msg="Registering OPTIONS, /{anyroute:.*}"
time="2016-12-02T17:40:31.857700202Z" level=debug msg="Registering GET, /_ping"
time="2016-12-02T17:40:31.857773927Z" level=debug msg="Registering GET, /events"
time="2016-12-02T17:40:31.857843765Z" level=debug msg="Registering GET, /info"
time="2016-12-02T17:40:31.857908064Z" level=debug msg="Registering GET, /version"
time="2016-12-02T17:40:31.858001946Z" level=debug msg="Registering POST, /auth"
time="2016-12-02T17:40:31.858134328Z" level=debug msg="Registering GET, /volumes"
time="2016-12-02T17:40:31.858215934Z" level=debug msg="Registering GET, /volumes/{name:.*}"
time="2016-12-02T17:40:31.858338159Z" level=debug msg="Registering POST, /volumes/create"
time="2016-12-02T17:40:31.858435864Z" level=debug msg="Registering DELETE, /volumes/{name:.*}"
time="2016-12-02T17:40:31.858623798Z" level=debug msg="Registering POST, /build"
time="2016-12-02T17:40:31.858699227Z" level=debug msg="Registering POST, /swarm/init"
time="2016-12-02T17:40:31.858782830Z" level=debug msg="Registering POST, /swarm/join"
time="2016-12-02T17:40:31.858882884Z" level=debug msg="Registering POST, /swarm/leave"
time="2016-12-02T17:40:31.858975348Z" level=debug msg="Registering GET, /swarm"
time="2016-12-02T17:40:31.859090616Z" level=debug msg="Registering POST, /swarm/update"
time="2016-12-02T17:40:31.859185927Z" level=debug msg="Registering GET, /services"
time="2016-12-02T17:40:31.859271129Z" level=debug msg="Registering GET, /services/{id:.*}"
time="2016-12-02T17:40:31.859392667Z" level=debug msg="Registering POST, /services/create"
time="2016-12-02T17:40:31.859498568Z" level=debug msg="Registering POST, /services/{id:.*}/update"
time="2016-12-02T17:40:31.860487935Z" level=debug msg="Registering DELETE, /services/{id:.*}"
time="2016-12-02T17:40:31.860600622Z" level=debug msg="Registering GET, /nodes"
time="2016-12-02T17:40:31.860638114Z" level=debug msg="Registering GET, /nodes/{id:.*}"
time="2016-12-02T17:40:31.860689203Z" level=debug msg="Registering DELETE, /nodes/{id:.*}"
time="2016-12-02T17:40:31.860739964Z" level=debug msg="Registering POST, /nodes/{id:.*}/update"
time="2016-12-02T17:40:31.860791527Z" level=debug msg="Registering GET, /tasks"
time="2016-12-02T17:40:31.860823214Z" level=debug msg="Registering GET, /tasks/{id:.*}"
time="2016-12-02T17:40:31.860872242Z" level=debug msg="Registering GET, /networks"
time="2016-12-02T17:40:31.860907071Z" level=debug msg="Registering GET, /networks/{id:.*}"
time="2016-12-02T17:40:31.860959816Z" level=debug msg="Registering POST, /networks/create"
time="2016-12-02T17:40:31.861000434Z" level=debug msg="Registering POST, /networks/{id:.*}/connect"
time="2016-12-02T17:40:31.861149382Z" level=debug msg="Registering POST, /networks/{id:.*}/disconnect"
time="2016-12-02T17:40:31.861212449Z" level=debug msg="Registering DELETE, /networks/{id:.*}"
time="2016-12-02T17:40:31.861470361Z" level=info msg="API listen on [::]:2376"
time="2016-12-02T17:40:31.861560675Z" level=info msg="API listen on /var/run/docker.sock"
time="2016-12-02T17:40:33.751508859Z" level=debug msg="libcontainerd: containerd connection state change: READY"
time="2016-12-02T17:40:47.157118325Z" level=debug msg="Calling POST /v1.24/containers/create"
time="2016-12-02T17:40:47.157318825Z" level=debug msg="form data: {"AttachStderr":true,"AttachStdin":false,"AttachStdout":true,"Cmd":null,"Domainname":"","Entrypoint":null,"Env":[],"HostConfig":{"AutoRemove":false,"Bind
time="2016-12-02T17:40:47.157354807Z" level=debug msg="Client and server don't have the same version (client: 1.12.2, server: 1.12.3)"
time="2016-12-02T17:40:47.158018832Z" level=error msg="Handler for POST /v1.24/containers/create returned error: No such image: hello-world:latest"
time="2016-12-02T17:40:47.168659719Z" level=debug msg="Calling GET /v1.24/info"
time="2016-12-02T17:40:47.168702458Z" level=debug msg="Client and server don't have the same version (client: 1.12.2, server: 1.12.3)"
time="2016-12-02T17:40:47.175273487Z" level=debug msg="Calling POST /v1.24/images/create?fromImage=hello-world&tag=latest"
time="2016-12-02T17:40:47.175301389Z" level=debug msg="Client and server don't have the same version (client: 1.12.2, server: 1.12.3)"
time="2016-12-02T17:40:47.175394394Z" level=debug msg="Trying to pull hello-world from https://registry-1.docker.io v2"
time="2016-12-02T17:40:47.267928949Z" level=warning msg="Error getting v2 registry: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority"
time="2016-12-02T17:40:47.267962791Z" level=error msg="Attempting next endpoint for pull after error: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority"
time="2016-12-02T17:40:47.267980757Z" level=debug msg="Trying to pull hello-world from https://index.docker.io v1"
time="2016-12-02T17:40:47.268000661Z" level=debug msg="hostDir: /etc/docker/certs.d/docker.io"
time="2016-12-02T17:40:47.268523687Z" level=debug msg="[registry] Calling GET https://index.docker.io/v1/repositories/library/hello-world/images"
time="2016-12-02T17:40:47.343322233Z" level=error msg="Not continuing with pull after error: Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority"

Ok here is what I don’t understand, you can see in the beginning of the log it is using 0.0.0.0:2376 for the docker VM. When I run docker-machine ls I see this:

$ docker-machine ls
NAME      ACTIVE   DRIVER       STATE     URL                         SWARM   DOCKER    ERRORS
default   *        virtualbox   Running   tcp://192.168.99.100:2376           v1.12.3

According to boot2docker you are supposed to use the hostname; however, it looks like two different IP addresses are being used. What should be used?

Stuck with a docker error certificate signed by unknown authority? We can help you fix it.

Here at Bobcares, we have seen several causes for this error while troubleshooting Docker issues as part of our Docker Hosting Support for Docker users, web hosts, and online service providers.

Today we’ll take a look at the cause for this error and how to fix it.

What causes the docker error certificate signed by an unknown authority to occur

Now let’s see the root cause for this error to occur.

This error occurs when the registry does not present a trusted certificate, for example when it uses the default self-signed certificate generated by DTR.

It also occurs if a certificate was not provided during installation.

How we tackle the docker error certificate signed by unknown authority

A customer was trying to pull a Docker image from a Docker registry, which led to this error message.

Now let’s see how our Support Engineers tackle this error.

First, we restart Docker so that it detects the change in the OS certificates.

Docker has an additional location that we can use to trust individual registry server CA.

We place the CA cert inside /etc/docker/certs.d//ca.crt. The directory name also includes the port number if we specify one in the image tag, e.g.

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

Another solution to this error is to create the file /etc/docker/daemon.json and add insecure-registries to it. With this setting the daemon no longer verifies that registry's certificate.

{
"insecure-registries" : ["docker.domain.com:443"]
}

We restart docker daemon by running the command

systemctl restart docker

Then we create a directory with the same name as the host.

mkdir -p /etc/docker/certs.d/docker.domain.com

Finally, get the certificate and save it to the created directory.

ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.domain.com:443) -scq > /etc/docker/certs.d/docker.domain.com/docker_registry.crt

This should fix the error.


Conclusion

In short, this Docker error occurs if there is no trusted certificate enabled. Today, we saw the resolution to this error.


X.509 digital certificates are a fantastically secure method of authentication, but they require a little more infrastructure to support than your typical username and password credentials. A frequent error encountered by users attempting to configure and install their own certificates is:

“X.509 Certificate Signed by Unknown Authority”

This article is going to break down the most likely reasons you’ll find this error code, as well as suggest some digital certificate best practices so you can avoid it in the future.

Cause of X.509 Certificate Error

By far, the most common reason to receive the “X.509 Certificate Signed by Unknown Authority” error is that you’ve attempted to use a self-signed certificate in a scenario that requires a trusted CA-signed certificate. Most of the examples we see in the field are self-signed SSL certs being installed to enable HTTPS on a website.

While self-signed certificates certainly have their place, they are inappropriate to use for public-facing operations (like a website on the internet). Typically, public-facing certificates are signed by a public Certificate Authority (CA) that is recognized and trusted by major internet browsers and operating systems. This system makes intuitive sense: would you rather trust someone you’ve never heard of before, or someone who is being vouched for by other ‘people’ you already trust?

Self-signed certificates are only really useful in a few scenarios, such as intranet, home-use, and testing purposes.

You probably still need to sort out that HTTPS, so here’s what you need to do.

Solution for “Certificate Signed by Unknown Authority”

This may not be the answer you want to hear, but it’s been staring at you the whole time – get your certificate signed by a known authority. In other words, acquire a certificate from a public certificate authority.

Depending on your use case, you have options.

If you simply need an SSL certificate to enable HTTPS, there are free options for getting a trusted certificate. Your web host can likely sort it out for you, or you can go to a service like Let’s Encrypt for free trusted SSL certs.

In some cases, it makes sense to buy a trusted certificate from a public CA like DigiCert. If you need to digitally sign an important document or codebase to ensure it’s tamperproof, or perhaps for authentication to some service, that’s the way to go.

Note that using self-signed certs in public-facing operations is hugely risky. It’s trivial for bad actors to inspect a certificate, and self-signed certificates are a skeleton key for the holder that could allow nearly unfettered access, depending on the configuration.

Fortunately, there are solutions if you really do want to create and use certificates in-house. In fact, it’s an excellent idea since certificates can be used to authenticate to Wi-Fi, VPN, desktop login, and all sorts of applications in a very secure manner.

Managed PKI for Effective Certificate Management and Creation

For most organizations, working with a 3rd party that manages a PKI for you is the best combination of affordability and manageability. SecureW2 is a managed PKI vendor that’s totally vendor neutral, meaning it can integrate into your network and leverage the existing components with no forklift upgrades.

What’s more, if your organization is stuck with on-prem infrastructure like Active Directory, SecureW2’s PKI can upgrade your infrastructure to become a modern cloud network replete with the innumerable benefits of cloud computing like easy configuration, no physical installation, lower management costs over time, future-proofed, built-in redundancy and resiliency, etc.

Our comprehensive management tools allow for a huge amount of flexibility for admins. It provides a centralized place to manage the entire certificate lifecycle from generation to distribution, and even supports auto-revocation features that can be extended to MDMs like Jamf or Intune. The intuitive single-pane management interface includes advanced reporting and analytics with complementary AI-assisted anomaly detection to keep you safe even while you sleep.

Certificates distributed from SecureW2’s managed PKI can be used for SSL, S/MIME, RADIUS authentication, VPN, web app authentication, and more. If this is your first foray into using certificates and you’re unsure where else they might be useful, you ought to chat with our experienced support engineers.

Overall, a managed PKI simplifies the certificate experience and takes the burden of complex management, certificate configuration, and distribution off of your shoulders so you can focus on what matters. Check out SecureW2’s pricing page to see if a managed PKI solution can simplify your certificate management experience and eliminate x509 errors.

Fixing Self-Signed Certificates in Docker

A bunch of the support requests that come in regarding “Certificate Signed by Unknown Authority” seem to be rooted in users misconfiguring Docker, so we’ve included a short troubleshooting guide below:

Docker is a platform-as-a-service vendor that provides tools and resources to simplify app development. It’s an excellent tool that’s utilized by anyone from individuals and small businesses to large enterprises.

Unfortunately, some with a lack of understanding of digital certificates and how they work accidentally use self-signed certificates with Docker. As discussed above, this is an app-breaking issue for public-facing operations. If a user attempts to use a self-signed certificate, they will experience the x509 error indicating that they lack trusted certificates.

Some smaller operations may not have the resources to utilize certificates from a trusted CA. Configuring, provisioning, and managing certificates is no simple endeavor and can be costly if improperly handled. Of course, if an organization needs to use certificates for a publicly used app, their hands are tied. What is the best option available to add an easy-to-use certificate authority that can be used to check against and certify SSL connections?

Solutions for “x509 Certificate Signed by Unknown Authority” in Docker

  1. Perhaps the most direct solution to the issue of invalid certificates is to purchase an SSL certificate from a public CA. Public CAs, such as DigiCert and Entrust, are recognized by major web browsers and operating systems as legitimate. This is codified by including them in the root store of devices and browsers, a preconfigured list of trusted root certificates.
  2. If you’d prefer to continue down the path of DIY, check out this Docker forum post detailing a successful attempt to configure your own CA and issue certificates from it. You’ll still end up with self-signed certs inappropriate for SSL, but the error should be resolved.

Introduction

If you are trying to pull a container from a Docker registry and run into the error “Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority”, we hope this guide helps you solve the problem.

We assume you already have SSL certificates ready, because this guide does not cover creating them.

Step 1: Install ca-certificates

I am working on a CentOS 7 server.

Run the following command to install ca-certificates:

sudo yum check-update ca-certificates; (($?==100)) && sudo yum update ca-certificates || sudo yum -y reinstall ca-certificates

Step 2: Create a directory in /etc/docker/certs.d

Docker recommends placing certificates in /etc/docker/certs.d.

If you use a private registry, follow the same pattern.

sudo mkdir -p /etc/docker/certs.d/registry-1.docker.io:443 

Step 3: Copy the SSL certificates

Now copy your SSL certificates into the directory you created.

sudo cp CA.crt /etc/docker/certs.d/registry-1.docker.io:443/
sudo cp server.crt /etc/docker/certs.d/registry-1.docker.io:443/
sudo cp server.key /etc/docker/certs.d/registry-1.docker.io:443/

Step 4: Restart Docker

Restart the Docker service:

sudo systemctl restart docker

You should now be able to pull your images:

$ sudo docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
89d9c30c1d48: Extracting [=============>                          ]
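Docker reads a registry's directory under certs.d by file extension: *.crt files are CA roots, while *.cert and *.key files form a client certificate pair that must share a basename. The check below is an added example, not part of the original guide; the function names and the temporary directory layouts are constructed for illustration.

```python
import tempfile
from pathlib import Path


def check_registry_dir(certs_d, registry):
    """Return a list of problems with certs_d/<registry>/ as Docker reads it.

    `registry` is the host[:port] exactly as it appears in the image name.
    """
    reg_dir = Path(certs_d) / registry
    if not reg_dir.is_dir():
        return [f"missing directory {reg_dir.name}"]
    names = {p.name for p in reg_dir.iterdir()}
    problems = []
    if not any(n.endswith(".crt") for n in names):
        problems.append("no *.crt CA file")
    for n in sorted(names):
        # A client key or client certificate without its partner is rejected.
        if n.endswith(".key") and n[:-4] + ".cert" not in names:
            problems.append(f"{n} has no matching {n[:-4]}.cert")
        if n.endswith(".cert") and n[:-5] + ".key" not in names:
            problems.append(f"{n} has no matching {n[:-5]}.key")
    return problems


def demo():
    """Build constructed layouts in a temporary directory and check them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "my-registry.example.com:5000"
        good.mkdir()
        (good / "ca.crt").write_text("constructed placeholder")
        # Constructed layout holding CA.crt, server.crt and server.key,
        # the file names used in the copy step above.
        copied = Path(tmp) / "registry-1.docker.io:443"
        copied.mkdir()
        for name in ("CA.crt", "server.crt", "server.key"):
            (copied / name).write_text("constructed placeholder")
        return {
            "good": check_registry_dir(tmp, good.name),
            "copied": check_registry_dir(tmp, copied.name),
            "absent": check_registry_dir(tmp, "docker.domain.com"),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems)
```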

Problem scenario
When you use docker login from a client server, you are challenged for credentials. But after you enter the password and press Enter, you get this error: "Error response from daemon: Get https://: x509: certificate signed by unknown authority"

You are not logged in to the Docker registry. How do you get around this problem so you can log in to the Docker registry?

Solution
Use one solution or the other. Do not use both solutions!

Possible solution #1 (less secure method; good for when no one else has access to the Docker registry server and it is just for learning)
1.  On the client server, back up /etc/default/docker (if it is an important server or if you are very concerned).  Then modify this file.

Add this line to the file (but replace "FQDNofDockerRegistryServer" with the FQDN of the Docker registry server):

DOCKER_OPTS="--insecure-registry FQDNofDockerRegistryServer:443"

2.  Restart the Docker services on this client:

sudo service docker restart

3.  Now try docker login again.

Possible solution #2 (more secure method; preferable when you have access to the Docker registry server)
1.  On the client server, back up /etc/ssl/certs/ca-certificates.crt

2.  Copy this file from the Docker registry server: /etc/ssl/certs/ca-certificates.crt

3.  On the client server, delete the /etc/ssl/certs/ca-certificates.crt file, then place the copy from the Docker registry server at the same location under the same name. In other words, overwrite the original /etc/ssl/certs/ca-certificates.crt file on the client server with the copy from the Docker registry server.

4.  Restart the Docker services on this client: sudo service docker restart

5.  Now try docker login again.


Solution for Docker Registry Error: certificate signed by unknown authority

If you are running a private Docker Registry, the Docker ecosystem makes it very difficult to run without SSL in place. Even though the out-of-the-box Docker Registry container runs without SSL, over HTTP, many things won’t work properly, or at least easily, without installing SSL certificates.

You can learn how to configure the registry server docker container to use your SSL certs here:  https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry

If, like me, you are using self-signed SSL certificates, then docker will still complain about the certificates being signed by unknown authority.  You will get errors on push and pull actions that look like this:

x509: certificate signed by unknown authority

If you can, I strongly recommend using an SSL certificate issued by a major certificate authority as it will save you a lot of headaches. If you can’t, you’ll need to tell any Docker engine which connects to the Docker Registry that the Registry can be trusted even though it’s not “secure” (due to the self-signed SSL certs).

You can, in theory, add your certs or your personal CA to the trusted store of your servers, and docker images (if you’re doing any Docker-in-Docker), but for me it was much easier to simply tell docker to trust the Registry.

You’ll need to add an entry to /etc/docker/daemon.json.  If the file doesn’t exist, you can create it.  Then add the following:

{ "insecure-registries" : ["server.hostname.com:5443"] }

Replace “server.hostname.com” with your Docker Registry instance hostname, and the port “5443”, with the port your Docker Registry is running on.

Then restart the docker daemon:

service docker restart

Now your registry commands should work without errors!!!
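An entry in insecure-registries (or the --insecure-registry option shown earlier) makes Docker ignore certificate errors for that registry and fall back to plain HTTP if HTTPS is unavailable, so it helps to know which images are pulled that way. The audit below is an added example, not code from the original post; the function names, the CIDR entry and the image list are constructed.

```python
import json


def registry_of(image_ref):
    """host[:port] of an image reference, or None when it defaults to Docker Hub.

    Simplified form of Docker's rule: the first path component is a registry
    only if it contains '.' or ':' or equals 'localhost'.
    """
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def unverified_pulls(daemon_json_text, image_refs):
    """Return (images pulled without certificate verification, CIDR entries).

    Only exact host[:port] entries are matched against the image list; CIDR
    entries are returned separately because they cover every host in a range
    and need a manual look.
    """
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    entries = config.get("insecure-registries", [])
    cidrs = [e for e in entries if "/" in e]
    exact = {e.lower() for e in entries if "/" not in e}
    hits = [r for r in image_refs if (registry_of(r) or "").lower() in exact]
    return hits, cidrs


# Constructed input modelled on the daemon.json entry shown above.
SAMPLE_DAEMON_JSON = (
    '{ "insecure-registries" : ["server.hostname.com:5443", "10.0.0.0/8"] }'
)
SAMPLE_IMAGES = [
    "server.hostname.com:5443/team/app:1.0",     # listed: verification is off
    "server.hostname.com/team/app:1.0",          # other port: still verified
    "my-registry.example.com:5000/base:latest",  # not listed
    "alpine",                                    # Docker Hub
]

if __name__ == "__main__":
    hits, cidrs = unverified_pulls(SAMPLE_DAEMON_JSON, SAMPLE_IMAGES)
    print("unverified:", hits)
    print("CIDR entries to review:", cidrs)
```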
