Machine: Recommended way to install CA certificate on local VM docker machine

Created on 3 Sep 2015 · 34 comments · Source: docker/machine

Commonly, a company's root CA certificates are installed by IT on developers' machines and servers (they do not come with the OS). When using docker machine with local VMs (VirtualBox), do we need to install the company root CA certificate on the VM to talk to a docker registry hosted on the company's network?

I'm wondering what the recommended way to install a CA certificate on my local VM is. There seems to be the beginning of an answer here, but nothing convincing/proper.

And if there are intermediate company CAs, what's the recommended way? Bundle all the certs?

All 34 comments

I'd also like to know this. I've followed the procedure (https://docs.docker.com/articles/https/) to create a new CA and certificates. I've tried putting files in /var/lib/boot2docker and /var/lib/boot2docker/tls but am having trouble with the /etc/init.d/docker start script overwriting the certificate I've generated.

I've looked into this a bit more and it looks like docker-machine will overwrite anything in the host .docker/machines/machine/default with certificates it generates. It also replaces files in the boot2docker vm in /var/lib/boot2docker. It is possible to login and replace files in the vm and update /var/lib/boot2docker/profile but this is also replaced on startup (not sure by what, but possibly by 'docker-machine env default').

@oobles you should be able to use the --tls-ca-cert, --tls-cert and --tls-key options to specify existing certificates.

When using docker-machine --tls-ca-cert=my_company_ca.pem create --driver virtualbox vm, the command fails with:

Error creating machine: error generating server cert: crypto/tls: private key does not match public key

The point here (and I guess in most companies) is I can't give the --tls-ca-key option because I do not manage the company CA, so I do not know the private key.

What am I missing here? Are those options only useful for people managing their own CA, signing their own certificates?

I just want my docker client (on my VM) to docker login onto our company registry, which shows a certificate signed by the company CA.

Any help?

Same problem here, any improvements?

+1. Same problem in our organisation.

The way I worked around the situation was:
On the Registry Server:

  1. create the self-signed certificates as stated in the docker documentation.
  2. create a .pem file concatenating the key and cert file

On the Docker Machine:

  1. copy the pem file via scp to your [email protected]:/home/docker
  2. via ssh [email protected] (password: tcuser), move the pem file to /var/lib/boot2docker/certs/
  3. Restart the Docker machine

My container builds hit "unable to find valid certification" when downloading over https connections. My company uses an intermediate ZScaler CA root cert and also uses a PAC file to automatically configure the proxy.

+1 on this. If it was possible to re-use an existing CA (cert and key) and client certificates (cert and key), it really should be possible to re-use existing TLS infrastructure when deploying certificates to the docker engine with docker-machine, e.g.

  • --tls-server-cert
  • --tls-server-key

docker-machine create -d ... \
  --tls-ca-cert cacert.pem \
  --tls-ca-key cacert.key \
  --tls-client-cert local_user.pem \
  --tls-client-key local_user.key \
  --tls-server-cert server.pem \
  --tls-server-key server.key

The error

Error creating machine: Error running provisioning: error generating server cert: crypto/tls: failed to parse private key

kicks in for me because cacert.key is password protected.

+1

👍 , as this is a major blocker for us. Our enterprise IT organization puts a custom HTTPS cert on all requests going from inside our corporate firewall to the public internet, so we cannot even contact docker hub for containers without being able to configure these certs correctly.

Has anybody found a solution to this yet? Our enterprise IT does a MitM to replace all HTTPS certs.

When I tried docker-machine --tls-ca-cert root.cer create --driver virtualbox default it throws the following error:

Error creating machine: Error running provisioning: error generating server cert: crypto/tls: private key does not match public key

I ended up skipping the tls cert at machine creation time. After creating the machine:

docker-machine scp certfile default:ca.crt
docker-machine ssh default
sudo mv ~/ca.crt /etc/docker/certs.d/docker.io/ca.crt

Then it should work. You may have to mkdir the subdirectories before the mv command. Substitute docker.io for an internal registry host if necessary.

On Thursday, August 11, 2016, Andy Ruestow [email protected] wrote:

Has anybody found a solution to this yet? Our enterprise IT does a MitM to
replace all HTTPS certs.

When I tried...
docker-machine --tls-ca-cert root.cer create --driver virtualbox default
it throws the following error

Error creating machine: Error running provisioning: error generating
server cert: crypto/tls: private key does not match public key



+1, GE is using Zscaler and doing MitM cert mangling and docker is unusable from all of our developer machines right now.

+1, trying to solve this right now too.

+1, also trying to solve this in a corporate environment

+1 also corporate environment, proxy does MitM cert mangling. Need a way to install certs.

This took a lot of digging and the solution is embarrassingly simple (but not obvious). And there are a couple things to note. The answer was here - but you have to read past the code section to the alternative approach.

Basically, copy pem (Base64 encoded) versions of your CA trust chain into /var/lib/boot2docker/certs/. You can't use ca bundles. The boot2docker boot script will automatically pick up pem files there and add them to the ssl config. Also, this is a special directory and will be preserved across restarts.

$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default

This should be simpler so I support (#1799). Furthermore, we should be able to specify a directory full of pem files so adding multiple certs (as in whole trust chains) is easy.
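A small POSIX shell helper that automates the steps above for a whole trust chain; it is added here as an example and is not part of @rpomeroy's comment or of the docker-machine project. Because the certs directory wants one certificate per .pem file rather than a bundle, the script first splits a concatenated PEM bundle into numbered files, then copies each file into /var/lib/boot2docker/certs/ and restarts the machine so the boot script picks them up. The machine name default, the file prefix corp-ca and the bundle path are assumptions for the example.

```shell
#!/bin/sh
# Install a corporate CA trust chain into a boot2docker machine.
# Example code (not from the issue thread or the docker-machine project).

# split_ca_bundle BUNDLE OUTDIR [PREFIX]
# boot2docker reads one certificate per .pem file from
# /var/lib/boot2docker/certs, so a concatenated bundle must be split first.
# Writes OUTDIR/PREFIX-01.pem, -02.pem, ... and prints the certificate count.
# Anything between certificate blocks (comments, subject lines) is dropped.
split_ca_bundle() {
  bundle="$1"; outdir="$2"; prefix="${3:-corp-ca}"
  mkdir -p "$outdir"
  awk -v dir="$outdir" -v pfx="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%02d.pem", dir, pfx, n) }
    out != ""                     { print > (out) }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# install_ca_chain MACHINE CERTDIR
# Copies every .pem in CERTDIR into the persistent certs directory of the
# named docker-machine VM, then restarts it so the boot script adds them.
install_ca_chain() {
  machine="$1"; certdir="$2"
  docker-machine ssh "$machine" 'sudo mkdir -p /var/lib/boot2docker/certs'
  for f in "$certdir"/*.pem; do
    name=$(basename "$f")
    docker-machine scp "$f" "$machine:$name"
    docker-machine ssh "$machine" "sudo mv '$name' /var/lib/boot2docker/certs/"
  done
  docker-machine restart "$machine"
}

# Usage: sh install-ca.sh corp-bundle.pem [machine]   (assumed file names)
if [ "$#" -ge 1 ]; then
  workdir=$(mktemp -d)
  count=$(split_ca_bundle "$1" "$workdir" corp-ca)
  echo "split bundle into $count certificate file(s)"
  install_ca_chain "${2:-default}" "$workdir"
fi
```

The split step is what makes a multi-level chain (root, intermediate, issuing CA) work with the one-cert-per-file rule; the restart at the end is required because the certs are only read by the boot script.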

@rpomeroy thanks a lot, I was doing all the same but didn't know that VM restart was needed and due to that was copying the certificate all over the place to make it work

Any fix for Docker for Windows?

@rpomeroy Thanks. Is importing the company root CA into our docker machine enough to make our registry accessible? Or do we also need to put stuff in /etc/docker/certs.d/hostname/?

As mentioned earlier in the thread, the Linux distro underneath boot2docker is basically immutable, so putting stuff in /etc/docker/certs won't survive. Only /var/lib/boot2docker/certs is mutable and persistent. Note that all this info may need to be re-verified with newer versions of boot2docker.

I'm running Windows 7 + VirtualBox (v5.2.6) + Docker Toolbox (Boot2Docker version 18.02.-ce) and had the same issue.
For example, when trying to run a container I get the following error:

docker run ubuntu /bin/echo 'Hello world'
Unable to find image 'ubuntu:latest' locally
C:\Program Files\Docker Toolbox\docker.exe: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'C:\Program Files\Docker Toolbox\docker.exe run --help'.

The following solution worked for me:

  1. Login to the default docker VM
  2. Download your Company root certificates
  3. Create a new dir:
    sudo mkdir /var/lib/boot2docker/certs
  4. Copy your Company root certificates to the newly created folder:
    sudo cp Root-Ca1.crt Root-Ca2.crt /var/lib/boot2docker/certs
  5. Reboot default VM
    Now it's pulling the image :)

@kvvoronina I'm facing the same problem as you, except I'm running docker toolbox on Win 8.1.
I'm trying to use your steps, but I'm using a direct connection (meaning I can't provide any company root certificates in steps 2 & 4). How do I solve this? Thanks

Hello,

thanks ghost, it works and I can pull my image now.
But I can't build the image from this example: https://docs.docker.com/get-started/part2/#build-the-app
I get this error:
Step 4/7 : RUN pip install --trusted-host pypi.python.org -r requirements.txt ---> Running in b700eb53b7b2 Collecting Flask (from -r requirements.txt (line 1)) Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAI LED] certificate verify failed (_ssl.c:726)'),)': /simple/flask/
Do you have an issue for that?

Ubel, I'm having the same issue. I got images to pull, but I can't build images using the docker get started walk-through. Were you able to overcome the issue?

@cmenjivar : No, I still have the same problem...

@Ubel: I found a solution, in your Dockerfile, just add all 3 hosted python hosts, instead of just one...

RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org -r requirements.txt

@cmenjivar : thanks for your help. it's working for me too.

Now I need to try the same thing with the nuget package url

Could someone update this for windows host and windows container?

For what it's worth, @rpomeroy has the correct answer...

Issue the following commands in the "Docker Quickstart Terminal" if you are on windows, to ensure you have the appropriate environment. The "$" is the prompt, don't paste that part. You may want to issue a cd ~/Downloads to get to your Downloads folder before running the commands below. You can repeat the two middle steps (corp-ca.pem) for each Certificate Authority you need to add (intermediate or otherwise), just give them a different name. You can also use a wildcard, for example: corp-*.pem if you had corp-ca-root.pem, corp-ca-intermediate.pem and corp-issuing-ca.pem.

copied from @rpomeroy above:

$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default

Folks that are trying to use --tls-cert, --tls-key and --tls-ca-cert are using incorrect options. Those are for authentication between the docker client and server.

The only point I would like to make is that the filesystems in /etc are not "immutable" really, they are actually "ephemeral" (tmpfs), meaning they will go away for each reboot. The information in /var/lib/boot2docker/certs will be repopulated into the correct place in /etc/docker/certs...

Anyhow, it would be nice if the docker-machine would automatically trust any certs that the host system trusts.

For those who maybe left this solution thinking it would only work for the boot2docker setup and not the Docker for Windows (Hyper-V) setup, this (@rpomeroy's solution) also appears to work perfectly. I must have read this thread half a dozen times and dismissed it because it wasn't specific to the Docker for Windows environment.

@rpomeroy's solution works for both boot2docker and Docker for Windows.

I uploaded my company .cer certificates into the /etc/pki/ca-trust/source/anchors directory of my docker container and entered the commands below.

update-ca-trust enable
update-ca-trust

After doing the above steps I could get the required output from curl.
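The container-side fixes in this thread (the update-ca-trust commands just above, and the earlier pip --trusted-host workaround that the build step needed) depend on which distro family the image is built from: RHEL-style images use /etc/pki/ca-trust/source/anchors and update-ca-trust, Debian/Ubuntu/Alpine images use /usr/local/share/ca-certificates and update-ca-certificates (which only picks up files with a .crt extension). The POSIX shell helper below is an added example, not code from any commenter or from Docker: it reads /etc/os-release (the path is a parameter so it can be exercised without a container), picks the matching anchor directory and update command, and installs the CA file there so tools like pip and curl verify the corporate certificate normally. The certificate path and the corp-ca.crt file name are assumptions.

```shell
#!/bin/sh
# Add a corporate CA to a container image's system trust store.
# Example code (not from the issue thread or from Docker); meant to run as
# root inside the container, e.g. from a RUN step after COPYing the CA file.

# ca_tool_for [OS_RELEASE]
# Prints the trust-store update command for the distro family named by the
# ID and ID_LIKE fields of an os-release file; fails for unknown families.
ca_tool_for() {
  osrel="${1:-/etc/os-release}"
  id=$(sed -n 's/^ID=//p' "$osrel" | tr -d '"')
  like=$(sed -n 's/^ID_LIKE=//p' "$osrel" | tr -d '"')
  case " $id $like " in
    *rhel*|*fedora*|*centos*)   echo update-ca-trust ;;
    *debian*|*ubuntu*|*alpine*) echo update-ca-certificates ;;
    *) return 1 ;;
  esac
}

# ca_anchor_dir_for [OS_RELEASE]
# Directory the update command scans for extra anchors. update-ca-certificates
# (Debian/Ubuntu/Alpine) only reads files ending in .crt from this directory.
ca_anchor_dir_for() {
  case "$(ca_tool_for "$1")" in
    update-ca-trust)        echo /etc/pki/ca-trust/source/anchors ;;
    update-ca-certificates) echo /usr/local/share/ca-certificates ;;
    *) return 1 ;;
  esac
}

# install_ca_in_container CERTFILE [OS_RELEASE]
# Copies a PEM certificate into the anchor directory and rebuilds the store.
install_ca_in_container() {
  cert="$1"
  tool=$(ca_tool_for "$2") || { echo "unsupported distro in ${2:-/etc/os-release}" >&2; return 1; }
  dir=$(ca_anchor_dir_for "$2")
  mkdir -p "$dir"
  cp "$cert" "$dir/corp-ca.crt"   # assumed file name; PEM content, .crt extension
  "$tool"
}

# Usage: sh trust-corp-ca.sh /tmp/corp-ca.pem   (assumed path)
if [ "$#" -ge 1 ]; then
  install_ca_in_container "$@"
fi
```

Installing the CA into the image's store keeps certificate verification switched on for every client in the container, whereas --trusted-host only tells pip to stop checking the listed hosts.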

Just chiming in..

Looks like adding both of these mounts on your container seems to work with most configurations:

    volumes:
      - /etc/ssl/certs:/etc/ssl/certs
      - /usr/share/ca-certificates:/usr/share/ca-certificates

Windows is another story... I would avoid using a Windows Docker host if possible.
