Machine: feature request: renew client certificate

Created on 14 Feb 2018 · 9 Comments · Source: docker/machine

regenerate-certs is there for server certs, but I could not find a way to regenerate my expired client certificate. I walked through the issue on stack overflow. Seems like it would be a relatively common problem, or will be soon. I would expect the interface to be like the typical docker-compose regenerate-client-cert.

Summary:

docker-machine unexpectedly reports expired cert. Server certs are not expired. Client cert is:

$ docker-machine ls 
NAME            ACTIVE   DRIVER         STATE     URL                          SWARM   DOCKER    ERRORS
foo          -        digitalocean   Running   tcp://x.x.x.x:2376           Unknown   Unable to query docker version: Get https://165.227.213.201:2376/v1.15/version: x509: certificate has expired or is not yet valid

$ openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c5:2a:9f:bf:d4:73:51:ce:c8:09:37:2b:8f:fb:9d:0b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=whatevs
        Validity
            Not Before: Feb 27 22:12:00 2015 GMT
            Not After : Feb 11 22:12:00 2018 GMT

All 9 comments

Yes please, this is maddening. I guess not a lot of people have been using machine since 2015 ;-). Docker commands report this, which I assumed meant the server cert was expired:

error during connect: Get https://docker.example.com:2376/v1.36/containers/myproject_myservice_1/json: x509: certificate has expired or is not yet valid

What to do meanwhile? My certs have just expired.
Can I just regenerate cert.pem and ca.pem with openssl? Any specifics to consider?

btw, that docker machine was created less than a year ago (stat says ca.pem was created on 1st April 2017). But the certificates have:

notBefore=Mar 13 03:22:00 2015 GMT
notAfter=Feb 25 03:22:00 2018 GMT

which are strange dates for that moment, and maybe there is another bug that leads to past dates.

Suddenly today I am also getting this error in all my machines. Regenerate certs does not help either, any suggestions?

@shin- Thank you.

It seems it's not a particular machine certificate, but the root certificate that is from 2015:

$ openssl x509 -in ~/.docker/machine/ca.pem -noout -dates
notBefore=Mar 13 03:22:00 2015 GMT
notAfter=Feb 25 03:22:00 2018 GMT

That date looks like the first use of docker on that machine, so probably a correct date. I just expected that the certificate would be different for new remotes; I guess it was copied as is?

Anyway, I'm trying to regenerate it using --client-certs without luck so far. Now I'm stuck with "Too many retries waiting for SSH to be available. Last error: Maximum number of retries (60) exceeded", which is crazy because SSH works perfectly to that machine. Not sure it's related to the current issue, probably a different one.

Ok, I figured out the issue with SSH (forgot to specify --generic-ssh-user) and can confirm that --client-certs doesn't help:

$ docker-machine regenerate-certs --client-certs beasts
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Regenerating local certificates
Waiting for SSH to be available...
Detecting the provisioner...
Installing Docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...

$ docker-machine env beasts
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.1.24:2376": x509: certificate has expired or is not yet valid
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.

$ docker-machine version
docker-machine version 0.14.0-rc1, build e918c74

$ openssl x509 -in ~/.docker/machine/machines/beasts/cert.pem -noout -dates
notBefore=Mar 13 03:22:00 2015 GMT
notAfter=Feb 25 03:22:00 2018 GMT

Any other way to regenerate certificates?
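Added example, not code from docker/machine and not from any commenter in this thread: a small Python script that runs the same openssl x509 -noout -dates check the comments above use, but over the CA (ca.pem), the machine's client certificate (cert.pem) and its server certificate in one pass, parses the notBefore/notAfter lines and reports which of the three is expired. The machine name "beasts", the ~/.docker/machine layout and the server.pem location are assumptions; the sample output embedded in the script is the ca.pem dates posted above, and the reference instants are constructed for illustration.

```python
"""Report which docker-machine TLS certificates are expired.

Added example for this thread, not code from docker/machine or from any
commenter. It runs the same 'openssl x509 -noout -dates' check the thread
uses, but over the CA, the client cert and the server cert in one pass,
so the three possible culprits can be told apart before regenerating.

Assumptions: the standard ~/.docker/machine layout, a machine named
"beasts" as in the thread, and a server certificate at
machines/<name>/server.pem.
"""
import os
import re
import subprocess
from datetime import datetime, timezone

MACHINE_NAME = "beasts"  # assumption: machine name used in the thread

# Constructed sample: the ca.pem dates a commenter posted in this thread.
SAMPLE_CA_OUTPUT = (
    "notBefore=Mar 13 03:22:00 2015 GMT\n"
    "notAfter=Feb 25 03:22:00 2018 GMT\n"
)
# Constructed reference instants for evaluating the sample.
AS_OF_BEFORE_ISSUE = datetime(2015, 1, 1, tzinfo=timezone.utc)      # before notBefore
AS_OF_MACHINE_CREATED = datetime(2017, 4, 1, tzinfo=timezone.utc)   # commenter's creation date
AS_OF_FIVE_DAYS_LEFT = datetime(2018, 2, 20, tzinfo=timezone.utc)   # shortly before expiry
AS_OF_AFTER_EXPIRY = datetime(2018, 3, 1, tzinfo=timezone.utc)      # after notAfter

_DATE_FMT = "%b %d %H:%M:%S %Y"
_LINE_RE = re.compile(r"^\s*(notBefore|notAfter)=(.+?)\s*$")


def parse_openssl_dates(text):
    """Turn openssl's notBefore/notAfter lines into UTC datetimes."""
    found = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = " ".join(m.group(2).split())  # openssl pads single-digit days with a space
        if raw.endswith(" GMT"):
            raw = raw[:-4]
        found[m.group(1)] = datetime.strptime(raw, _DATE_FMT).replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("openssl output lacks notBefore/notAfter lines")
    return found["notBefore"], found["notAfter"]


def cert_status(text, now=None):
    """Classify one certificate as 'valid', 'expired' or 'not yet valid'."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_openssl_dates(text)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def days_remaining(text, now=None):
    """Whole days until notAfter (negative once the certificate has expired)."""
    now = now or datetime.now(timezone.utc)
    _, not_after = parse_openssl_dates(text)
    return (not_after - now).days


def openssl_dates(path):
    """Run 'openssl x509 -noout -dates' on a PEM file and return its output."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-dates"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def default_cert_paths(machine=MACHINE_NAME, home=None):
    """Paths of the three certificates involved in a docker-machine TLS setup."""
    base = os.path.join(home or os.path.expanduser("~"), ".docker", "machine")
    machine_dir = os.path.join(base, "machines", machine)
    return {
        "CA (ca.pem)": os.path.join(base, "ca.pem"),
        "client (cert.pem)": os.path.join(machine_dir, "cert.pem"),
        "server (server.pem)": os.path.join(machine_dir, "server.pem"),  # assumed location
    }


def check_machine_certs(paths=None, now=None):
    """Map each label to 'missing', 'valid', 'expired' or 'not yet valid'."""
    report = {}
    for label, path in (paths or default_cert_paths()).items():
        if not os.path.isfile(path):
            report[label] = "missing"
            continue
        report[label] = cert_status(openssl_dates(path), now)
    return report


if __name__ == "__main__":
    print("thread's ca.pem sample, as of 2018-03-01:",
          cert_status(SAMPLE_CA_OUTPUT, AS_OF_AFTER_EXPIRY))
    for label, status in check_machine_certs().items():
        print(f"{label}: {status}")
```

Read the CA line first: if ca.pem reports "expired", every certificate it signed fails chain validation even when the leaf's own dates are fine, which is consistent with the "certificate has expired" error surviving a client-cert regeneration in the output above. Running the script on a schedule with days_remaining below some threshold gives an early warning instead of the surprise the commenters describe.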

@shin- thank you, it helped
