Machine: `docker-machine regenerate-certs` generates certs in the wrong place

Created on 31 Jul 2018 · 8 comments · Source: docker/machine

I use docker toolbox on MacOS. My certificates have been around for about three years and expired, leading to errors accessing my docker daemon through docker-machine. I saw errors like this when running docker-machine ls:

Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": x509: certificate has expired or is not yet valid

I was able to resolve this error by running docker-machine regenerate-certs --client-certs, but then after running eval $(docker-machine env default) and docker ps I would get a new error:

error during connect: Get https://192.168.99.100:2376/v1.37/containers/json: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "chrisfosterelli")

Looking at the environment variables returned by docker-machine env default:

export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/Users/chrisfosterelli/.docker/machine/machines/default"
export DOCKER_MACHINE_NAME="default"
# Run this command to configure your shell: 
# eval $(docker-machine env)

I can see that it expects my certificates to be in /Users/chrisfosterelli/.docker/machine/machines/default. In this directory, based on timestamps, I could see that regenerate-certs updated config.json, server-key.pem, and server.pem. However, it did not update ca.pem, cert.pem, or key.pem. When I compare ca.pem with what is on the boot2docker machine at /var/lib/boot2docker/, the ca.pem files do not match.

In /Users/chrisfosterelli/.docker/machine/ I found ca.pem, cert.pem, and key.pem files that had been updated by regenerate-certs. I had to manually copy those files into the /Users/chrisfosterelli/.docker/machine/machines/default directory, and now all works fine again.

I'm not sure if this is a bug, a result of migrating this VM over versions, or maybe just a configuration mistake I made. This took a lot of time to debug so I thought I'd post this here in case 1. it's a bug that can be fixed, or 2. it's useful to anyone who encounters a similar issue.
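The mismatch described above (a regenerated CA in one directory, a stale copy in the directory DOCKER_CERT_PATH points at) can be confirmed without guessing from timestamps. The script below is an added diagnostic and not part of the docker/machine project; it assumes openssl is on PATH and the layout described in this thread: the machine-wide CA and client files under ~/.docker/machine/certs, and the per-machine copy under ~/.docker/machine/machines/<name>. It reports expired certificates, a CA fingerprint mismatch between the two directories, and a client cert.pem that does not chain to the ca.pem beside it, which is exactly the "certificate signed by unknown authority" condition.

```shell
#!/bin/sh
# Added diagnostic for the cert-location mix-up described in this issue.
# Not part of docker-machine; assumes `openssl` is on PATH.
# docker-machine keeps the CA and client cert/key in ~/.docker/machine/certs
# and a per-machine copy under ~/.docker/machine/machines/<name>, which is
# the directory DOCKER_CERT_PATH points at. If only one copy was regenerated,
# the two ca.pem files disagree and the daemon rejects the client.

# SHA-256 fingerprint of a PEM certificate (the part after '=').
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Exit status 0 when the certificate is already expired (or unreadable).
cert_expired() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_machine_certs <per-machine dir> <machine-wide certs dir>
# Reports expired certs, a CA mismatch between the two directories, and a
# client cert that does not chain to the CA it sits next to.
# Returns 0 only when everything is consistent.
check_machine_certs() {
    machine_dir=$1
    certs_dir=$2
    status=0

    for f in ca.pem cert.pem server.pem; do
        path="$machine_dir/$f"
        [ -f "$path" ] || continue   # server.pem is not present for every driver
        if cert_expired "$path"; then
            echo "EXPIRED: $path ($(openssl x509 -in "$path" -noout -enddate 2>/dev/null))"
            status=1
        fi
    done

    if [ "$(cert_fingerprint "$machine_dir/ca.pem")" != "$(cert_fingerprint "$certs_dir/ca.pem")" ]; then
        echo "CA MISMATCH: $machine_dir/ca.pem differs from $certs_dir/ca.pem"
        echo "  (regenerate-certs may have refreshed only one of the two copies)"
        status=1
    fi

    if ! openssl verify -CAfile "$machine_dir/ca.pem" "$machine_dir/cert.pem" >/dev/null 2>&1; then
        echo "CHAIN: $machine_dir/cert.pem is not signed by $machine_dir/ca.pem"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $machine_dir is consistent with $certs_dir"
    fi
    return "$status"
}

# Stand-alone usage: sh check-certs.sh ~/.docker/machine/machines/default ~/.docker/machine/certs
if [ "$#" -ge 2 ]; then
    check_machine_certs "$1" "$2"
fi
```

A non-zero exit with a CA MISMATCH line is the state the original post describes; copying ca.pem, cert.pem and key.pem from the machine-wide certs directory into the per-machine directory makes the fingerprints agree and the chain check pass.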

All 8 comments

I had the same problem, and copying the files as described fixed it. Thank you for posting this.
Of course, I can't narrow down the cause any more, as I also migrated the VM over versions and could easily have an error in my configuration.

Yep, same same here - thanks for raising this, saved me a lot of time (and hair!)

Same problem on Windows 7 with Docker toolbox.
Copying files to replace .docker/machine/certs and then restarting the Quickstart terminal resolves this problem.

Same error here. Except that I tried copying files to /Users/<user>/.docker/machine/machines/default and it is still not working. docker-machine env default prints:

export DOCKER_CERT_PATH="C:\Users\<user>\.docker\machine\machines\default"

EDIT: After running eval $(docker-machine env default) it works, but if I restart bash it does not work anymore.

In newer versions of docker toolbox (in my case on Windows 7, docker toolbox v19.03.1) this problem can be fixed using the following command (assuming the reason was an expired ca cert):

$ docker-machine regenerate-certs --client-certs

see also:

https://docs.docker.com/machine/reference/regenerate-certs/

...and a warning:

At least in my case, a docker-machine regenerate-certs default wiped all existing docker containers - even if they were running - and all images. If you want to keep existing containers, you possibly have to resort to ssh into the docker machine (without regenerating certs) and use docker commands from the inside. In any case, back up your docker-machine VMs before upgrading toolbox and/or regenerating certs (if they contain anything worth keeping, that is).

Same issue I am facing but copying is not working for me :(

thanks this helped!
