Docker behind proxy that changes ssl certificate

I am trying to run the following docker command:

docker run -i -t ubuntu /bin/bash

But I get the error:

Unable to find image 'ubuntu' (tag: latest) locally

Pulling repository ubuntu
2013/11/28 14:00:24 Get https://index.docker.io/v1/images/ubuntu/ancestry: x509: certificate signed by unknown authority

I know that our company replaces the SSL Certificate on the fly for https requests.

I tried to trust our company's CA certificate by putting it in:

/etc/pki/tls/certs/ca-bundle.crt

and

/etc/pki/tls/cert.pem

But it is still not working.

Any ideas?

reen asked Nov 28 '13 13:11



2 Answers

@jpetazzo's answer is overall correct; however, there is a nicer way to do the same thing (without manually editing a ca-bundle file):

  • on CentOS:

    sudo cp yourcert.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
    sudo service docker restart

  • on Debian:

    sudo cp yourcert.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
    sudo service docker restart


Note that restarting the docker daemon is necessary!

Sergey Evstifeev answered Oct 17 '22 15:10


According to http://golang.org/src/pkg/crypto/x509/root_unix.go, you should append your certificate to one of the following:

  • /etc/ssl/certs/ca-certificates.crt
  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/ca-bundle.pem
  • /etc/ssl/cert.pem
  • /usr/local/share/certs/ca-root-nss.crt

Find the one that exists on your system, and append your certificate to it.

(And be ready to do it again when you upgrade the package containing that file...)

I hope there is a better method, but this is the only one I found so far :-)

jpetazzo answered Oct 17 '22 15:10
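The "x509: certificate signed by unknown authority" error in the question comes from Go's crypto/x509 verifier, which the Docker client uses with the root bundle files jpetazzo lists (and which the update-ca-trust / update-ca-certificates steps in the other answer regenerate). The Go program below is an added example, not code from this page or from Docker: it constructs a stand-in intercepting-proxy CA and the certificate it would present for index.docker.io, then shows that verification fails with exactly that error until the CA's PEM is part of the trusted bundle. The names issue, BuildProxyChain and TrustedBy are this example's own, and the CA is generated in-process rather than taken from a real proxy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent (nil parent = self-signed CA);
// constructed for this example, a real proxy CA would come from your IT department.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{cn}, // SANs, not CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildProxyChain mimics a TLS-intercepting proxy: it returns the proxy CA as PEM (what
// goes into the OS trust store) and the leaf certificate it presents for host.
func BuildProxyChain(host string) ([]byte, *x509.Certificate) {
	ca, caKey := issue("Corp Intercepting Proxy CA", true, nil, nil)
	leaf, _ := issue(host, false, ca, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf
}

// TrustedBy verifies leaf for host against a PEM bundle the way crypto/x509 does inside
// the Docker client; an empty bundle reproduces "x509: certificate signed by unknown authority".
func TrustedBy(leaf *x509.Certificate, bundlePEM []byte, host string) (bool, error) {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, err
}
```

Adding the CA to the bundle only makes the chain verify; the hostname check still applies, so a proxy certificate issued for one host is not accepted for another.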