Docker on Windows (Boot2Docker) - certificate signed by unknown authority error

I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self-signed CAs. Thus, the chain ends up like this:

    Company's CA
     |__ Company's Intermediate CA
          |__ Docker Certificate

When I try to run any command, such as:

docker run hello-world 

I get this error:

Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority 

I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?

codependent asked Jul 03 '15 11:07



1 Answer

This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn't until today been able to work out a solution for Docker. The trick is to add the certificates to Docker's cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.

I assume if you've already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you've already done #1 and #2 by way of previous attempts.

  1. Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.

  2. Once you have them saved to a known location, you will want to convert them to PEM format unless you saved them as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.

    openssl x509 -inform der -in certificate.cer -out certificate.pem

  3. Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access. Typically for MS Windows, you'll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.

  4. This step may not be strictly necessary, but it's what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.

    MINGW64:$ docker-machine ssh default
    docker@default:~$ sudo -s
    root@default:/home/docker# mkdir /var/lib/boot2docker/certs
    root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/

  5. Now it's time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven't already, open an SSH connection to the machine, per Step 4.

    touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
    vi /var/lib/boot2docker/bootlocal.sh

    Insert the following and save the file:

    #!/bin/sh
    mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d

  6. Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:

    docker-machine restart default 

Now you should be able to run 'hello-world' and others. I hope this helps.


Sources

[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem

[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043

Aaron Helton answered Sep 29 '22 22:09

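The certificate-staging part of the answer above (steps 2 to 5) as one added Python example; this is not code from the original post or from boot2docker. It takes a folder of browser exports in either format the answer mentions (binary DER `.cer` or Base-64 `.cer`), produces the PEM files that `openssl x509 -inform der` would produce, writes the same `bootlocal.sh` the answer uses, and additionally returns the SHA-256 fingerprint of each certificate so you can compare it against the fingerprint shown in the browser's certificate dialog before trusting the file. The directory names `exported` and `boot2docker`, the `demo()` helper and the 8-byte `SAMPLE_DER` are constructed stand-ins (the sample bytes are a bare ASN.1 SEQUENCE, not a real certificate); on a real host you would call `stage_certs` with `/c/Users/<you>/certs` and `/var/lib/boot2docker` instead.

```python
import base64
import hashlib
import os
import tempfile

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a DER export: an ASN.1 SEQUENCE of two INTEGERs.
# NOT a real certificate; it only exercises the DER/PEM handling below.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

# The script the answer places in /var/lib/boot2docker/bootlocal.sh.
BOOTLOCAL_SH = (
    "#!/bin/sh\n"
    "# boot2docker rebuilds its root filesystem at boot, so re-create the cert dir\n"
    "mkdir -p /etc/docker/certs.d && "
    "cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d\n"
)


def der_to_pem(der):
    """Wrap DER bytes in PEM armor (RFC 7468: base64 body in 64-char lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + "\n"


def pem_to_der(pem):
    """Strip PEM armor and decode the body (tolerates Windows CRLF endings)."""
    start = pem.index(PEM_HEADER) + len(PEM_HEADER)
    end = pem.index(PEM_FOOTER)
    return base64.b64decode("".join(pem[start:end].split()))


def normalize_cert(raw):
    """Accept a DER or Base-64 export; return (pem_text, sha256_fingerprint).

    The fingerprint is formatted like the browser's certificate dialog, so the
    file you are about to trust can be checked against the CA you exported.
    Anything whose DER does not start with a SEQUENCE tag (0x30) is rejected.
    """
    text = raw.decode("ascii", errors="ignore")
    der = pem_to_der(text) if PEM_HEADER in text else raw
    if not der or der[0] != 0x30:
        raise ValueError("not a DER or PEM X.509 certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return der_to_pem(der), fingerprint


def stage_certs(export_dir, persist_dir):
    """Convert every export in export_dir to PEM under persist_dir/certs and
    write persist_dir/bootlocal.sh. Returns {pem_filename: fingerprint}."""
    certs_dir = os.path.join(persist_dir, "certs")
    os.makedirs(certs_dir, exist_ok=True)
    staged = {}
    for name in sorted(os.listdir(export_dir)):
        if not name.lower().endswith((".cer", ".crt", ".der", ".pem")):
            continue
        with open(os.path.join(export_dir, name), "rb") as f:
            pem, fingerprint = normalize_cert(f.read())
        out_name = os.path.splitext(name)[0] + ".pem"
        # newline="\n": a CRLF shebang line would break the script on the VM.
        with open(os.path.join(certs_dir, out_name), "w", newline="\n") as f:
            f.write(pem)
        staged[out_name] = fingerprint
    script = os.path.join(persist_dir, "bootlocal.sh")
    with open(script, "w", newline="\n") as f:
        f.write(BOOTLOCAL_SH)
    os.chmod(script, 0o755)  # the answer's chmod +x
    return staged


def demo():
    """Run the pipeline on constructed inputs in a temp dir that stands in for
    /c/Users/<you>/certs and /var/lib/boot2docker. Returns (staged, script)."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = os.path.join(tmp, "exported")
        persist_dir = os.path.join(tmp, "boot2docker")
        os.makedirs(export_dir)
        # One DER export and one Base-64 export with Windows CRLF line endings.
        with open(os.path.join(export_dir, "corp-root.cer"), "wb") as f:
            f.write(SAMPLE_DER)
        with open(os.path.join(export_dir, "corp-intermediate.cer"), "w",
                  newline="") as f:
            f.write(der_to_pem(SAMPLE_DER).replace("\n", "\r\n"))
        staged = stage_certs(export_dir, persist_dir)
        with open(os.path.join(persist_dir, "bootlocal.sh")) as f:
            return staged, f.read()


if __name__ == "__main__":
    staged, script = demo()
    for name, fingerprint in staged.items():
        print(name, "SHA-256:", fingerprint)
    print(script)
```

Both exports of the same CA yield byte-identical DER and therefore the same fingerprint, which is the check worth doing by hand: if the fingerprint printed here does not match the one in the browser's certificate details, you exported the wrong entry and should not copy the file into the persistent certs directory.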