I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self signed CA's. Thus, the chain ends up like this:
Company's CA
 |__ Company's Intermediate CA
      |__ Docker Certificate
When I try to run any command, such as:
docker run hello-world
I get this error:
Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority
I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?
How to resolve Docker x509: certificate signed by unknown authority error. In order to resolve this error, we have to import the CA certificate in use by the ICP into the system keystore. Then, we have to restart the Docker client for the changes to take effect.
So the solution is simple – install the Root CA certificates on the server. That's it – now the error should be gone. If you don't know the root CA, open the URL that gives you the error in a browser (i.e. Chrome). Click the lock next to the URL and select Certificate (Valid).
This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn't until today been able to work out a solution for Docker. The trick is to add the certificates to Docker's cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.
I assume if you've already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you've already done #1 and #2 by way of previous attempts.
Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.
Once you have them saved to a known location, you will want to convert them to PEM format unless you saved them as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Once you have the .pem files, you will want to copy them to a location your Docker machine has access to. Typically for MS Windows, you'll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.
This step may not be strictly necessary, but it's what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.
MINGW64:$ docker-machine ssh default
docker@default:~$ sudo -s
root@default:/home/docker# mkdir /var/lib/boot2docker/certs
root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
Now it's time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven't already, open an SSH connection to the machine, per Step 4.
touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh
vi /var/lib/boot2docker/bootlocal.sh
Insert the following and save the file:
#!/bin/sh
mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d
Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:
docker-machine restart default
Now you should be able to run 'hello-world' and others. I hope this helps.
Sources
[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem
[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043
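A more defensive bootlocal.sh, added here as an example and not taken from the answer above: it does the DER-to-PEM conversion of step 2 itself, refuses any file that does not parse as an X.509 certificate (so a stray file in the certs directory can never become a trust anchor), and is safe to re-run on every boot. It assumes openssl is present on the boot2docker VM and reuses the answer's source and destination directories; CERT_SRC and CERT_DST are hypothetical overrides for testing.

```shell
#!/bin/sh
# Added example: a more defensive bootlocal.sh than the one in the answer above.
# Assumptions (not from the answer): openssl is available on the boot2docker VM;
# CERT_SRC/CERT_DST may be overridden through the environment for testing.
set -eu
CERT_SRC="${CERT_SRC:-/var/lib/boot2docker/certs}"
CERT_DST="${CERT_DST:-/etc/docker/certs.d}"

# True when FILE carries PEM armour (the Base-64 .cer/.pem export from the browser).
is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
# True when FILE parses as an X.509 certificate in form $2 (der|pem).
# Without openssl only the PEM armour check is possible and DER is refused,
# so an arbitrary stray file can never land in the trust directory.
cert_ok() {
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -inform "$2" -in "$1" -noout >/dev/null 2>&1
  else
    [ "$2" = pem ] && is_pem "$1"
  fi
}
# Install one certificate into CERT_DST as <basename>.pem and print that path.
# Returns 1 and installs nothing when the file does not validate.
install_cert() {
  src="$1"
  name="$(basename "$src")"
  dst="$CERT_DST/${name%.*}.pem"
  mkdir -p "$CERT_DST"
  if is_pem "$src"; then
    cert_ok "$src" pem || return 1
    cp "$src" "$dst"
  else
    cert_ok "$src" der || return 1
    openssl x509 -inform der -in "$src" -out "$dst"   # DER export -> PEM
  fi
  chmod 0644 "$dst"
  printf '%s\n' "$dst"
}
# Install every file in CERT_SRC; skipped files are reported on stderr and
# the number of certificates installed is printed on stdout.
install_all() {
  n=0
  for f in "$CERT_SRC"/*; do
    [ -f "$f" ] || continue
    if install_cert "$f" >/dev/null; then n=$((n + 1)); else echo "skip: $f" >&2; fi
  done
  echo "$n"
}
install_all   # runs at every boot; prints how many CA certificates were installed
```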