
How to add private registry certs to Docker Machine

I upgraded my Mac (OS X) from an older Docker installation to Docker Toolbox, meaning that I'm now working with Docker Machine, and in the process discovered that certs I had working for push/pull with a private registry are not there, and I can't for the life of me figure out how to get them in place. At the moment when I try a test pull I get the dreaded x509: certificate signed by unknown authority error. I've searched around, looked at issues in GitHub, but nothing has worked for me. I even tried ssh'ing into the machine VM and manually copying them into /etc/ssl/certs, and various other things, with no luck. And I certainly don't want to get into the "insecure-registry" stuff. This used to work with boot2docker prior to moving to docker-machine.

This seems like a very simple question: I have a couple of .crt files that I need put in the right place so that I can do a push/pull. How does one do this? And secondarily, how can this not be documented anywhere? Can we wish for a docker-machine add-cert command someday?

Thanks for any help, and I hope a good answer here can stick around to assist others who run into this.

Masonoise asked Feb 25 '16 21:02


2 Answers

Okay so let's imagine I have a registry running at the address: 192.168.188.190:5000 and I have a proper certificate for this address.

I would now run the following commands to install the root certificate into my machine:

    docker-machine scp ./dockerCA.crt $MACHINE_NAME:dockerCA.crt
    docker-machine ssh $MACHINE_NAME sudo mkdir -p /etc/docker/certs.d/192.168.188.190:5000
    docker-machine ssh $MACHINE_NAME sudo mv dockerCA.crt /etc/docker/certs.d/192.168.188.190:5000/dockerCA.crt

Set the variable MACHINE_NAME to whatever the name of your machine is. The machine will now trust your root certificate.

ShrimpPhaser answered Nov 15 '22 04:11
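
The three commands from the answer above, wrapped in a guarded shell function, as an added example that is not part of the original answer. It rejects registry addresses that are not a bare host[:port], refuses files that are not PEM certificates or that contain a private key, and can pin the CA's SHA-256 fingerprint before the machine is told to trust it. `DOCKER_MACHINE`, `EXPECTED_SHA256`, the function names and the `registry-ca.crt` staging name are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: guarded wrapper around the docker-machine scp/ssh steps.
# DOCKER_MACHINE and EXPECTED_SHA256 are names made up for this sketch.
DOCKER_MACHINE="${DOCKER_MACHINE:-docker-machine}"

# A certs.d directory name must be exactly the host[:port] used in image
# names: no scheme, no path. Prints the directory, or fails.
certs_dir_for() {
  case "$1" in
    ""|*://*|*/*|*" "*) return 1 ;;
  esac
  printf '/etc/docker/certs.d/%s\n' "$1"
}

# Sanity check: a readable PEM certificate that carries no private key.
is_pem_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
    && ! grep -q 'PRIVATE KEY-----' "$1"
}

# SHA-256 fingerprint as lowercase hex without colons (needs openssl).
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# install_registry_ca MACHINE REGISTRY CA_FILE
# Docker treats every *.crt file in the registry's certs.d directory as a
# CA root, so the destination is named ca.crt here.
install_registry_ca() {
  machine=$1 registry=$2 ca=$3
  dir=$(certs_dir_for "$registry") ||
    { echo "bad registry address: $registry" >&2; return 2; }
  is_pem_cert "$ca" ||
    { echo "not a PEM certificate: $ca" >&2; return 3; }
  # Optional pin: compare against a fingerprint obtained out of band.
  if [ -n "${EXPECTED_SHA256:-}" ] &&
     [ "$(cert_sha256 "$ca")" != "$EXPECTED_SHA256" ]; then
    echo "fingerprint mismatch, refusing to trust $ca" >&2; return 4
  fi
  "$DOCKER_MACHINE" scp "$ca" "$machine:registry-ca.crt" &&
  "$DOCKER_MACHINE" ssh "$machine" sudo mkdir -p "$dir" &&
  "$DOCKER_MACHINE" ssh "$machine" sudo mv registry-ca.crt "$dir/ca.crt"
}
```

Setting `DOCKER_MACHINE=echo` before calling `install_registry_ca` prints the commands instead of running them.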


Having the same issue, I read the Documentation in Docker on how to add a certificate to my computer. As you mentioned that you are on an updated Mac OS X, proceed by doing the following:

  1. Copy the cert file from your docker registry to your hard drive, e.g.

    scp [email protected]:/path/to/crt/domain.crt /tmp/domain.crt

  2. Add the certificate to your trusted certificates using the following command:

    sudo security add-trusted-cert -d -r trustRoot \
         -k /Library/Keychains/System.keychain /tmp/domain.crt

Restart your local docker handler and now you should be able to upload your local Docker images to the Docker registry.

If you are running on any other operating systems please check this site on how to add trusted root certificates.

dirbacke answered Nov 15 '22 06:11