Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to fix expired client cert in docker-machine

Tags:

Doing a docker-machine ls a got the unexpected Unable to query docker version: Get https://x.x.x.x:2376/v1.15/version: x509: certificate has expired or is not yet valid for every machine.

I hadn't done anything recently. Looking on SO, I tried some common culprits, VPN, virus, weird clock issues, etc. None of that applied. How can I fix make them useable again (via the docker-machine interface)?

Using Docker for Mac, 17.12.0-ce-49

like image 885
rubyisbeautiful Avatar asked Feb 14 '18 22:02

rubyisbeautiful

People also ask

Where are certificates stored in docker container?

A custom certificate is configured by creating a directory under /etc/docker/certs.

2 Answers

Update - as I commented on 2/14/2018, this is now part of docker-machine.
Try: docker-machine regenerate-certs --client-certs

Historical answer below:

First, docker-machine regenerate-certs does NOT regenerate the client certificate(s).

After poking around with openssl I discovered that it was actually the client certificate that had expired. Verify:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text | grep "Not After"

I tried recreating the certs in situ with the same ca.pem but it didn't work out (for me). I'm guessing it would have eventually worked, given a lot more time and trial and error.

What eventually worked was backing up the whole dir, creating a dummy throwaway machine (to force docker-machine to create new certs), moving configs, ssh keys, and server certificates (not client certificates), then issuing a regenerate for each machine. NB, it's disruptive and painful. As the warning shows, docker-machine regenerate-certs will restart docker on the target machine. Though it's too late for me, I would like to see a better answer.

The process looks something like:

#!/bin/bash  cd ~/.docker || exit cp -R machine machine.bak rm -rf machine docker-machine create deleteme docker-machine rm -rf deleteme cd machine/machines || exit  for m in $(~/.docker/machine.bak/machines) do     cp -R "../../machine.bak/machines/$m" .     rm "$m/cert.pem"     rm "$m/key.pem"     cp certs/cert.pem "$m"     cp certs/key.pem "$m"     docker-machine regenerate-certs -f done
like image 143
rubyisbeautiful Avatar answered Oct 03 '22 04:10

rubyisbeautiful

Try:

docker-machine regenerate-certs --client-certs <machine name>

The --client-certs is important.

Note:

The validity can be inspected by running:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text -noout | less

The result is something like:

 Certificate:      Data:      ...      Signature Algorithm: sha256WithRSAEncryption          ...          Validity              Not Before: Mar 12 09:03:00 2018 GMT              Not After : Feb 24 09:03:00 2021 GMT      ...
like image 37
skytteren Avatar answered Oct 03 '22 04:10

skytteren
Sign in to Comment

Related questions

Filter array of objects by array of ids
Pandas, for each unique value in one column, get unique values in another column
Ignore JWT Bearer token signature (i.e. don't validate token)
Firestore: Invalid package reference in library
How to get Device Id in Xamarin Forms?
How can I add the new android chips dynamically in Android?
Doxygen - Could NOT find FLEX (missing: FLEX_EXECUTABLE)
Change font size in Vuetify based on viewport?
App getting stuck with E/com.facebook.internal.AttributionIdentifiers [duplicate]
How to disable animation for ListAdapter
Flutter - how to get Text widget on widget test
How can I restrict client access to only one group of users in keycloak?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!