Menu
Doing a docker-machine ls a got the unexpected Unable to query docker version: Get https://x.x.x.x:2376/v1.15/version: x509: certificate has expired or is not yet valid for every machine.
I hadn't done anything recently. Looking on SO, I tried some common culprits, VPN, virus, weird clock issues, etc. None of that applied. How can I fix make them useable again (via the docker-machine interface)?
Using Docker for Mac, 17.12.0-ce-49
885
A custom certificate is configured by creating a directory under /etc/docker/certs.
Update - as I commented on 2/14/2018, this is now part of docker-machine.
Try: docker-machine regenerate-certs --client-certs
Historical answer below:
First, docker-machine regenerate-certs does NOT regenerate the client certificate(s).
After poking around with openssl I discovered that it was actually the client certificate that had expired. Verify:
openssl x509 -in ~/.docker/machine/certs/cert.pem -text | grep "Not After"
I tried recreating the certs in situ with the same ca.pem but it didn't work out (for me). I'm guessing it would have eventually worked, given a lot more time and trial and error.
What eventually worked was backing up the whole dir, creating a dummy throwaway machine (to force docker-machine to create new certs), moving configs, ssh keys, and server certificates (not client certificates), then issuing a regenerate for each machine. NB, it's disruptive and painful. As the warning shows, docker-machine regenerate-certs will restart docker on the target machine. Though it's too late for me, I would like to see a better answer.
The process looks something like:
#!/bin/bash cd ~/.docker || exit cp -R machine machine.bak rm -rf machine docker-machine create deleteme docker-machine rm -rf deleteme cd machine/machines || exit for m in $(~/.docker/machine.bak/machines) do cp -R "../../machine.bak/machines/$m" . rm "$m/cert.pem" rm "$m/key.pem" cp certs/cert.pem "$m" cp certs/key.pem "$m" docker-machine regenerate-certs -f done Try:
docker-machine regenerate-certs --client-certs <machine name> The --client-certs is important.
Note:
The validity can be inspected by running:
openssl x509 -in ~/.docker/machine/certs/cert.pem -text -noout | less The result is something like:
Certificate: Data: ... Signature Algorithm: sha256WithRSAEncryption ... Validity Not Before: Mar 12 09:03:00 2018 GMT Not After : Feb 24 09:03:00 2021 GMT ... If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
