
My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.

I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:

orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")

(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)

My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)

That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.

I'm hoping that someone can point me in the right direction.

Edit: I thought that maybe I needed to do something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:

orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer" 
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer

Edit 2: I may have come one step closer to solving this. I should have known better than to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.

Alas, this did not alleviate the ultimate symptom:

FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
pohl
  • The docker daemon doesn't actually run on Mac as it's very Linux specific. I assume you are using Vagrant to start the docker "host" and then communicating with that via sockets. I'd guess with boot2docker. The docker daemon itself can ignore invalid certs (we use a Palo Alto proxy that does this as well). You need to ssh to the docker host VM and edit /etc/default/docker to tell it to ignore bad certs (forget the option, can add it later when I get a chance) – David Budworth Dec 18 '14 at 01:14
  • This: https://medium.com/@deeeet/building-private-docker-registry-with-basic-authentication-with-self-signed-certificate-using-it-e6329085e612 may help. Add your company's root cert they use to sign stuff in the proxy and everything will become valid – David Budworth Dec 18 '14 at 01:17
  • Yes, I'm using "boot2docker up", and the docker daemon is actually running in a Linux VM in VirtualBox. Are you suggesting that I should really be trying to add the cert into that VM? (Or configure it to ignore bad certs like you said). I feel like I've just mistaken the real world for The Matrix. – pohl Dec 18 '14 at 02:34
  • Yes, I'm suggesting you do it in the VirtualBox VM. Either add the cert or disable cert verification. The docker command you run from OS X doesn't actually do anything other than HTTP hit the daemon running in Linux and then display the results. The error you are getting (very likely) comes from the Linux VM and has nothing to do with OS X config – David Budworth Dec 18 '14 at 07:24
  • Is there a file format reference for /etc/default/docker somewhere (I couldn't find one)? The file doesn't exist yet, so I would have to create it. Is there some way to make such changes persist when I stop/start the VM, or am I going to have to script scp'ing the file into place and restarting the docker daemon? – pohl Dec 18 '14 at 19:34
  • It looks like there is a /var/lib/boot2docker/profile file that persists across VM restarts. Maybe that's where I need to put something. I can't find a reference for that either, though. https://github.com/boot2docker/boot2docker – pohl Dec 18 '14 at 20:03

3 Answers


According to the boot2docker README

Insecure Registry

As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.

$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart

then you should be able to do a docker push/pull.
David Budworth
  • Is the public docker registry "insecure"? I thought it requires HTTPS. This feels like an answer to a different question. – pohl Dec 26 '14 at 20:29
  • Not sure if insecure means http or it means invalid cert. In your case, you have an "invalid" cert due to the proxy self-signing stuff. If you have the CA cert, you can (in the boot2docker VM) add it to /etc/ssl/cacerts.pem (look at the format first to make sure your .cer is the same plain text) – David Budworth Dec 26 '14 at 20:58
  • Excellent point. Will have to try this experiment when holiday vacation is over. – pohl Dec 26 '14 at 21:56
  • For what it's worth, I remember now that I had our IT guys not intercept dockerhub as my way of ultimately working around this. May not be possible for you, but if it is, that can save you time. I'll also undo that just to test because now I'm super-curious. – David Budworth Dec 31 '14 at 06:14
  • We were eventually able to convince our IT guys not to MitM dockerhub, too. – pohl Jan 28 '15 at 16:53
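An added example, not code from the question or any answer: the comments above suggest appending the proxy's CA to the VM's CA bundle instead of passing `--insecure-registry`, which turns TLS verification off for that host entirely. This stdlib-only Python script normalises a `.cer` that may be DER or PEM (the "look at the format first" point above) and appends it to the bundle only once, keyed on the SHA-256 of the DER bytes so it is safe to re-run at every VM boot. The bundle path `/etc/ssl/cacerts.pem` is the one named in the comment; whether the daemon in your VM actually reads that file is an assumption to check.

```python
import hashlib
import ssl
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def to_pem(cert_bytes):
    """Return one certificate as PEM text, whether the .cer was DER or PEM."""
    text = cert_bytes.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        start = text.index(PEM_HEADER)
        end = text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
        return text[start:end] + "\n"
    # A binary .cer is DER; ssl wraps the base64 body in PEM armour for us.
    return ssl.DER_cert_to_PEM_cert(cert_bytes)

def fingerprint(pem):
    """SHA-256 of the DER bytes, so differently wrapped PEM still matches."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate block already in the bundle."""
    found, block = set(), []
    for line in bundle_text.splitlines():
        if line.startswith(PEM_HEADER):
            block = [line]
        elif block:
            block.append(line)
            if line.startswith(PEM_FOOTER):
                found.add(fingerprint("\n".join(block) + "\n"))
                block = []
    return found

def merge_ca(cert_bytes, bundle_text):
    """Return (new_bundle_text, changed); idempotent, so safe to run at boot."""
    pem = to_pem(cert_bytes)
    if fingerprint(pem) in bundle_fingerprints(bundle_text):
        return bundle_text, False
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + pem, True

def add_ca_to_bundle(cer_path, bundle_path="/etc/ssl/cacerts.pem"):
    """File wrapper; the default bundle path is the one from the comment (assumed)."""
    bundle = Path(bundle_path)
    existing = bundle.read_text() if bundle.exists() else ""
    merged, changed = merge_ca(Path(cer_path).read_bytes(), existing)
    if changed:
        bundle.write_text(merged)
    return changed
```

Run it inside the VM as root with the .cer as the first argument (`add_ca_to_bundle(sys.argv[1])`), then restart the daemon as the answer shows; only the proxy's CA is trusted, rather than every certificate for the registry host.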

The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:

cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")

is used to find the certificate.

Try adding the .cer file into the OS X certificate keychain.

Intermernet
  • Thank you for the suggestion. I added some edits to my question that show how I managed to do what you suggest (I think). It didn't appear to resolve the problem, though. – pohl Dec 17 '14 at 23:05
  • Try restarting the docker service. You may also want to look at the `--insecure-registry` docker flag, but it's fairly hackish and, as the name suggests, insecure. More info at https://docs.docker.com/reference/commandline/cli/#insecure-registries – Intermernet Dec 17 '14 at 23:17

If you use docker-machine, edit $USER/.docker/machine/machines/default/config.json:

"EngineOptions": {
    "InsecureRegistry": [
        "XXX.XXX.virtual"
    ],
}
wcc526