24

Doing a `docker-machine ls`, I got the unexpected `Unable to query docker version: Get https://x.x.x.x:2376/v1.15/version: x509: certificate has expired or is not yet valid` for every machine.

I hadn't done anything recently. Looking on SO, I tried some common culprits: VPN, virus, weird clock issues, etc. None of that applied. How can I make them useable again (via the docker-machine interface)?

Using Docker for Mac, 17.12.0-ce-49

rubyisbeautiful

3 Answers

40

Update - as I commented on 2/14/2018, this is now part of docker-machine.
Try: docker-machine regenerate-certs --client-certs

Historical answer below:


First, docker-machine regenerate-certs does NOT regenerate the client certificate(s).

After poking around with openssl I discovered that it was actually the client certificate that had expired. Verify:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text | grep "Not After"

I tried recreating the certs in situ with the same ca.pem but it didn't work out (for me). I'm guessing it would have eventually worked, given a lot more time and trial and error.

What eventually worked was backing up the whole dir, creating a dummy throwaway machine (to force docker-machine to create new certs), moving configs, ssh keys, and server certificates (not client certificates), then issuing a regenerate for each machine. NB, it's disruptive and painful. As the warning shows, docker-machine regenerate-certs will restart docker on the target machine. Though it's too late for me, I would like to see a better answer.

The process looks something like:

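#!/bin/bash
# Rebuild the docker-machine store so that fresh client certs get generated.

cd ~/.docker || exit
cp -R machine machine.bak
rm -rf machine
# A throwaway machine forces docker-machine to create new certs
docker-machine create deleteme
docker-machine rm -f deleteme
cd machine/machines || exit

for d in ~/.docker/machine.bak/machines/*/
do
    m=$(basename "$d")
    # Restore config, ssh keys and server certificates from the backup
    cp -R "../../machine.bak/machines/$m" .
    # Swap the old client cert and key for the newly generated ones
    rm "$m/cert.pem"
    rm "$m/key.pem"
    cp ../certs/cert.pem "$m"
    cp ../certs/key.pem "$m"
    # This restarts docker on the target machine
    docker-machine regenerate-certs -f "$m"
done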
Alexander Azarov
rubyisbeautiful
  • 2
    This was fixed in `docker-machine` master today, and should be useable as `docker-machine --regenerate-certs --client-certs` when the release is out. https://github.com/docker/machine/issues/4397 – rubyisbeautiful Feb 21 '18 at 03:20
  • 1
    why cp & rm if you can simply do mv? :) – Oduvan Sep 10 '18 at 19:05
  • 1
    Ha I don't remember why I did it that way. Maybe I was trying to do it safely at first? Or there might have been a good reason. I'm glad it helped anyway! – rubyisbeautiful Sep 11 '18 at 21:28
  • 2
    This wonderful suggestion worked for me! If only the error message had had the correct suggestion: ` Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": x509: certificate has expired or is not yet valid You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.` – qu1j0t3 Jul 25 '19 at 23:04
22

Try:

docker-machine regenerate-certs --client-certs <machine name>

The --client-certs is important.

Note:

The validity can be inspected by running:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text -noout | less

The result is something like:

 Certificate:
     Data:
     ...
     Signature Algorithm: sha256WithRSAEncryption
         ...
         Validity
             Not Before: Mar 12 09:03:00 2018 GMT
             Not After : Feb 24 09:03:00 2021 GMT
     ...
skytteren
  • 1
    I just saw that this was also commented above. I still believe that the validity inspection adds value. – skytteren Mar 12 '18 at 09:31
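The two answers above check `cert.pem` by eye; the sketch below is an added example (not code from the answers or from docker-machine) that classifies every certificate in the store with `openssl x509 -checkend`, so you can tell whether the client certificate, the CA, or a machine's server certificate is the one that lapsed. The function names, the 30-day default window, and the `machines/<name>/server.pem` location are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify docker-machine certificates by expiry.
# Assumed layout: $store/certs/{ca,cert}.pem and $store/machines/<name>/server.pem

# cert_state FILE [WINDOW_SECONDS]
# Prints one of: missing | unreadable | expired | expiring | valid
cert_state() {
    file=$1
    window=${2:-2592000}    # default warning window: 30 days (arbitrary choice)
    [ -f "$file" ] || { echo missing; return 0; }
    # With -noout and no print option, openssl only parses the certificate
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero if the cert expires within N seconds
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$window" -in "$file" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# audit_machine_certs [STORE] [WINDOW_SECONDS]
# Prints "<state> <notAfter> <path>" per certificate; returns 1 if any is expired.
audit_machine_certs() {
    store=${1:-$HOME/.docker/machine}
    win=${2:-2592000}
    rc=0
    for pem in "$store/certs/ca.pem" "$store/certs/cert.pem" \
               "$store"/machines/*/server.pem; do
        case $pem in *'*'*) continue ;; esac    # glob matched no machines
        state=$(cert_state "$pem" "$win")
        end=$(openssl x509 -noout -enddate -in "$pem" 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$state" "${end:-n/a}" "$pem"
        if [ "$state" = expired ]; then rc=1; fi
    done
    return "$rc"
}

# Run the audit only when the script is given arguments, e.g.:
#   sh audit-certs.sh ~/.docker/machine 604800
if [ "$#" -gt 0 ]; then audit_machine_certs "$@"; fi
```

If only `certs/cert.pem` reports `expired`, that points at the client certificate, which is the case `regenerate-certs --client-certs` addresses.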
0

I wasn't able to solve my problem with the above solutions. So I just removed my machines and the corresponding folder with the certs and I was able to correctly create my machine:

docker-machine rm -y $(docker-machine ls -q)
rm -rf ~/.docker/machine
Romain