docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

Docker-Desktop does not handle firewall CA certs (but it claims it should work.) #10995

Closed DaveB93 closed 2 years ago

DaveB93 commented 3 years ago

Actual behavior

My IT department has put in a firewall, which is deliberately doing a MITM attack for SSL requests. If I try to install docker containers, or kubernetes, without putting exceptions in the firewall, docker gets an error because of the self-signed certificate. Inside my own containers, I can add the firewall's CA cert and run update-ca-certificates, and they work, but even though your documentation seems to indicate you're doing this as well, it does not seem to be working. It looks like if you update wget to the latest busybox version you can tell it to use openssl on the system, which would allow this to work.

U:\>docker pull gcr.io/google_containers/kube-apiserver-amd64:v1.7.2
v1.7.2: Pulling from google_containers/kube-apiserver-amd64
d83a783b3049: Pulling fs layer
40253bce72bb: Pulling fs layer
error pulling image configuration: Get https://storage.googleapis.com/artifacts.google-containers.appspot.com/containers/images/sha256:4935105a20b1c8236e46f3c02621311edfb9c423b801b961a8554595fe28034e: EOF

from AppData\local\docker\log.txt

[09:43:21.073][ApiProxy          ][Info   ] msg="proxy >> POST /v1.41/images/create?fromImage=gcr.io%2Fgoogle_containers%2Fkube-apiserver-amd64&tag=v1.7.2\n"
[09:43:21.158][VpnKit            ][Info   ] vpnkit.exe: Connected Ethernet interface f6:16:36:bc:f9:c6
[09:43:21.158][VpnKit            ][Info   ] vpnkit.exe: UDP interface connected on 74.125.142.82
[09:43:22.463][VpnKit            ][Info   ] vpnkit.exe: Connected Ethernet interface f6:16:36:bc:f9:c6
[09:43:22.463][VpnKit            ][Info   ] vpnkit.exe: UDP interface connected on 172.217.5.112
[09:43:23.607][ApiProxy          ][Info   ] msg="proxy << POST /v1.41/images/create?fromImage=gcr.io%2Fgoogle_containers%2Fkube-apiserver-amd64&tag=v1.7.2 (2.5346015s)\n"
[09:43:23.618][GoBackendProcess  ][Info   ] msg="received new cli usage: {Command:pull Context:moby Status:failure Source:cli}"
[09:43:23.621][LoggingMessageHandler][Info   ] [991d0cfb] <Server start> POST http://unix/usage/cli
[09:43:23.621][LoggingMessageHandler][Info   ] [991d0cfb] <Server end> POST http://unix/usage/cli -> 200 OK (took 0ms)
[09:43:23.621][GoBackendProcess  ][Info   ] msg="cli: POST /usage 200 \"Go-http-client/1.1\" \"\""

Expected behavior

There should be a way to add trusted ca certs to docker desktop, so that it can work behind a firewall.

e.g. adding a trusted certificate to the windows certificate store and restarting docker-desktop should bring the certificates into docker-desktop, and docker desktop's wget should use those certificates.

Information

According to https://docs.docker.com/docker-for-windows/#how-do-i-add-custom-ca-certificates it's implied that if I have a certificate in my Windows trust store, it will be added to the CA certs for docker-desktop. This doesn't seem to be the case; however, I do see the desired certificates in C:\Users\~\AppData\Local\Docker\vm-config. The version of BusyBox wget in docker desktop does not have openssl support to use the system certificate store.

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar 2 20:15:47 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

  - WSL2 or Hyper-V backend? WSL2
  - Are you running inside a virtualized Windows e.g. on a cloud server or a VM: no

Steps to reproduce the behavior

  1. install windows docker behind a palo-alto firewall
  2. attempt to pull anything from a non allowlisted url

stephen-turner commented 3 years ago

Thanks for the report, we'll have a look.

docker-robott commented 3 years ago

Issues go stale after 90 days of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale

DaveB93 commented 3 years ago

/remove-lifecycle stale

docker-robott commented 2 years ago

Issues go stale after 90 days of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale

docker-robott commented 2 years ago

Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle locked