Closed mgilbir closed 8 years ago
ping @dmcgowan @justincormack
@mgilbir how are you currently trusting the CA with Docker? Adding support for the OSX keychain will not help since the Docker daemon which is opening up the registry requests is not running on OSX. My suggestion if you have a trusted CA for your registry is to add it to the system certificates on the machine running the Docker daemon.
Thanks for taking a look at this.
I'm currently running Docker for Mac Version 1.11.1-beta13.1 (build: 8193). I thought that the docker client was talking directly to the docker registry and as the docker client is running natively on OSX it could access the keychain.
From your message I gather that it needs to talk to the docker daemon that is running in the virtualised OS on xhyve. I have no clue as to how to add trusted system certificates there nor if that's even possible. In any case, the end-user UX is quite confusing.
We are planning to add a configuration interface for adding system certificates on docker for mac soon.
This is also an issue when your company is using SSL inspection i.e. replacing ext. SSL certs at your endpoints with internally issued one.
@justincormack any outlook on when this will be available and/or a workaround for the time being? We have been putting the certs in /etc/docker/certs.d on linux/docker machine. Something similar for docker for mac would be great!
There is a workaround:
cd ~/Library/Containers/com.docker.docker/Data/database/
git reset --hard
cd com.docker.driver.amd64-linux/etc/docker/
mkdir -p certs.d
# add your certs to there
git add certs.d
git commit -m 'add my certs'
Then restart Docker and they should be there and persist.
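As an added example (not code from this thread or the Docker project), the following Python audits a certs.d tree of the kind the Linux daemon reads and the workaround above commits into the VM, using the file names the daemon looks for (*.crt as registry CAs, *.cert client certificates paired with *.key), and includes a curl-style TLS probe for the "certificate signed by unknown authority" symptom. The hostnames and the placeholder files in build_sample_layout() are constructed for the demonstration.

```python
import os, socket, ssl, tempfile
from urllib.parse import urlsplit

CERTS_D = "/etc/docker/certs.d"  # path read by the Linux daemon

def certs_d_dir(registry, root=CERTS_D):
    """Per-registry directory: keyed on host[:port]; scheme and path ignored."""
    ref = registry if "://" in registry else "//" + registry
    return os.path.join(root, urlsplit(ref).netloc)

def audit_certs_d(root=CERTS_D):
    """Return {host: [problems]} using the file names the daemon looks for:
    *.crt as registry CAs, *.cert client certs that must pair with *.key."""
    report = {}
    for host in (sorted(os.listdir(root)) if os.path.isdir(root) else []):
        path = os.path.join(root, host)
        if not os.path.isdir(path):
            continue
        files = os.listdir(path)
        problems = []
        if not any(f.endswith(".crt") for f in files):
            problems.append("no .crt: registry CA not pinned here")
        certs = {f[:-5] for f in files if f.endswith(".cert")}
        keys = {f[:-4] for f in files if f.endswith(".key")}
        problems += [f"unpaired client credential: {n}" for n in sorted(certs ^ keys)]
        report[host] = problems
    return report

def check_registry_tls(host, port=443, cafile=None):
    """Handshake the way curl does; return 'ok' or the verification error text."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        return e.verify_message or str(e)

def build_sample_layout():
    """Constructed certs.d tree (empty placeholder files) for demonstration."""
    root = tempfile.mkdtemp()
    layout = {"reg.example.net:5000": ["ca.crt", "client.cert"],
              "other.example.net": ["ca.crt", "client.cert", "client.key"]}
    for host, names in layout.items():
        os.makedirs(os.path.join(root, host))
        for n in names:
            open(os.path.join(root, host, n), "w").close()
    return root
```

Run audit_certs_d() against the real certs.d inside the VM, and check_registry_tls(host, cafile=...) from the host, to tell a missing CA file apart from a trust store the daemon never sees.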
That still doesn't solve the issue if your organisation has SSL inspection, docker pull still fails for external sources. I'm guessing this will solve it for any internal Docker registry though.
Where would you add additional system SSL CA root certificates to this?
There is now support for using the host SSL CA root certs on Docker for Windows, and the support is planned for Docker for Mac too shortly.
I am no longer having issues on Mac while under SSL interception. Can't determine which change actually fixed this. Can anyone else verify this too?
@spencerwp yes it was released in the last beta, see https://docs.docker.com/docker-for-mac/release-notes/#/beta-release-notes and will also be in the next stable release (which will be after Docker 1.12.2 is released).
Closing as now resolved. Glad it is working for you!
Just switched to beta! Worked first try! Thank you, any idea on when this hits stable so I can roll this out to my teams?
The stable release is planned to be this week with this.
I'm still having an issue with my self-signed cert. On my mac, I've added the cert file to
/etc/ssl/certs/ca-certificates.crt
which didn't work.
I also tried the application's relative directory:
/Applications/Docker.app/Contents/Resources/etc/ssl/certs/ca-certificates.crt
I still get the following error (after restarting Docker engine):
certificate signed by unknown authority
Any ideas of what I'm doing incorrectly?
OSX El Capitan version: 10.11.6 (15G31)
Docker Server Version: 1.12.3
Please open an issue on https://github.com/docker/for-mac/issues
The certs need to be in the keychain, I think there is a tool to add them.
You can add certs as follows:
Root Cert
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain myrootcert.cer
Other Cert, usually issued with root Cert
security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain mycert.cer
Thank you @mickep76, that's what I needed.
Any idea if the Docker for Mac can use a client certificates from the keychain?
I have added the ca.crt file into the keychain with the command sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt and changed the values to always trust on the certificate. But I am still getting Error response from daemon: Get https://docker.abc.xyz.net/v1/users/: x509: certificate signed by unknown authority. I am using Docker for Mac. Any ideas?
Verify if you get the same error with curl to the registry. If that works then your system is set up correctly; if not it's likely related to docker.
I'm seeing this issue using Docker for Mac Version 17.12.0-ce-mac49 (21995) on macOS 10.13.3 High Sierra:
After adding the relevant internal root certificate using sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/My_Internal_Root_CA_1.pem
RUN curl -v https://<my domain requiring root certificate>.com
in my Dockerfile fails with SSL certificate problem: self signed certificate in certificate chain during docker build.
From the Docker documentation, it appears that the certificate should be available to the container after I add it to my Mac's System keychain but that is not working. Any ideas?
No, those certificates may be accessible by the daemon to make connections, but not inside the container; the container only gets access to things you give it access to
@thaJeztah There's an open issue (docker/for-mac#1757, still in triage) for getting the daemon custom certs for use with docker pull / push. Right now, AFAIK, the daemon doesn't have them, it just has the CAs.
A way to give them to the container, on the other hand, a la secrets, would be amazing, as well. Hmm.. I'll open that too, since I don't think that's there.
Copy the crt to the Mac and run the following command: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain domain.crt then restart docker
Until https://github.com/golang/go/issues/14514 lands in go1.8, would it be possible to use https://github.com/hashicorp/go-rootcerts to make the docker client in OSX trust all the CAs registered in the system?
I'm running a private registry with an internal CA infrastructure and it's a pain to have to treat it as a special case in docker when all machines are set to trust that CA.