11

I have boot2docker 1.4.1 running on Windows via VirtualBox. I am behind a proxy that MITMs HTTPS certificates. I configured the proxy by adding the following lines to `/var/lib/boot2docker/profile`:

```
export HTTP_PROXY=<proxyhost>:80
export HTTPS_PROXY=<proxyhost>:80
DOCKER_TLS=no
EXTRA_ARGS="--insecure-registry index.docker.io"
```

However, when I run `docker@boot2docker:~$ docker run hello-world`, I get:

```
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0006] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority
```

Please help me figure out the correct way to ignore certificate errors. Thanks!

RaGe
  • 1
    Same issue here. Found a solution? – Kishan B Feb 27 '15 at 19:23
  • I ended up installing Docker on an Ubuntu VM and ran into the same problem as well. I eventually got around that by adding my MITM proxy and CA certificates to my Ubuntu trusted store. I'm sure you can do the same on boot2docker if you know where the trusted store is. If you're still stuck, I can look it up for you. I have no clue what the `--insecure-registry` flag really does. – RaGe Feb 28 '15 at 22:46
  • 1
    Here's the documentation on `--insecure-registry`: https://docs.docker.com/reference/commandline/cli/#insecure-registries. But it doesn't seem to want to consider index.docker.io as an insecure registry, and it is way too much work to modify the trusted store to get around this issue. This usually happens because IT departments insert their own root certs to the trusted store of the host machine to sniff HTTPS traffic. – Doguhan Uluca Apr 16 '15 at 15:59

2 Answers

21

Edit: Looks like the new Docker only works on certain flavors of Windows 10. If you are still stuck on Windows 7, I have updated the steps below to reflect what I had to go through to correct the 'self signed certificate in certificate chain' error when I installed the latest version of docker-toolbox (Docker 1.11.2).


Finally got this working on Windows 7 following the answers here: https://github.com/boot2docker/boot2docker/issues/347

Check that this is your issue by running `openssl s_client -showcerts`:

```
docker@boot2docker:~$ openssl s_client -showcerts -CApath . -connect index.docker.io:443
```

(Edit: removed 32 from -showcerts and corrected host name)

In the certificate chain, you'll see the proxy has inserted itself, and the verify returns an error something like this:

```
Verify return code: 19 (self signed certificate in certificate chain)
```

If you have the same problem, then give the steps below a try:

  1. First, save the certificate you need. Here are the steps to use in Firefox, similar to https://stackoverflow.com/a/6966818/1981358 (Chrome and IE should also work using the Certificate Export Wizard; note: on Windows, the PEM certificate encoding is called "Base-64 encoded X.509 (.CER)"):
    • In Firefox, go to https://hub.docker.com/
    • Click on the lock icon in the address bar to display the certificate
    • Click through "More Information" -> "Security" -> "View Certificate" -> "Details"
    • Select each node in the hierarchy, beginning with the uppermost one, and click on "Export" and "Save" (select the "X.509 Certificate (PEM)" format)
    • Save the above files somewhere on your local drive, change the extension to .pem, and move them to your user folder (or any other location accessible from ssh)
  2. Create a folder to hold the cert(s): `docker@boot2docker:~$ sudo mkdir /var/lib/boot2docker/certs/`
  3. Copy the cert file(s) to that location: `docker@boot2docker:~$ sudo cp /c/Users/<username>/<folder>/<proxy-cert>.pem /var/lib/boot2docker/certs/`
  4. Create the file `/var/lib/boot2docker/bootlocal.sh` and include the source from https://gist.github.com/irgeek/afb2e05775fff532f960 (I just created the file in Windows using Notepad++ and copied it to the correct location, similar to the above step)
  5. Exit ssh and restart: `C:\>docker-machine restart`
  6. Open the shell with `docker-machine ssh` and verify the changes worked: `docker run hello-world`

You should see output which contains something like:

```
Hello from Docker.
This message shows that your installation appears to be working correctly.
```
peater
  • FYI I migrated to docker-machine using the instructions at docker toolbox (https://www.docker.com/docker-toolbox) and did not have to make similar updates so the above may be obsolete. – peater Oct 27 '15 at 17:39
  • 2
    @ppeater, I suspect that you didn't need to make any changes as you migrated an already existing boot2docker image. On a fresh install, I had to upload the certificates and use bootlocal.sh to copy them to /etc/docker/certs.d//ca.crt, so this answer remains relevant. – Dan Nov 04 '15 at 19:33
  • If you are not installing to the "default" VM, make sure the docker-machine commands above include the name of your VM. For instance: `docker-machine ssh dev` – peater Aug 08 '16 at 20:16
  • It worked!!! I tried many solutions but nothing worked except this. – Agam Nov 11 '19 at 17:17
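
Step 4 of the answer above depends on a `bootlocal.sh` whose source is not reproduced on this page. The following is an added example (not the gist's code and not the answerer's) of one way such a script could append the saved proxy certificates to the CA bundle on each boot, skipping files that do not parse and logging each certificate's SHA-256 fingerprint so it can be checked against the CA your IT department publishes. The bundle path, the marker comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example: NOT the gist from step 4. CERT_DIR comes from the answer;
# BUNDLE (the OpenSSL CA bundle path) is an assumption about your image.
CERT_DIR="${CERT_DIR:-/var/lib/boot2docker/certs}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Print the SHA-256 fingerprint of a PEM certificate (empty if it does not parse).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Append certificate $1 to bundle $2 unless its fingerprint marker is present.
# Returns 0 if added, 1 if already trusted, 2 if $1 is not a certificate.
trust_cert() {
    fp=$(cert_fingerprint "$1")
    [ -n "$fp" ] || return 2
    if grep -qxF "# trusted-by-bootlocal $fp" "$2" 2>/dev/null; then
        return 1
    fi
    {
        echo "# trusted-by-bootlocal $fp"
        # Re-encode so only the certificate itself, not stray text, is appended.
        openssl x509 -in "$1" -outform PEM
    } >> "$2"
    # Log what was trusted so it can be compared with the CA your IT team publishes.
    echo "trusted $(openssl x509 -in "$1" -noout -subject) sha256=$fp" >&2
    return 0
}

# Process every *.pem in directory $1; print how many were newly added to $2.
trust_all() {
    added=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if trust_cert "$f" "$2"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Entry point when installed as bootlocal.sh; does nothing if CERT_DIR is absent.
if [ -d "$CERT_DIR" ]; then
    trust_all "$CERT_DIR" "$BUNDLE" >/dev/null
fi
```
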
5

If you have Docker for Windows on Windows 10, and you're getting the "x509: certificate signed by unknown authority" error, you can try this:

  1. Run Docker for Windows.
  2. After some time, you'll see the Docker icon in the Windows notification area (bottom right).
  3. Right-click the icon and select "Settings..."
  4. The settings window will open. Select "Docker Daemon" on the left.
  5. Add your private registry to the "insecure-registries" collection in the textbox that shows the configuration in JSON format. Then click "Apply".
Paulo Merson