9

I am trying to login to a company's private docker repository. When I try to login with:

docker login docker.abc.xyz.net

it returns only this error:

Error response from daemon: Get https://docker.abc.xyz.net/v1/users/: x509:  certificate is valid for *.xyz.net, xyg.net, not docker.abc.xyz.net

We have a ca.cert, which I have put at the following location:

/Users/myName/etc/docker/certs.d/docker.abc.xyz.net/ca.cert

I also tried putting it here:

/private/etc/docker/certs.d/docker.abc.xyz.net/ca.cert

and finally used this command to try to get keychain access for the cert:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt

I even gave full access to the cert to see if that would be picked up. I have tried restarting docker as well, but nothing is accepting my certificate. Does anyone else have any ideas what might be preventing the login attempt on Docker Mac?

--------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6c:ac:dd:00:bf:96:38:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ON DWCC Unclass Testing CA-1
        Validity
            Not Before: Jun  6 19:40:49 2016 GMT
            Not After : Jun  6 19:40:49 2018 GMT
        Subject: C=US, O=Navy, OU=ONI, CN=docker.abc.xyz.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:docker.abc.xyz.net
    Signature Algorithm: sha256WithRSAEncryption

1 Answer

11

This is actually correct, standards-compliant behavior. A *.xyz.net wildcard certificate is valid for abc.xyz.net or docker.xyz.net, but not docker.abc.xyz.net.

Quoting the answer to a question directly focused on this topic, in turn quoting RFC 2818:

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Consider adding an appropriate SubjectAltName to your certificate, if you can't regenerate it altogether.

Charles Duffy
  • I know the matcher is only on the front part of that, and I am discussing that with our tech. But others have been able to get this cert to work, but me on my mac can't. I tried http://container-solutions.com/adding-self-signed-registry-certs-docker-mac/ but it still isn't working. Was coming on here to see if there may be something mac related to docker. – tcoulson Dec 22 '16 at 18:51
  • Different SSL client libraries have different levels of compliance with the relevant RFCs -- some of them allow wildcards to recurse, but *those that do are buggy*. Docker, and the SSL library it's using on your Mac, are doing the Right Thing here, and whichever platform/software accepts that certificate for a 2nd-level wildcard is buggy. – Charles Duffy Dec 22 '16 at 18:52
  • Anyhow, if you're having a different problem with a different certificate, that would be... well... a *different problem*, deserving its own question if not already answered somewhere else. – Charles Duffy Dec 22 '16 at 18:54
  • our tech said the certificate was set specifically for https://docker.abc.xyz.net/ so I am not sure why it thinks I am looking for *.xyz.net/? – tcoulson Dec 22 '16 at 20:38
  • @tcoulson, the error message makes it very clear what the issue at hand is. I couldn't accept what your tech is claiming to you as true without being shown supporting evidence (for example, output from `openssl x509 -in yourcert.crt -noout -text`). – Charles Duffy Dec 22 '16 at 21:59
  • I added in the text you asked for. – tcoulson Dec 23 '16 at 15:03
  • The certificate you gave doesn't match up with the error message -- the error message is specific to wildcard certs, and the certificate given isn't a wildcard cert at all. I'd suggest investigating whether the cert actually being used is the one you think it is, *or* if the error message is still an exact match for the one given in your question. – Charles Duffy Dec 23 '16 at 17:30