How to install SSL / TLS certificate CA file in Mac for secure (HTTPS) remote repository docker login - macos

I have set up or have been provided with a secured URL (HTTPS) to a remote Docker registry. I need to perform docker login into the remote registry in order to be able to push my locally built Docker images.
The command would be something like:
docker login -u myUser https://registry.mydomain.example.com
However, docker login fails with an x509 certificate verification error like:
Error response from daemon: Get https://registry.mydomain.example.com/v2/: x509: certificate signed by unknown authority
I'm using macOS / OS X; how can I get my local Docker (Docker client) to accept the remote repository's TLS certificate for HTTPS traffic?
Also, once the secure HTTPS connection works, how do I build and push my image to the remote repository, after I've written the Dockerfile and tested locally that my image works?

Although the Docker documentation page on this matter does not specifically mention it, the Linux/Unix instructions work for macOS / OS X as well:
https://docs.docker.com/engine/security/certificates/
I got the instructions below working on a MacBook Pro running macOS High Sierra 10.13.5 (17F77)
Docker client (local Docker) version: 18.03.1-ce
Place the Certificate Authority (CA) file, provided by the remote registry admin, into the specific folder structure via terminal commands:
sudo mkdir -p /etc/docker/certs.d/registry.mydomain.example.com
sudo cp ca.crt /etc/docker/certs.d/registry.mydomain.example.com
Note: If you are using a URL with a port to connect to the registry, the port needs to be included in the folder name under the certs.d folder. The URL can also be in the form of an IP address:
sudo mkdir -p /etc/docker/certs.d/registry.mydomain.example.com:443
sudo mkdir -p /etc/docker/certs.d/172.123.123.1:443
EDIT TO ADD!
I tested this with a co-worker and it was discovered that adding the CA file to the macOS Keychain was required (I had also done this previously). It is currently unknown if the above /etc/docker steps are even required on Mac. We used this guide to import the ca.crt file into the Keychain (visible as "not trusted" in the Certificates menu).
https://www.sslsupportdesk.com/how-to-import-a-certificate-into-mac-os/
Afterwards, restart your local Docker.
Docker login should work normally afterwards. If you still keep getting the x509 unknown authority error, it might be a good idea to verify the remote registry's server certificate (obtainable e.g. by navigating to the registry's URL with a browser) against the CA file, using openssl commands:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Below is an example if working with an OpenShift integrated (Atomic) registry:
oc login https://registry.mydomain.example.com -u myUser --certificate-authority=ca.crt
docker login -u $(oc whoami) -p $(oc whoami -t) https://registry.mydomain.example.com
You should get a message saying Login Succeeded; then:
docker build -t registry.mydomain.example.com/openshiftProject/my-image:1.0 .
docker push registry.mydomain.example.com/openshiftProject/my-image:1.0

Related

Login to docker registry with client certificate under windows

The docker documentation here describes how to configure docker in order to connect to a registry that requires a client certificate. Under Ubuntu it works: I place the client.crt and client.key files into the folder /etc/docker/certs.d/<myregistry>/ as stated by the documentation ... and it works.
Unfortunately, there is no specific documentation on how to configure docker under windows (wsl backend) to achieve the same result... and I am stuck... I performed the following attempts:
Imported the private key and certificate into the windows certificate manager, restarted docker
added the cert and key files into the docker-desktop wsl file system in /etc/docker/certs.d/<myregistry>/, restarted docker...
added the cert and key files into the docker-desktop-data wsl file system in /etc/docker/certs.d/<myregistry>/, restarted docker
added the cert and key files into the docker-desktop wsl file system in /root/.docker/certs.d/<myregistry>/, restarted docker
added the cert and key files into the docker-desktop-data wsl file system in /root/.docker/certs.d/<myregistry>/, restarted docker
I always get the same result:
PS C:\> docker login -u <remote_user> <myregistry>
Password:
Error response from daemon: login attempt to https://<myregistry>/v2/ failed with status: 400 Bad Request
Any Idea?
I found it! You need to place the cert and key files into the C:\Users\<user>\.docker\certs.d\<mysite>\ as follows:
C:\Users\<user>\.docker\certs.d\<mysite>\client.cert
C:\Users\<user>\.docker\certs.d\<mysite>\client.key
Docker must be restarted and after that, the login with the command docker login <mysite> does not fail anymore.

superset keycloak integration on https

We have superset docker containers which use keycloak as identity broker. All this setup is working fine on http. Further, we have installed an ssl certificate on keycloak and that is also working fine. Our superset and keycloak integration code changes look exactly like those mentioned in the answer here.
Now, when we changed auth uris from http to https in superset/docker/pythonpath_dev/client_secret.json, we are getting below error after the login flow is redirected from keycloak to superset.
Forbidden
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'
We also tried installing the root certificates on superset by mounting them at /usr/local/share/ca-certificates and then executing update-ca-certificates in the container, but it still did not help. Any idea how this can be resolved?
Thanks @sventorben for the tip. Indeed it was python which was not able to read my CA files. Since I am new to this, I will detail all the steps I followed. However, some of these steps might be redundant.
After I received my root as well as intermediary CA files, I first converted them from DER to PEM format using openssl.
openssl x509 -inform DER -in myintermediary.cer -out myintermediary.crt
openssl x509 -inform DER -in myroot.cer -out myroot.crt
Then, I mounted these files to my superset container at path /usr/local/share/ca-certificates/
Then, I logged into my container, executed the update-ca-certificates command and verified that 2 new pem files got added at /etc/ssl/certs/, i.e. myroot.pem and intermediary.pem.
Then, I added these CA files to python certifi inside my container. To find out the path of cacert.pem, I executed the commands below in the python terminal.
import certifi
certifi.where()
exit()
Here, the second command gave me the path of cacert.pem, which was like /usr/local/lib/python3.7/site-packages/certifi/cacert.pem.
After this, I appended my CA files to the end of cacert.pem:
cat /etc/ssl/certs/myroot.pem /etc/ssl/certs/intermediary.pem >> /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
In the end I logged out of my container and restarted it.
docker-compose stop
docker-compose up -d
Note:
I feel step 3 is redundant as python does not read CA files from there. However, I still did it and I am in no mood to revert and test it out again.
Also, this was my temporary fix, as executing the commands inside the container is not useful since containers are ephemeral.
Update:
Below are the steps followed for production deployment.
Convert the root certificates to PEM format using openssl.
Concatenate both PEM files into a new PEM file which will be installed as a bundle. Let's say the new PEM file is mycacert.pem and it is mounted at /app/docker/.
Create an sh file called start.sh with the 2 commands below.
cat /app/docker/mycacert.pem >> /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
gunicorn --bind 0.0.0.0:8088 --access-logfile - --error-logfile - --workers 5 --worker-class gthread --threads 4 --timeout 200 --limit-request-line 4094 --limit-request-field_size 8190 'superset.app:create_app()'
Modify docker-compose.yml and change the command as below.
command: ["/app/docker/start.sh"]
Restart superset container.
docker-compose stop
docker-compose up -d
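The start.sh procedure above, as an added example that is not the answer's own script: the same two steps (append the CA bundle to certifi's cacert.pem, then exec gunicorn), but with the append made idempotent so that a restarted container does not add the same certificates a second time, and with the DER to PEM conversion from the earlier steps included. The bundle path /app/docker/mycacert.pem and the gunicorn invocation are taken from the answer; the certifi path is looked up with certifi.where() as the answer does. The function names, the checksum marker and the --run guard (so the file can be sourced without starting the server) are this example's own choices.

```sh
#!/bin/sh
# Added example, not the answer's start.sh. Appends a private CA bundle to
# certifi's cacert.pem at most once per bundle version, then starts gunicorn.
# Function names, the marker format and the --run guard are this example's own.

# der_to_pem IN.cer OUT.crt -> convert a DER-encoded CA file to PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# certifi_bundle -> path of cacert.pem for the python3 interpreter in PATH.
certifi_bundle() {
    python3 -c 'import certifi; print(certifi.where())'
}

# append_bundle_once BUNDLE TARGET -> append BUNDLE to TARGET unless a marker
# carrying BUNDLE's checksum is already present. The checksum changes when the
# CA files change, so a rotated bundle is appended again while an unchanged
# bundle is not, however often the container restarts.
append_bundle_once() {
    bundle="$1"; target="$2"
    marker="# extra-ca-bundle cksum=$(cksum < "$bundle" | cut -d' ' -f1)"
    if grep -qF -- "$marker" "$target" 2>/dev/null; then
        return 0
    fi
    { printf '\n%s\n' "$marker"; cat "$bundle"; } >> "$target"
}

# count_certs FILE -> number of PEM certificates in FILE (to check the result).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Entrypoint behaviour, executed only when started as "start.sh --run"
# (docker-compose: command: ["/app/docker/start.sh", "--run"]).
if [ "${1:-}" = "--run" ]; then
    append_bundle_once /app/docker/mycacert.pem "$(certifi_bundle)"
    exec gunicorn --bind 0.0.0.0:8088 --access-logfile - --error-logfile - \
        --workers 5 --worker-class gthread --threads 4 --timeout 200 \
        --limit-request-line 4094 --limit-request-field_size 8190 \
        'superset.app:create_app()'
fi
```

Two things to keep in mind with this approach: a pip upgrade of certifi replaces cacert.pem wholesale, which is why the append belongs at container start (as the answer does it) rather than only at image build time; and if the client doing the OAuth calls is requests, pointing REQUESTS_CA_BUNDLE at a combined bundle (public roots plus the private CA) reaches the same goal without editing a file inside site-packages.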

remote signing using Xcode

I was wondering if Xcode supports remote signing, meaning signing my app with a certificate that resides in a keychain file located on a remote machine.
Currently I use the run script option and copy my application to a remote location, sign it and copy it back. The connection to the remote machine should be made without a password using ssl authentication (which I've done once prior to the compilation phase). The script looks like this:
1. scp <my_target> <user>@<server>:
2. /tmp/ssh <user>@<server> 'security unlock-keychain -p <password> \
<home>/Library/Keychains/login.keychain; codesign -f -s " \
<my_signature>" /tmp/<my_target>'
3. scp <user>@<server>:/tmp/<my_target> .
My question is whether Xcode has such remote signing capabilities that could replace my script.

Docker on Mac behind proxy that changes ssl certificate

My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.
I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:
orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)
My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)
That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.
I'm hoping that someone can point me in the right direction.
Edit: I thought that maybe I needed to do something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:
orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer"
Password:
Error reading file ~/Desktop/Certs/redacted.cer
Edit 2: I may have come one step closer to solving this. I should have known better than to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.
Alas, this did not alleviate the ultimate symptom:
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
According to the boot2docker README
Insecure Registry
As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.
$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
then you should be able to do a docker push/pull.
The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:
cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
is used to find the certificate.
Try adding the .cer file into the OS X certificate keychain.
If you use docker-machine,
edit $USER/.docker/machine/machines/default/config.json:
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}
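The keychain check implied by the quoted root_darwin.go line, as an added example that is not part of the original answer: dump the keychain that code reads with the very same security command and test whether the proxy CA is among the certificates it returns, so you know whether adding the certificate actually changed what the Go x509 package will see. Matching is done on the base64 body of the PEM, so no openssl is needed. The function names, the temporary paths and the sample bundles used in the test are this example's own; the security command and keychain path are the ones quoted above. Later Go releases obtain roots differently, so treat this as a check for the Docker and Go versions discussed in this thread.

```sh
#!/bin/sh
# Added example, not from the original answer. Checks whether a proxy CA is
# among the roots that the quoted root_darwin.go enumerates, i.e. what
# "security find-certificate -a -p" prints for SystemRootCertificates.keychain.
# Function names and temporary paths are this example's own.

# pem_bodies FILE -> one line per certificate: its base64 body with line
# breaks removed (CR stripped in case the file has Windows line endings).
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside { sub(/\r$/, ""); body = body $0 }' "$1"
}

# cert_in_bundle CERT.pem BUNDLE.pem -> exit 0 if the first certificate in
# CERT.pem appears byte-for-byte anywhere in BUNDLE.pem. A DER .cer file has
# no PEM body, so it never matches: convert it to PEM first (see below).
cert_in_bundle() {
    want="$(pem_bodies "$1" | head -n 1)"
    [ -n "$want" ] && pem_bodies "$2" | grep -qxF -- "$want"
}

# go_visible_roots OUT.pem -> dump the keychain that the quoted Go code reads.
# Only meaningful on macOS; elsewhere /usr/bin/security does not exist.
go_visible_roots() {
    /usr/bin/security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain > "$1"
}

# Typical run on a Mac (uncomment to use):
# go_visible_roots /tmp/roots.pem
# openssl x509 -inform DER -in redacted.cer -out /tmp/proxy-ca.pem   # if .cer is DER
# cert_in_bundle /tmp/proxy-ca.pem /tmp/roots.pem \
#   && echo "proxy CA visible to Go" || echo "proxy CA NOT in the dumped keychain"
```

If the dump does not contain the proxy CA after security add-trusted-cert succeeded, the certificate landed in a keychain that this code path does not read (the question's command targets /Library/Keychains/System.keychain, not SystemRootCertificates.keychain), which explains why the docker error stays identical.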

How to change Docker daemon's arguments in OSX

I need to modify the docker daemon's arguments in OSX.
I got an error when pulling from a private repository without a certificate.
2014/11/11 13:40:02 Error: Invalid registry endpoint
https://registry.af-sys.com/v1/: Get
https://registry.af-sys.com/v1/_ping: dial tcp 54.229.102.95:443: i/o
timeout. If this private registry supports only HTTP or HTTPS with an
unknown CA certificate, please add --insecure-registry
registry.af-sys.com to the daemon's arguments. In the case of HTTPS,
if you have access to the registry's CA certificate, no need for the
flag; simply place the CA certificate at
/etc/docker/certs.d/registry.af-sys.com/ca.crt
According to this message I should modify the daemon arguments. How can I do that?
Following Bryan's note, I added the following to the boot2docker profile:
boot2docker ssh -t sudo vi /var/lib/boot2docker/profile
# Insecure Registry
EXTRA_ARGS="--insecure-registry registry.af-sys.com"
boot2docker restart
If you're running Docker for Mac, you can set some arguments in the UI Preferences.
For example:
add Insecure registries
add Registry mirrors
change the HTTP proxy settings
