The docker documentation here describes how to configure docker in order to connect to a registry that requires a client certificate. Under Ubuntu it works: I place the client.crt and client.key files into the folder /etc/docker/certs.d/<myregistry>/ as stated by the documentation ... and it works.
Unfortunately, there is no specific documentation how to configure docker under windows (wsl backend) to achieve the same result... and I stuck... I performed following attempts:
Imported the private key and certificate into the windows certificate manager, restarted docker
added the cert and key files into the docker-desktop wsl file system in /etc/docker/certs.d/<myregistry>/, restarted docker...
added the cert and key files into the docker-desktop-data wsl file system in /etc/docker/certs.d/<myregistry>/, restarted docker
added the cert and key files into the docker-desktop wsl file system in /root/.docker/certs.d/<myregistry>/, restarted docker
added the cert and key files into the docker-desktop-data wsl file system in /root/.docker/certs.d/<myregistry>/, restarted docker
I always get the same result:
PS C:\> docker login -u <remote_user> <myregistry>
Password:
Error response from daemon: login attempt to https://<myregistry>/v2/ failed with status: 400 Bad Request
Any Idea?
I found it! You need to place the cert and key files into the C:\Users\<user>\.docker\certs.d\<mysite>\ as follows:
C:\Users\<user>\.docker\certs.d\<mysite>\client.cert
C:\Users\<user>\.docker\certs.d\<mysite>\client.key
Docker must be restarted and after that, the login with the command docker login <mysite> does not fail anymore.
I have set-up or have been provided with an secured URL (HTTPS) to a remote Docker registry. I need to perform docker login into the remote registry in order to be able to push my locally built Docker images.
The command would be something like:
docker login -u myUser https://registry.mydomain.example.com
However, docker login fails with x509 certificate verification error like:
Error response from daemon: Get https://registry.mydomain.example.com/v2/: x509: certificate signed by unknown authority
I'm using macOS / OS X, how can I get my local Docker (Docker client) to accept remote repository's TLS certificate for HTTPS traffic?
Also, once the secure HTTPS connection works, how do I build and push my image to the remote repository, after I've written the Dockerfile and tested locally that my image works?
Unlike the Docker documentation's link regarding this matter specifically mentions, the Linux/Unix instructions work for macOS / OS X as well:
https://docs.docker.com/engine/security/certificates/
I got below instructions working with MacBook Pro using macOs High Sierra 10.13.5 (17F77)
Docker client (local Docker) version: 18.03.1-ce
Place the Certificate Authority (CA) file, provided by the remote registry admin, into the specific folder structure via terminal commands:
sudo mkdir -p /etc/docker/certs.d/registry.mydomain.example.com
sudo cp ca.crt /etc/docker/certs.d/registry.mydomain.example.com
Note: If you are using URL with port to connect to the registry, the port needs to be included in the foldername under certs.d folder. The URL can also be in the form of IP:
sudo mkdir -p /etc/docker/certs.d/registry.mydomain.example.com:443
sudo mkdir -p /etc/docker/certs.d/172.123.123.1:443
EDIT TO ADD!
I tested this with a co-worker and it was discovered that addition of the CA file into macOS Keychain was required (I had also done this previously). It is currently unknown if the above /etc/docker steps are even required on Mac. We used this guide to import ca.crt file into the Keychain (visible as "not trusted" at Certificates menu).
https://www.sslsupportdesk.com/how-to-import-a-certificate-into-mac-os/
Afterwards, restart your local Docker.
Docker login should work normally afterwards. If you still keep getting the x509 unknown authority error, it might be a good idea to verify the remote registry's server certificate's (obtainable e.g. by navigating to the registry's URL with browser) validity against the CA file, using openssl commands:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Below is an example if working with OpenShift integrated (Atomic) registry:
oc login https://registry.mydomain.example.com -u myUser --certificate-authority=ca.crt
docker login -u $(oc whoami) -p $(oc whoami -t) https://registry.mydomain.example.com
You should get a prompt that Login Succeeded, then:
docker build -t registry.mydomain.example.com/openshiftProject/my-image:1.0 .
docker push registry.mydomain.example.com/openshiftProject/my-image:1.0
BrowserStackLocal gives Error: Could not connect to www.browserstack.com!
I am trying to use Charles Proxy with BrowserStackLocal. I want to use Rewrite feature of Charles Proxy. Both Charles Proxy and BrowserStackLocal are running on same Mac Laptop.
I am getting following error. Has anybody run into this problem?
$ ./BrowserStackLocal myKey -proxyHost 192.168.160.113 -proxyPort 8888 -force -forcelocal
BrowserStackLocal v5.5
*** Error: Could not connect to www.browserstack.com!
Configuration Options:
-v
Provides verbose logging
-f
If you want to test local folder rather internal server
-h
Prints this help
-version
Displays the version
-force
Kill other running Browserstack Local
-only
Restricts Local Testing access to specified local servers and/or folders
-forcelocal
Route all traffic via local machine
-onlyAutomate
Disable Live Testing and Screenshots, just test Automate
-proxyHost HOST
Hostname/IP of proxy, remaining proxy options are ignored if this option is absent
-proxyPort PORT
Port for the proxy, defaults to 3128 when -proxyHost is used
-proxyUser USERNAME
Username for connecting to proxy (Basic Auth Only)
-proxyPass PASSWORD
Password for USERNAME, will be ignored if USERNAME is empty or not specified
-localIdentifier SOME_STRING
If doing simultaneous multiple local testing connections, set this uniquely for different processes
To test an internal server, run:
./BrowserStackLocal <KEY>
Example:
./BrowserStackLocal DsVSdoJPBi2z44sbGFx1
To test HTML files, run:
./BrowserStackLocal -f <KEY> <full path to local folder>
Example:
./BrowserStackLocal -f DsVSdoJPBi2z44sbGFx1 /Applications/MAMP/htdocs/example/
View more configuration options at http://www.browserstack.com/local-testing
Charles Proxy generates its own certificates which is signed by 'Charles Root Certificate'. It seems Charles Proxy is modifying the certificate used by BrowserStackLocal due to which the request to BrowserStack fails and you receive "Could not connect to www.browserstack.com!". More information on SSL-Certificates and Charles is available here.
Can you disable this setting in Charles? This will allow BrowserStackLocal use its original certificate and connect to BrowserStack.
I disabled the SSL proxying in Charles Proxy and turned SOCKS . That solved the problem.
PuTTY fatal error:
No supported authentication methods available
When I tried to login into the production server, I am getting above error. Could anyone help me to fix this?
Edit file
sudo vi /etc/ssh/sshd_config
Set PasswordAuthentication yes
Then restart server
sudo service ssh restart
sudo service sshd restart
It worked for me after I did the following steps :
1- Download Puttygen (https://www.puttygen.com/download-putty)
2- Open PUttyGen and then Load the private key from :
C:\Users[username]\Chapter6.vagrant\machines\default\virtualbox
3- save the new private key with a new name.
4- Open Putty, go to Connection > SSH > Auth > and add the new private key
5- Connect now using 127.0.0.1 and 2222
I think your private key file format is not compatible with putty for putty uses its' native format instead.
Detail:http://tartarus.org/~simon/putty-snapshots/htmldoc/Chapter10.html#errors-no-auth
If you are using cloud service and trying to connect server using ssh then Don't login the user name as ec2-user, the default user name is ubuntu forubuntu server.
This error can also be seen if you haven’t selected the .ppk file for the session in Putty: Connection > SSH > Auth
You’re done if you’ve employed PuttyGen to generate the keys. Else import the private key to your .ppk file as others have instructed.
Note on Linux as opposed to Windows, puttygen is accessed only via the command line. Here’s some resources for that:
https://the.earth.li/~sgtatham/putty/0.76/htmldoc/Chapter8.html#pubkey
http://manpages.ubuntu.com/manpages/bionic/man1/puttygen.1.html
https://www.ssh.com/academy/ssh/putty/linux/puttygen
In my case, I updated the Putty application to the latest and issue was solved.
Do you still have access to the server (maybe an open shell?) Check /var/log/messages for more details. This could have something to do with your PAM configuration.
Did you change folder permissions? i met this question in this week, so i find the error that is cause to me change the folder(name is ec2-user) permission.
1.Edit the /etc/ssh/sshd_config file.
2.Change PasswordAuthentication and ChallengeResponseAuthentication to yes.
3a. Restart ssh /etc/init.d/ssh restart.
OR
3b. better you use service sshd restart
If you've saved your public key on an external drive and it's not connected, putty will throw this error when connecting to your remote server.
Solved via Puttygen
I was on a windows system and it doesnt support direct shell access like linux or macOS.
Download Puttygen.
Load the .pem key to puttygen
Save as Private key
Use this key to login to ec2 instance
P.S : Also if the SSH ask for login/username - enter ubuntu or admin
Download Puttygen
Load the .pem key to puttygen
convert .pem file to .ppk
Save as Private key
Install/Open Putty >> puTTY Configuration >> Auth >> Browse >> path to .ppk file
Use this key to login to ec2 instance (check that IP of remote server is allowed in security group config of EC2 instance)
Username
The usual user names are ec2-user, ubuntu, centos, root, or admin
If that server is in the cloud like AWS, the rookie mistake I did was not realizing that a new Public IPv4 DNS gets used when the instance was off for some time. So, check the new DNS
Today I faced the same problem. So in putty you have to use "user name" of your EC2 instance
to get your "user name" of your EC2 instance
Select EC2 instance
select Connect
Now go to putty use ec2_name#public address
To see your public address
select EC2
under details you will be able to see your public address.
Now try loading your "ppk" file you will be able to log in.
For Digital Ocean, we should enable password authentication first.
The complete instruction is here: https://docs.digitalocean.com/support/i-lost-the-ssh-key-for-my-droplet/#enable-password-authentication
Log in to the Droplet via the Recovery Console
Even though you have a root password for the Droplet, if you try to log in via SSH using that password immediately, you’ll receive a Permission denied (publickey) error. This is because password authentication is still disabled on the Droplet. To fix this, you need to log in via the Recovery Console and update its SSH configuration.
There are detailed instructions on how to connect to Droplets with the
Recovery Console for a more explicit walkthrough, but here’s a brief
summary:
On the Droplet’s detail page, in the same Access tab, click the Launch
Console button.
At the login prompt, enter root as the username.
At the subsequent password prompt, enter the root password you were
sent via email. Most distributions prompt you to enter the password
twice, but some (like Fedora 27) do not.
Enter a new root password to replace the one that was emailed to you,
then enter that same new password again.
You will now be logged in as root in the Recovery Console, which gives
you access to the Droplet’s SSH configuration.
Enable Password Authentication To enable password authentication on
your Droplet, you need to modify a line in its SSH config file, which
is /etc/ssh/sshd_config.
Open /etc/ssh/sshd_config using your preferred text editor, like nano
or vim. Find the line that reads PasswordAuthentication no line and
change it to PasswordAuthentication yes, then save and exit the file.
Because the SSH daemon only reads its configuration files when it’s
first starting, you need to restart it for these changes to take
effect. The command to do this depends on your operating system:
Operating System SSH Restart Command
Ubuntu 14.x service ssh restart
Ubuntu 15.4 and up systemctl restart ssh
Debian systemctl restart ssh
CentOS 6 service sshd restart
CentOS 7 systemctl restart sshd
Fedora systemctl restart sshd\
I've just successfully built SparkleShare for windows according to guide:
https://github.com/wimh/SparkleShare/wiki
and exported my ssh public key to a server.
The problem is that I can't connect from a client behind a http_proxy to a public server with ssh running on a custom port. I had also problem with cloning any git server. I need to switch git:// protocol to http:// one. Any suggestion? Does anyone have similar experience?
This is a log file:
15:25:13 [SSH] ssh-agent started, PID=4380 Identity added:
C:\Users\MYUSER\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key
(C:\Users\sg0922706\AppData\Roaming\sparkleshare\sparkleshare.MYEMAIL.key)
15:25:34 [Fetcher][C:\Users\MYUSER\Documents\SparkleShare.tmp\share]
Fetchin g folder: ssh://MYGITUSER#MYHOST/MYPATH 15:25:34 [Fetcher]
Disabled host key checking MYHOST 15:25:34 [Cmd] git clone --progress
"ssh://MYGITUSER#MYHOST/MYPATH" "C:\Us
ers\MYUSER\Documents\SparkleShare.tmp\share" 15:25:37 [Git] Exit code
128 15:25:37 [Fetcher] Failed 15:25:37 [Fetcher] Enabled host key
checking for MYHOST
To get SparkleShare to use your proxy you will need to modify the config of the msysgit that is installed as part of SparkleShare. Navigate to C:\Program Files (x86)\SparkleShare\msysgit\etc and edit the gitconfig file in notepad and add the following line under the [http] tag
proxy = http://user:pass#proxyurl:port
modifying the url as required to match your settings. You can then use the "On my own server" option to add the http url of your repository.
I have a work around on this particular problem. I guess that you already successfully connected to your server via a simple SSH client (i.e. PuTTY)? With PuTTY you can easily configure an ssh connection via any kind of proxy (such as HTTP, SOCKS, Telnet, ..)
What you can do now is to specify a local "tunnel" (an SSH port forwarding rule) like this: L22 127.0.01:22 (see attachment). If you are using a ssh command line add the following option: -L 22:127.0.01:22.
So now as soon as your terminal is open and running you'll be able to reach your git server via the server url: ssh://git#127.0.0.1.
If your local port 22 is busy you can define the tunnet on a other port. i.e. if the 44 is not occupied: L44 127.0.0.1:22. The url to use in SparkleShare become ssh://git#127.0.0.1:44.
But it's a work around. I'm looking for a better solution.