Docker on Windows (Boot2Docker) - certificate signed by unknown authority error
Solution 1
This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn't until today been able to work out a solution for Docker. The trick is to add the certificates to Docker's cert store and have them persist. This is accomplished by using a bootlocal.sh
script that executes every time the machine starts.
I assume if you've already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you've already done #1 and #2 by way of previous attempts.
Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.
-
Once you have them saved to a known location, you will want to convert them to PEM format unless you save as duch. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access to. Typically for MS Windows, you'll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.
-
This step may not be strictly necessary, but it's what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.
MINGW64:$ docker-machine ssh default docker@default:~$ sudo -s root@default:/home/docker# mkdir /var/lib/boot2docker/certs root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
-
Now it's time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven't already, open an SSH connection to the machine, per Step 4.
touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh vi /var/lib/boot2docker/bootlocal.sh
Insert the following and save the file:
#!/bin/sh mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d
-
Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:
docker-machine restart default
Now you should be able to run 'hello-world' and others. I hope this helps.
Sources
[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem
[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043
Solution 2
A way to do it With Firefox, go to url: https://auth.docker.io/token?scope=repository%3Alibrary%2Fhello-world%3Apull&service=registry.docker.io, click view details for the certificate and extract it as crt.
Copy the file to VM where the os stores the crt:
CentOS
etc/pki/ca-trust/source/anchors/
# Then run
update-ca-trust force-enable
update-ca-trust extract
Ubuntu
/usr/share/ca-certificates
#Then run
sudo dpkg-reconfigure ca-certificates
Reboot docker, and it should work
codependent
By day: I code for 8 hours and a half. Cloud, Kubernetes, Spring, NodeJS... By night: I code a little more, work out and try to get some sleep.
Updated on May 04, 2020Comments
-
codependent about 4 years
I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self signed CA's. Thus, the chain ends up like this:
Company's CA |__ Company's Intermediate CA |__ Docker Certificate
When I try to run any command, such as:
docker run hello-world
I get this error:
Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority
I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?
-
Marco about 6 yearsIn addition to the above steps, I had to download the certificate from
"https://registry-1.docker.io/v2/"
, convert to*.pem
and copied to/etc/docker/certs.d
, only then it worked! But these steps helped me a lot figuring this out. -
yohosuff almost 6 yearsIf you want an easier time pasting these commands, enable "QuickEdit Mode" in MINGW64 (right-click title bar > Options > QuickEdit Mode). stackoverflow.com/a/16363972/1455558
-
Jaywalker over 5 years+1 What I would like to add is that you can look at the log files in /var/log as
bootlocal.log
,boot2docker.log
anddocker.log
provide good details of what's happening behind the scenes to help you troubleshoot. -
Junaid Khan almost 5 yearsThis worked for me like a charm, I wasn't able to do the "docker pull selenium/hub" after all this, I am now able to do all this good stuff. I had ZScaler certificates.
-
Karthick Jayaraman almost 4 yearsUbuntu solution works like charm. Was stuck for the whole day with this issue. Thanks a lot