Docker behind proxy that changes ssl certificate

Question

I am trying to run the following docker command:

docker run -i -t ubuntu /bin/bash

But I get the error:

Unable to find image 'ubuntu' (tag: latest) locally

Pulling repository ubuntu
2013/11/28 14:00:24 Get https://index.docker.io/v1/images/ubuntu/ancestry: x509: certificate signed by unknown authority

I know that our company replaces the SSL Certificate on the fly for https requests.

I tried to trust our company's CA certificate by putting it in:

 /etc/pki/tls/certs/ca-bundle.crt

and

/etc/pki/tls/cert.pem

But it is still not working.

Any ideas?

Answer 1

To configure docker to work with a proxy system you first need to add the HTTPS_PROXY / HTTP_PROXY environment variable to the docker sysconfig file. However depending on if you use init.d or the services tool you need to add the "export" statement. As a workaround you can simply add both variants in the sysconfig file of docker:

/etc/sysconfig/docker

HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"

To get docker working with ssl intercepting proxies you have to add the proxy root certificate to the systems trust store.

For CentOS copy the file to /etc/pki/ca-trust/source/anchors/ and update the ca trust store. Restart the docker service afterwards. If your proxy uses NTLM authentication - it's necessary to use intermediate proxies like cntlm. This blog post explains it in detail

Answer 2

@jpetazzo's answer is overall correct, however there is a nicer way to do the same thing (without manually editing a ca-bundle file):

• on CentOS:

  sudo cp yourcert.crt /etc/pki/ca-trust/source/anchors/
  sudo update-ca-trust extract
  sudo service docker restart
  

• on Debian:

  sudo cp yourcert.crt /usr/local/share/ca-certificates/
  sudo update-ca-certificates
  sudo service docker restart
  

Note that restarting docker daemon is necessary!

Answer 3

According to http://golang.org/src/pkg/crypto/x509/root_unix.go, you should append your certificate to one of the following:

• /etc/ssl/certs/ca-certificates.crt
• /etc/pki/tls/certs/ca-bundle.crt
• /etc/ssl/ca-bundle.pem
• /etc/ssl/cert.pem
• /usr/local/share/certs/ca-root-nss.crt

Find the one that exists on your system, and append your certificate to it.

(And be ready to do it again when you upgrade the package containing that file...)

I hope there is a better method, but this is the only one I found so far :-)