I have created a private docker registry which is fronted by NGINX. NGINX is where the ssl terminates.
I am obfuscating my domain by using my-domain.com for the purpose of this question.
I am using OSX 10.10.3 which has boot2docker installed. But it should be noted that the workflow of Vagrant + CoreOS + Docker shouldn't involve boot2docker, since I am having issues within the VM (CoreOS) and not the Host (OSX).
I am using Vagrant to spin up a local CoreOS VM from this box. I then ssh into an instance of that VM and attempt to issue the following command
$ docker login docker.my-domain.com
I am then prompted for my username, password, email as expected; and I supply my details.
Note: I am able to issue the above command in the Host OS (OSX) as expected and able to successfully login (generates the ~/.dockercfg file).
I get the following error:
FATA[0008] Error response from daemon: v1 ping attempt failed with error: Get https://docker.my-domain.com/v1/_ping:
x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to
verify candidate authority certificate "*.my-domain.com"). If this private registry supports only HTTP or HTTPS
with an unknown CA certificate, please add `--insecure-registry docker.my-domain.com` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
simply place the CA certificate at /etc/docker/certs.d/docker.my-domain.com/ca.crt
I have copied over my ca.crt from my self signing. I can confirm that CoreOS is able to connect properly to my server over SSL. I ran this command
openssl s_client -CAfile /etc/docker/certs.d/docker.my-domain.com/ca.crt -connect docker.my-domain.com:443
And I get the expected 'Verify return code: 0 (ok)'. This leads me to believe it's docker that seems to be having a problem.
$ docker version (from within CoreOS VM)
Client version: 1.6.1-rc2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 17f157d-dirty
OS/Arch (client): linux/amd64
Server version: 1.6.1-rc2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 17f157d-dirty
OS/Arch (server): linux/amd64
After all this, I am not sure what I need to try next. Any and all help is appreciated!
This turned out to be a two part issue. The first issue was that when I placed the certificate file (ca.crt) in the relative /etc/ssl/certs/ folder, I didn't rename the original file with the .pem extension. This meant that when I ran update-ca-certificates to install my custom certificate on the client machine, it wasn't getting recognized. This was hiding the second and main issue.
I wasn't using the correct certificate file. Once I used the correct certificate file, and I renamed the file to have the .pem extension I ran update-ca-certificates and then issued the login command and it worked.
I assume I must have installed the correct version of the cert correctly on my host OSX machine, which is why it worked there but not in the VM.
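Both traps in this thread (a file that is not the CA certificate at all, and a trust-store copy that update-ca-certificates ignores because of its name) can be caught before touching the daemon. The script below is an added example, not code from the question or the answer. It assumes the registry listens on port 443, that openssl is installed on the Docker host, that Docker reads a per-registry CA from /etc/docker/certs.d/<host>/ca.crt (the path the error message itself names), and that the system trust store takes a .pem file under /etc/ssl/certs/ as described in the answer (that location and extension vary by distro). Installing the CA this way keeps TLS verification on, so `--insecure-registry` is never needed.

```shell
#!/usr/bin/env bash
# Pre-flight checks before trusting a private registry's CA on a Docker host.
# Added example; not from the original question or answer. Assumptions:
#   - registry reachable on <host>:443, openssl present on this machine
#   - Docker per-registry CA path: /etc/docker/certs.d/<host>/ca.crt
#   - system trust store accepts /etc/ssl/certs/<name>.pem (CoreOS, per the answer)
set -u

# 1. Is the file PEM-encoded certificate data at all? A DER file, a private
#    key or a CSR copied by mistake fails here before anything else runs.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' -- "$1" 2>/dev/null
}

# 2. Is it really a CA certificate? Dropping the server's leaf cert into
#    certs.d is the "wrong certificate file" mistake from the answer: the
#    daemon cannot build a chain to it, so verification still fails.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 3. Where the Docker daemon looks for this registry's CA.
docker_ca_path() {
  printf '/etc/docker/certs.d/%s/ca.crt\n' "$1"
}

# 4. Name under which update-ca-certificates will pick the file up
#    (the .pem extension is what was missing in the answer).
system_ca_path() {
  printf '/etc/ssl/certs/%s.pem\n' "$1"
}

# 5. Does the live registry chain verify against this CA? Same check the
#    question ran by hand; succeeds only on "Verify return code: 0 (ok)".
verify_registry_chain() {
  local host="$1" cafile="$2"
  openssl s_client -CAfile "$cafile" -servername "$host" -connect "$host:443" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# 6. Install into both trust locations; the daemon must be restarted afterwards.
install_ca() {
  local host="$1" cafile="$2"
  install -D -m 0644 "$cafile" "$(docker_ca_path "$host")"
  install -m 0644 "$cafile" "$(system_ca_path "$host")"
  update-ca-certificates
  echo "Installed $cafile for $host; restart the docker daemon to pick it up."
}

main() {
  local host="$1" cafile="$2"
  is_pem_cert "$cafile" || { echo "$cafile is not a PEM certificate" >&2; return 1; }
  cert_is_ca "$cafile"  || { echo "$cafile is not a CA certificate (leaf cert copied?)" >&2; return 1; }
  verify_registry_chain "$host" "$cafile" \
    || { echo "$host does not verify against $cafile; check you have the right CA" >&2; return 1; }
  install_ca "$host" "$cafile"
}

# Usage (as root on the Docker host): ./registry-ca-check.sh docker.my-domain.com ./ca.crt
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The order matters: the cheap file checks run first so that a wrong file is reported as such, instead of surfacing later as the generic "certificate signed by unknown authority" from the daemon.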