Search code examples
dockerboot2docker

How to ignore certificate errors in Boot2Docker on windows

I have boot2docker 1.4.1 running on windows via virtualbox. I am behind a proxy that MITMs https certificates. I configured proxy by adding the following lines in /var/lib/boot2docker/profile:

export HTTP_PROXY=<proxyhost>:80
export HTTPS_PROXY=<proxyhost>:80
DOCKER_TLS=no
EXTRA_ARGS="--insecure-registry index.docker.io"

however when I run docker@boot2docker:~$ docker run hello-world I get

Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0006] Get https://index.docker.io/v1/repositories/library/hello-world/images
: x509: certificate signed by unknown authority

Please help me figure out the correct way to ignore certificate errors. Thanks!

Solution

  • Edit Looks like the new docker only works on certain flavors of Windows 10. If you are still stuck on Windows 7, I have updated the below to reflect the steps I had to go through to correct the 'self signed certificate in certificate chain' error when I installed the latest version of docker-toolbox (Docker 1.11.2).

    Finally got this working on Windows 7 following the answers here: https://github.com/boot2docker/boot2docker/issues/347

    Check that this is your issue by running openssl s_client -showcerts:

    docker@boot2docker:~$ openssl s_client -showcerts -CApath . -connect index.docker.io:443

    (Edit: removed 32 from -showcerts and corrected host name)

    In the certificate chain, you'll see the proxy has inserted itself and the verify returns an error something like this 

    Verify return code: 19 (self signed certificate in certificate chain)

    If you have the same problem then give the steps below a try :

    1. First, save the certificate you need. Here are the steps to use in Firefox similar to https://stackoverflow.com/a/6966818/1981358 (Chrome and IE should also work using the Certificate Export Wizard; Note: on Windows, the PEM certificate encoding is called Base-64 encoded X.509 (.CER)):
      • In Firefox, go to https://hub.docker.com/
      • Click on the lock icon on the address bar to display the certificate
      • Click through "More Information" -> "Security" -> "View Certificate" --> "Details"
      • Select each node in the hierarchy beginning with the uppermost one, and click on "Export" and "Save" (select the X.509 Certificate (PEM) format)
      • Save the above files somewhere in your local drive, change the extension to .pem and move them to your user folder (or any other location accessible from ssh)
    2. Create a folder to hold the cert(s):docker@boot2docker:~$ sudo mkdir /var/lib/boot2docker/certs/
    3. Copy the cert files(s) to that location: docker@boot2docker:~$ sudo cp /c/Users/<username>/<folder>/<proxy-cert>.pem /var/lib/boot2docker/certs/
    4. Create the file /var/lib/boot2docker/bootlocal.sh and include the source from https://gist.github.com/irgeek/afb2e05775fff532f960 (I just created the file in Windows using Notepad++ and copied it to the correct location similar to the above step)
    5. Exit ssh and restart: C:\>docker-machine restart
    6. Open the shell docker-machine ssh and verify the changes worked: docker run hello-world

    You should see output which contains something like:

    Hello from Docker.
This message shows that your installation appears to be working correctly.