After upgrade to 17.12.0-ce-win46, SSL cert errors trying to connect to private registry #1512

Closed
philsttr opened this issue Jan 10, 2018 · 17 comments

Comments

@philsttr

Expected behavior

Able to securely connect to a private docker registry whose certificate is signed by an internal CA, whose certificate is in the Windows trust store.

Actual behavior

After upgrading to Docker Community Edition 17.12.0-ce-win46 2018-01-09 (Stable), docker for windows is no longer able to securely connect to my company's internal docker registry.

The error received is

Get https://<redacted>.com/v2/: x509: certificate signed by unknown authority

The internal docker registry's certificate is signed by my company's internal CA. This CA certificate is in the Windows trust store.

This worked with the previous version of Docker for Windows... Docker Community Edition 17.09.1-ce-win42 2017-12-11 (Stable)

Information

Diagnostic ID: 5EC10184-B19E-4741-8B82-1F9302111D64/2018-01-09_17-37-39

Windows 10 Version 1607 (OS Build 14393.1884)

Steps to reproduce the behavior

  1. Install 17.09.1-ce-win42
  2. Add trusted CA certificate to the Windows trust store
  3. Attempt to pull an image from a secure private registry whose ssl cert is signed by the above CA cert
  4. Ensure pull works
  5. Upgrade to 17.12.0-ce-win46
  6. Attempt to pull an image from a secure private registry whose ssl cert is signed by the above CA cert
  7. Notice the pull fails with 'certificate signed by unknown authority' error

@Tibrim

Tibrim commented Jan 10, 2018

+1 Seeing this behavior after upgrading to 17.12.0-ce-win46

@ethnchao

+1 Same!

@erlendtv

+1 Same!

@maurerit

+1 Same but against docker hub (our network has a firewall in place terminating SSL with its own CA, which is trusted in the Trusted Root Certification Authorities store).

@ghost

ghost commented Jan 10, 2018

+1 Same. Blocked!

@drwatson1

+1
"Push" doesn't work either, with the same error. It is critical for me. I have to publish a new version of the image to deploy a release to our customers but I can't do this!

@drwatson1

I found a workaround. The error disappeared after I added my private registry to the "Insecure registries" list on the "Daemon" page of Settings. But the registry is not insecure!

@RobPurcellUK

And another here, same issue but connecting to docker hub as well as (externally hosted) private repo. We have an SSL intercepting proxy with internal certificates, so I assume the issue is to do with docker picking up the locally trusted cert store.

@wyckster

wyckster commented Jan 11, 2018

I'm seeing this bug too. And it's only the docker-for-windows machines that can't access the registry. Other linux-based docker machines have no problem accessing the secure registry.

@drwatson1's workaround unblocked our release, thanks for that.

More info, in case it helps:

Windows 10 Enterprise 64-bit, x64
Docker version 17.12.0-ce, build c97c6d6

Version 17.12.0-ce-win46 (15048)
Channel: stable
0ac7325

Engine 17.12.0.ce
Machine: 0.13.0
Compose: 1.18.0
Notary: 0.4.3
Credential Helpers: 0.6.0

Kernel Version: 4.9.60-linuxkit-aufs

@tomthetommy

Same issue here. Is there any movement with this? The root and intermediate certs are all available within the Windows Cert store, so nothing is broken in that aspect.

@tomthetommy

UPDATE: Version 17.12.0-ce-win47 (15139) has been released to fix this issue.

Confirmed the issue is resolved.

@djs55

djs55 commented Jan 12, 2018

@tomthetommy thanks for confirming the issue is fixed for you.

@dylanneild

dylanneild commented Jan 15, 2018

This issue is still occurring for me on 17.12.0-ce-mac47 - docker command line can't verify certificates:

error during connect: Get https://server-name-here:2376/v1.35/containers/json?all=1: x509: certificate is not valid for any names, but wanted to match server-name-here

Any ideas?
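
The two x509 messages quoted in this thread come from Go's `crypto/x509` and signal different failures: "certificate signed by unknown authority" is an `UnknownAuthorityError` (the CA is not in the root pool the client consulted), while "certificate is not valid for any names" is a `HostnameError` (the certificate has no SAN covering the requested name). An added example, not part of the original thread or Docker's code, which reproduces both with a constructed CA and leaf certificates; the host name and subjects are made up:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs the constructed template tpl with the parent's key; a nil parent yields a self-signed root.
func issue(tpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tpl.NotBefore, tpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demo returns Verify's error type for: CA absent from the pool, CA present, CA present but no SAN ("<nil>" = trusted).
func demo() [3]string {
	const host = "registry.internal.example" // constructed name, not from the thread
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	good, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "leaf"}, DNSNames: []string{host}}, ca, caKey)
	noSAN, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "leaf"}}, ca, caKey)
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	verdict := func(leaf *x509.Certificate, roots *x509.CertPool) string {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return fmt.Sprintf("%T", err)
	}
	return [3]string{verdict(good, x509.NewCertPool()), verdict(good, withCA), verdict(noSAN, withCA)}
}

func main() { fmt.Println(demo()) }
```

The first and second results use the same leaf certificate; only the root pool differs, which is why a client that stops reading the host's trust store fails against a registry whose certificate is otherwise valid.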

@maurerit

Confirming that Version 17.12.0-ce-win47 (15139) fixes the issue for me.

@docker-robott

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@af6140

af6140 commented Dec 17, 2019

I have 17.12.0-ce-win47 but am experiencing the same issue.

@docker-robott

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jun 25, 2020