Docker SSL Cert for windows

10
votes

I am trying to publish a docker image to a private repository, but I cannot figure out where I am suppose to place the SSL cert on a Windows machine.

According to this page https://docs.docker.com/engine/security/certificates/ the cert is supposed to go in the /etc/docker/certs.d/HOSTNAME directory. This is clearly not a Windows path. However when I run the docker terminal and I type cd /etc it does take me to a working directory.

After some investigation I discovered it was going to C:\Program Files\Git\etc, So I created a docker\certs.d\docker-registry.lan (docker-registry.lan is our internal registry) directory under that path. Then I restart docker machine with a docker-machine stop, docker-machine start commands.

However when I try a push I am getting an error that says x509: certificate signed by unknown authority

This key works fine for others that are doing this through linux so I know the key is fine. I believe the problem is that I am not storing the key in the correct location.

I have tried a bunch of different loactions for the key, but none seems to work. This has to be an easy fix that I am missing. Can someone who has solved this help me?

Thanks

5
windowsdocker
The path refers to a path on the Docker Machine named default, which is actually a VirtualBox vm. You can use docker-machine scp local_certs_path default:/etc/docker/certs.d/HOSTNAME to copy the certs to that machine.Xiongbing Jin
@warmoverflow Thanks, that makes a lot of sense. However when I try $ docker-machine scp /c/ca.crt default:/etc/docker/certs.d/docker-registry.lan I get the following error Error loading host: Error loading host: Host does not exist: "C"ryanmc
Unfortunately I cannot test at the moment. Can you try //c/ca.crt?Xiongbing Jin
//c/ca.crt: No such file or directory I noticed that when I run docker-machine env it lists DOCKER_CERT_PATH="C:\Users\rmclaughlin\.docker\machine\machines\default is this that path I need?ryanmc

5 Answers

7
votes

If you're running Docker daemon natively on Windows, the correct location is C:\ProgramData\docker\certs.d\myregistrydomain.com5000\ca.crt. Details here: https://github.com/docker/docker/issues/21189#issuecomment-234997515

6
votes

Things have changed and there is no need to put cert files or worry about port numbers anywhere on Windows 10. (As of 7/21/2019)

On Docker Community 2.0.0.3 (31259) simply add the public cert of your docker repo to the "Trusted Root Authorities Store" on the local machine. You can double click on your certificate and it will start the process of asking you where you'd like to put it. (It may work for current user store as well, didn't check).

Once you add the cert to the store, restart the Docker service and you can then push/pull from your private repo.

The docker VM underneath gets all the trusted root authorities from Windows during startup and manages that for you.

2
votes

The solution is

  1. Switch to the local folder where ca.crt is in
  2. Copy the file to the vm: docker-machine scp ca.crt default:.
  3. Login to the vm: docker-machine ssh default
  4. Create the required folder: sudo mkdir /var/lib/boot2docker/certs
  5. Copy the cert to the location: sudo cp ca.crt /var/lib/boot2docker/certs
  6. Exit the vm: exit
  7. Restart the vm: docker-machine restart default

Answer based on https://github.com/docker/machine/issues/1717 and https://github.com/boot2docker/boot2docker/issues/347

1
votes

Configure the Docker Client on Windows

To pass the registry's CA certificate to a Docker client that is running on Windows 10, use the Windows Certificate Import Wizard.

Copy the ca.crt file to the Windows 10 machine on which you run the Docker client.
Right-click the ca.crt file and select Install Certificate.
Follow the prompts of the wizard to install the certificate.
Restart the Docker daemon:
    Click the up arrow in the task bar to show running tasks.
    Right-click the Docker icon and select Settings.
    Select Reset and click Restart Docker.
Log in to the registry server.

docker login registry_ip
0
votes

@warmoverflow

Hi, as your reply Docker can registry certs automatically.

but according to "README.md" from boot2docker you can use not .crt but .pem files.

(in .pem format) into the /var/lib/boot2docker/certs/ directory, and Boot2Docker will automatically load it from the persistence partition at boot.

just rename .crt file to .pem file.

https://github.com/boot2docker/boot2docker/pull/807.