This question already has answers here:
x509: certificate signed by unknown authority - both with docker and with github
(3 answers)
Closed 4 years ago.
i need your help,
My docker don't run on my enterprise, I do not know what to do
kaue default # docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
9bb5a5d4561a: Pulling fs layer
docker: error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/e3/e38bc07ac18ee64e6d59cf2eafcdddf9cec2364dfe129fe0af75f1b0194e0c96/data?verify=1528483070-KGbywXnskgTKu5B9AuTdFPQdYjs%3D: x509: certificate signed by unknown authority.
See 'docker run --help'
.
I have a Windows 7, and Authenticated proxy in my job...
Set the proxy in your environment before running the docker run command...
set HTTPS_PROXY=http://user:password#proxy_name_or_ip:proxy_port
For example
set HTTPS_PROXY=http://myusername:Password1#proxy.local:8080
For docker on windows, follow these steps to configure the proxy variables:
In powershell perform the following for HTTP_PROXY and HTTPS_PROXY:
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://username:password#proxy:port/", [EnvironmentVariableTarget]::Machine)
Once the variables are set, restart the service with powershell:
Restart-Service docker
Edit: For Linux native installs of Docker using systemd, follow these steps to configure your proxy:
Create a systemd drop-in directory for the docker service:
$ sudo mkdir -p /etc/systemd/system/docker.service.d
Create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Or, if you are behind an HTTPS proxy server, create a file called /etc/systemd/system/docker.service.d/https-proxy.conf that adds the HTTPS_PROXY environment variable:
[Service]
Environment="HTTPS_PROXY=https://proxy.example.com:443/"
If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
Or, if you are behind an HTTPS proxy server:
[Service]
Environment="HTTPS_PROXY=https://proxy.example.com:443/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
Flush changes:
$ sudo systemctl daemon-reload
Restart Docker:
$ sudo systemctl restart docker
Verify that the configuration has been loaded:
$ systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
Or, if you are behind an HTTPS proxy server:
$ systemctl show --property=Environment docker
Environment=HTTPS_PROXY=https://proxy.example.com:443/
For special characters in your password, you can use unicode to encode the characters:
If your original password was: F#o:o!B#ar$
The unicode equivalent would be: F%40o%3Ao%21B%23ar%24
Related
Im using centos 7.7 and docker 19.03.
I cannot pull images and getting :
Error response from daemon: Get https://registry-1.docker.io.v2./: dial tcp lookup : server misbehaving
I did what all guides on google suggested:
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Enviroment="HTTP_PROXY=http://myproxy"
systemctl deamon reload
systemctl restart docker
and nothing happends.
if i do echo $http_proxy i see my settings.
more settings:
/etc/enviroment
http_proxy=http://myproxy
https_proxy=https://myproxy
The proxy setting used to work and is working on another server.
On this server i had deleted docker old versions :
docker-1.13.1
docker-common-1.13.1
docker-client-1.13.1
With the older docker it seems to work but with docker-ce it doesnt.
I even rebooted and reinstalled again.
Solved it!
I guess because i am using Centos then doing
systemctl restart docker didnt really work.
Created the directory :
mkdir -p /etc/systemd/system/docker.service.d
Create the file :
nano /etc/systemd/system/docker.service.d/http-proxy.conf
Add the following line:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Restart daemon:
systemctl daemon-reload
And this restart method worked:
service docker restart
and then it accepted all the env vars
Set both variables, and they can both be set to your http server. The variable is for the type of traffic being proxied, not the protocol to the proxy server:
[Service]
Enviroment="HTTP_PROXY=http://myproxy"
Enviroment="HTTPS_PROXY=http://myproxy"
The latest documentation detailing the configuration of Docker to use Proxy server worked for me to build my latest docker image.
For latest docker clients (>= v17.07) create or edit the file ~/.docker/config.json
For older docker clients (<= v17.06) use the --env flag to set the proxy accordingly
Trying to configure a container running outside of GCP to log to Google Cloud Platform (StackDriver). One requirement is that the Docker daemon is able to locate the environment variable GOOGLE_APPLICATION_CREDENTIALS so it can authenticate. One would assume that the following would work, but it doesn't:
GOOGLE_APPLICATION_CREDENTIALS=/usr/local/keys/project-1.json docker run --log-driver=gcplogs ...
That outputs:
ERROR: for api Cannot start service api:
failed to initialize logging driver: google: could not find default credentials.
See https://developers.google.com/accounts/docs/application-default-credentials
for more information.
Haven't found any documentation on how to set that directly on daemon.json, but I don't want that either because I might have different containers logging to different GCP projects.
I've tried this on Mac (docker desktop) and Debian.
This is question that keeps coming back. What is happening here is that environment variable GOOGLE_APPLICATION_CREDENTIALS is loaded by the system docker daemon. System daemons don't see the environment variables set in the user login. What you need to do is set the GOOGLE_APPLICATION_CREDENTIALS at the system level.
Here is how to do that in Ubuntu(Systemd):
$ sudo mkdir -p /etc/systemd/system/docker.service.d
Create /etc/systemd/system/docker.service.d/env.conf with the following content:
[Service]
Environment="GOOGLE_APPLICATION_CREDENTIALS=/path/to/file.json"
Apply the changes.
$ sudo systemctl daemon-reload
Once done restart docker/containerd daemons
$ sudo systemctl restart containerd
$ sudo systemctl restart docker
Test the gcplogs driver
docker run --log-driver=gcplogs --log-opt gcp-project="my-project" hello-world
OS: Centos 7.6.1810
Docker Version: Server Version: 18.09.5
Issue:
My company uses a transparent proxy with an intermediate cert to navigate. I was able to install the cert following doc: https://docs.docker.com/ee/dtr/user/access-dtr/ and these steps:
# Download the DTR CA certificate
sudo curl -k https://<dtr-domain-name>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
sudo update-ca-trust
# Restart the Docker daemon
sudo /bin/systemctl restart docker.service
Curl and Wget are working well, but docker run is not:
bash $ docker run -it cheers
Unable to find image 'cheers:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure.
See 'docker run --help'.
I've tried adding the registry as insecure in daemon.json but it was unsuccessfully.
Has anyone run into the same problem?
I think i figured out what’s going on:
Docker client offers only TLS_ECDHE_* ciphers but .docker.io (behind my corporate proxy) offers only TLS_RSA ciphers.
Without proxy, docker.io offers both types of ciphers.
Now, next challenge: make docker offer TLS_RSA or make my proxy support TLS_ECDHE.
I have no idea how to do either :frowning:
What I want to do:
I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine
What I have done:
I used the following command to start dockerd:
$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
On a second machine I sourced the following variables:
export DOCKER_HOST=tcp://172.19.48.247:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl
and ran docker command succesfully:
$ docker run busybox echo hello
hello
Then I added this host docker-machine:
docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost
Where I am going wrong:
I am getting a x509: certificate signed by unknown authority error now.
$ docker-machine ls
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS Unknown
dockerhost - none Running tcp://172.19.48.247:2376 Unknown Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority
I tried using the docker-machine config but that doesnt work:
$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.
Usage: docker-machine config [OPTIONS] [arg...]
Print the connection config for machine
Description:
Argument is a machine name.
Options:
--swarm Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify
By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.
I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:
docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker
This creates the following directory:
~/.docker/machine/machines/remotedocker
Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker"
Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.
You will need to copy in the ca.pem and key.pem files
At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)" and use your remote daemon successfully.
I'm trying to download a container image from default registry with the command:
docker run -d --name=nginx -p 80:80 nginx:alpine
The output is:
Unable to find image 'nginx:alpine' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'docker run --help'.
I already configured the proxy with cntlm. I'm behind a corporate firewall with Deep Inspection Package (DIP, man in the middle)
Could I define the default registry (https://registry-1.docker.io/v2/) like a insecure registry? How? There are another solution?
I already try the options:
--insecure-registry=registry-1.docker.io:5000
--insecure-registry=registry-1.docker.io
--insecure-registry='*'
--insecure-registry=https://registry-1.docker.io/v2/
Problem resolved.
My SO is mint (based in ubuntu xenial) and docker version 17.06.0-ce
To resolve I needed do put the root certificate from my company's firewall to my linux ca-certificates (reference 1 - https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate). Obs.: Proxy already configured using cntlm (reference 2 - http://cntlm.sourceforge.net/) (reference 3 - https://docs.docker.com/engine/admin/systemd/)
First I exported the certicate installed in my browser, google chrome. From chrome a choose configuration->advanced->privacy and security->manage certificates->trusted root certificate authorities, so I selected the authority, in my case something like mycompany.com. After, I choose export->advance, select X.509 base64 format (*.cer). The correct format is very important. I saved the file ~/certificate.crt.
Create a extra directory:
sudo mkdir /usr/share/ca-certificates/extra
copy the certificate to extra dir:
sudo cp ~/certificate.crt /usr/share/ca-certificates/extra
update ca-certificates config:
sudo dpkg-reconfigure ca-certificates
restart docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Now docker can download images from default registry.