问题
I have boot2docker 1.4.1 running on windows via virtualbox. I am behind a proxy that MITMs https certificates. I configured proxy by adding the following lines in /var/lib/boot2docker/profile:
export HTTP_PROXY=<proxyhost>:80
export HTTPS_PROXY=<proxyhost>:80
DOCKER_TLS=no
EXTRA_ARGS="--insecure-registry index.docker.io"
however when I run docker@boot2docker:~$ docker run hello-world I get
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0006] Get https://index.docker.io/v1/repositories/library/hello-world/images
: x509: certificate signed by unknown authority
Please help me figure out the correct way to ignore certificate errors. Thanks!
回答1:
Edit Looks like the new docker only works on certain flavors of Windows 10. If you are still stuck on Windows 7, I have updated the below to reflect the steps I had to go through to correct the 'self signed certificate in certificate chain' error when I installed the latest version of docker-toolbox (Docker 1.11.2).
Finally got this working on Windows 7 following the answers here: https://github.com/boot2docker/boot2docker/issues/347
Check that this is your issue by running openssl s_client -showcerts:
docker@boot2docker:~$ openssl s_client -showcerts -CApath . -connect index.docker.io:443
(Edit: removed 32 from -showcerts and corrected host name)
In the certificate chain, you'll see the proxy has inserted itself and the verify returns an error something like this
Verify return code: 19 (self signed certificate in certificate chain)
If you have the same problem then give the steps below a try :
- First, save the certificate you need. Here are the steps to use in Firefox similar to https://stackoverflow.com/a/6966818/1981358 (Chrome and IE should also work using the Certificate Export Wizard; Note: on Windows, the PEM certificate encoding is called Base-64 encoded X.509 (.CER)):
- In Firefox, go to https://hub.docker.com/
- Click on the lock icon on the address bar to display the certificate
- Click through "More Information" -> "Security" -> "View Certificate" --> "Details"
- Select each node in the hierarchy beginning with the uppermost one, and click on "Export" and "Save" (select the X.509 Certificate (PEM) format)
- Save the above files somewhere in your local drive, change the extension to .pem and move them to your user folder (or any other location accessible from ssh)
- Create a folder to hold the cert(s):
docker@boot2docker:~$ sudo mkdir /var/lib/boot2docker/certs/ - Copy the cert files(s) to that location:
docker@boot2docker:~$ sudo cp /c/Users/<username>/<folder>/<proxy-cert>.pem /var/lib/boot2docker/certs/ - Create the file
/var/lib/boot2docker/bootlocal.shand include the source from https://gist.github.com/irgeek/afb2e05775fff532f960 (I just created the file in Windows using Notepad++ and copied it to the correct location similar to the above step) - Exit ssh and restart:
C:\>docker-machine restart - Open the shell
docker-machine sshand verify the changes worked:docker run hello-world
You should see output which contains something like:
Hello from Docker.
This message shows that your installation appears to be working correctly.
回答2:
If you have Docker for Windows on Windows 10, and you're getting the "x509: certificate signed by unknown authority" error, you can try this:
- Run Docker for Windows.
- After some time, you'll see the docker icon in the Windows notification area (bottom right)
- Right-click the icon and select "Settings..."
- The settings window will open. Select "Docker Daemon" on the left.
- Add your private registry to the "insecure-registries" collection in the textbox that shows the configuration in JSON format. Then click "Apply".
来源:https://stackoverflow.com/questions/28571070/how-to-ignore-certificate-errors-in-boot2docker-on-windows