
How to ignore certificate errors in Boot2Docker on Windows

I have boot2docker 1.4.1 running on Windows via VirtualBox. I am behind a proxy that MITMs https certificates. I configured the proxy by adding the following lines in /var/lib/boot2docker/profile:

export HTTP_PROXY=<proxyhost>:80
export HTTPS_PROXY=<proxyhost>:80
DOCKER_TLS=no
EXTRA_ARGS="--insecure-registry index.docker.io"

However, when I run docker@boot2docker:~$ docker run hello-world I get:

Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0006] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority

Please help me figure out the correct way to ignore certificate errors. Thanks!

Edit: Looks like the new Docker only works on certain flavors of Windows 10. If you are still stuck on Windows 7, I have updated the below to reflect the steps I had to go through to correct the 'self signed certificate in certificate chain' error when I installed the latest version of docker-toolbox (Docker 1.11.2).


Finally got this working on Windows 7 following the answers here: https://github.com/boot2docker/boot2docker/issues/347

Check that this is your issue by running openssl s_client -showcerts:

docker@boot2docker:~$ openssl s_client -showcerts -CApath . -connect index.docker.io:443

(Edit: removed 32 from -showcerts and corrected host name)

In the certificate chain, you'll see the proxy has inserted itself and the verify returns an error something like this:

Verify return code: 19 (self signed certificate in certificate chain)

If you have the same problem then give the steps below a try:

  1. First, save the certificate you need. Here are the steps to use in Firefox similar to https://stackoverflow.com/a/6966818/1981358 (Chrome and IE should also work using the Certificate Export Wizard; Note: on Windows, the PEM certificate encoding is called Base-64 encoded X.509 (.CER)):
    • In Firefox, go to https://hub.docker.com/
    • Click on the lock icon on the address bar to display the certificate
    • Click through "More Information" -> "Security" -> "View Certificate" -> "Details"
    • Select each node in the hierarchy beginning with the uppermost one, and click on "Export" and "Save" (select the X.509 Certificate (PEM) format)
    • Save the above files somewhere in your local drive, change the extension to .pem and move them to your user folder (or any other location accessible from ssh)
  2. Create a folder to hold the cert(s): docker@boot2docker:~$ sudo mkdir /var/lib/boot2docker/certs/
  3. Copy the cert file(s) to that location: docker@boot2docker:~$ sudo cp /c/Users/<username>/<folder>/<proxy-cert>.pem /var/lib/boot2docker/certs/
  4. Create the file /var/lib/boot2docker/bootlocal.sh and include the source from https://gist.github.com/irgeek/afb2e05775fff532f960 (I just created the file in Windows using Notepad++ and copied it to the correct location similar to the above step)
  5. Exit ssh and restart: C:\>docker-machine restart
  6. Open the shell docker-machine ssh and verify the changes worked: docker run hello-world

You should see output which contains something like:

Hello from Docker.
This message shows that your installation appears to be working correctly.
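
As an added example (not the gist's code and not part of the original answer): a POSIX sh script that appends the certificates saved in step 3 to a CA bundle, skipping files that are not PEM and certificates already present. The bundle path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's code. Appends the proxy CA certificates saved
# in step 3 to a CA bundle. The bundle path below is an assumption; check
# where your boot2docker image keeps its trusted CA file.
CERT_DIR="${CERT_DIR:-/var/lib/boot2docker/certs}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# True if the file carries both PEM markers. A DER (binary) export that was
# only renamed to .pem fails here and would otherwise corrupt the bundle.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Base64 body of a PEM file as one line, CRs from Windows editors removed.
pem_body() {
    tr -d '\r' < "$1" | grep -v -e '-----' | tr -d '\n'
}

# True if this certificate's body is already present in the bundle.
in_bundle() {
    b=$(pem_body "$1")
    [ -n "$b" ] && [ -f "$CA_BUNDLE" ] &&
        tr -d '\r\n' < "$CA_BUNDLE" | grep -qF -e "$b"
}

# Append every new, well-formed certificate; print how many were added.
install_proxy_certs() {
    added=0
    for f in "$CERT_DIR"/*.pem; do
        [ -f "$f" ] || continue
        if ! is_pem "$f"; then
            echo "skipped, not PEM (export as Base-64 encoded X.509): $f" >&2
            continue
        fi
        if in_bundle "$f"; then continue; fi
        # Blank lines around the cert keep PEM markers on their own lines.
        { echo; tr -d '\r' < "$f"; echo; } >> "$CA_BUNDLE"
        added=$((added + 1))
    done
    echo "$added"
}

# Only acts where the certificate folder from step 2 exists.
if [ -d "$CERT_DIR" ]; then install_proxy_certs; fi
```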

If you have Docker for Windows on Windows 10, and you're getting the "x509: certificate signed by unknown authority" error, you can try this:

  1. Run Docker for Windows.
  2. After some time, you'll see the docker icon in the Windows notification area (bottom right)
  3. Right-click the icon and select "Settings..."
  4. The settings window will open. Select "Docker Daemon" on the left.
  5. Add your private registry to the "insecure-registries" collection in the textbox that shows the configuration in JSON format. Then click "Apply".
