
docker login fails -> x509: certificate signed by unknown authority .. “crypto/rsa: verification error”

I have created a private docker registry which is fronted by NGINX. NGINX is where the ssl terminates.

I am obfuscating my domain by using my-domain.com for the purpose of this question.

I am using OSX 10.10.3 which has boot2docker installed. But it should be noted that the workflow of Vagrant + CoreOS + Docker shouldn't involve boot2docker since I am having issues within the VM(CoreOS) and not the Host(OSX).

I am using Vagrant to spin up a local CoreOS VM from this box. I then ssh into an instance of that VM and attempt to issue the following command

$ docker login docker.my-domain.com

I am then prompted for my username, password, email as expected; and I supply my details.

Note: I am able to issue the above command in the Host OS (OSX) as expected and able to successfully login (generates the ~/.dockercfg file).

I get the following error:

FATA[0008] Error response from daemon: v1 ping attempt failed with error: Get https://docker.my-domain.com/v1/_ping: 
x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to 
verify candidate authority certificate "*.my-domain.com"). If this private registry supports only HTTP or HTTPS 
with an unknown CA certificate, please add `--insecure-registry docker.my-domain.com` to the daemon's 
arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; 
simply place the CA certificate at /etc/docker/certs.d/docker.my-domain.com/ca.crt

I have copied over my ca.crt from my self signing. I can confirm that CoreOS is able to connect properly to my server over SSL. I ran this command

openssl s_client -CAfile /etc/docker/certs.d/docker.my-domain.com/ca.crt -connect docker.my-domain.com:443

And I get the expected 'Verify return code: 0 (ok)'. This leads me to believe it's docker that seems to be having a problem.

$ docker version (from within CoreOS VM)
Client version: 1.6.1-rc2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 17f157d-dirty
OS/Arch (client): linux/amd64
Server version: 1.6.1-rc2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 17f157d-dirty
OS/Arch (server): linux/amd64

After all this, I am not sure what I need to try next. Any and all help is appreciated!

This turned out to be a two part issue. The first issue was that when I placed the certificate file (ca.crt) in the relative /etc/ssl/certs/ folder, I didn't rename the original file with the .pem extension. This meant that when I ran update-ca-certificates to install my custom certificate on the client machine, it wasn't getting recognized. This was hiding the second and main issue.

I wasn't using the correct certificate file. Once I used the correct certificate file, and I renamed the file to have the .pem extension I ran update-ca-certificates and then issued the login command and it worked.

I assume I must have installed the correct version of the cert correctly on my host OSX machine, which is why it worked there but not in the VM.

This is mostly useful for other people running into this. If you are using intermediate certificates, the ca.pem file that docker sees MUST have both the root and the intermediate certificates in it. If you are using client certs, you almost certainly want the full cert chain in your ~/.docker/ca.pem file as well.
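Both answers come down to the same pre-flight check: the CA file must be named so the trust store actually picks it up, and it must contain every certificate in the chain, not just the one handed over as "ca.crt". The script below is an added example, not code from the question or either answer; it assumes, as the accepted answer reports for CoreOS, that the bundle needs a .pem extension, and it uses constructed placeholder PEM blocks (dummy base64 bodies, not real certificates) as sample input.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a CA bundle before
# running update-ca-certificates and retrying `docker login`.
# Assumptions taken from the answers above, not verified here:
#   - the file must end in .pem to be picked up by update-ca-certificates
#   - when an intermediate CA signs the registry cert, the bundle must hold
#     both the intermediate and the root certificate

# Number of PEM certificate blocks in a file (0 when none; never fails).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_bundle FILE [MIN_CERTS]
# Returns 0 when the bundle looks usable, 1 otherwise; reasons go to stderr.
# MIN_CERTS defaults to 2 (root + intermediate); pass 1 for a single
# self-signed root with no intermediate.
check_bundle() {
    bundle=$1
    min=${2:-2}
    status=0

    case "$bundle" in
        *.pem) ;;
        *) echo "$bundle: expected a .pem extension" >&2; status=1 ;;
    esac

    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$bundle" || true)

    # Unequal marker counts mean a truncated or badly concatenated file.
    if [ "$begins" -ne "$ends" ]; then
        echo "$bundle: $begins BEGIN vs $ends END markers (truncated?)" >&2
        status=1
    fi

    # Fewer blocks than expected: the chain is incomplete.
    if [ "$begins" -lt "$min" ]; then
        echo "$bundle: only $begins certificate(s), expected at least $min" >&2
        status=1
    fi

    return $status
}

# Constructed sample input: two placeholder PEM blocks standing in for an
# intermediate and a root. The bodies are dummies, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBdummyIntermediateCertificateBody
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBdummyRootCertificateBody
-----END CERTIFICATE-----
EOF
}

# Demo: the good bundle versus the mistake from the accepted answer
# (wrong extension and only one certificate).
demo() {
    tmp=$(mktemp -d)
    write_sample_bundle "$tmp/ca.pem"
    head -3 "$tmp/ca.pem" > "$tmp/ca.crt"
    check_bundle "$tmp/ca.pem" && echo "ca.pem: looks complete"
    check_bundle "$tmp/ca.crt" || echo "ca.crt: rejected, fix before update-ca-certificates"
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_bundle.sh`; to check a real file, source the script and call `check_bundle /etc/ssl/certs/ca.pem` (or `check_bundle ca.pem 1` when the registry certificate is signed directly by a self-signed root). The check is only structural: a bundle with the right count and extension can still be the wrong certificate, which was the second half of the accepted answer, so the `openssl s_client -CAfile ... -connect` verification from the question remains the real test.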
