Doing a docker-machine ls I got the unexpected
Unable to query docker version: Get https://xxxx:2376/v1.15/version: x509: certificate has expired or is not yet valid
for every machine.
I hadn't done anything recently. Looking on SO, I tried some common culprits: VPN, virus, weird clock issues, etc. None of that applied. How can I make them usable again (via the docker-machine interface)?
Using Docker for Mac, 17.12.0-ce-49
Update - as I commented on 2/14/2018, this is now part of docker-machine.
Try: docker-machine regenerate-certs --client-certs
Historical answer below:
First, docker-machine regenerate-certs does NOT regenerate the client certificate(s).
After poking around with openssl I discovered that it was actually the client certificate that had expired. Verify:
openssl x509 -in ~/.docker/machine/certs/cert.pem -text | grep "Not After"
I tried recreating the certs in situ with the same ca.pem but it didn't work out (for me). I'm guessing it would have eventually worked, given a lot more time and trial and error.
What eventually worked was backing up the whole dir, creating a dummy throwaway machine (to force docker-machine to create new certs), moving configs, ssh keys, and server certificates (not client certificates), then issuing a regenerate for each machine. NB, it's disruptive and painful. As the warning shows, docker-machine regenerate-certs will restart docker on the target machine. Though it's too late for me, I would like to see a better answer.
The process looks something like:
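#!/bin/bash
# Back up the existing store, then let docker-machine create fresh client certs.
cd ~/.docker || exit
cp -R machine machine.bak
rm -rf machine
docker-machine create deleteme   # throwaway machine forces new certs
docker-machine rm -f deleteme
cd machine/machines || exit

# Restore each machine's config, ssh keys and server certs, swap in the new
# client cert/key, then regenerate the certs for that machine.
for d in ~/.docker/machine.bak/machines/*/
do
    m=$(basename "$d")
    cp -R "../../machine.bak/machines/$m" .
    rm "$m/cert.pem"
    rm "$m/key.pem"
    cp ../certs/cert.pem "$m"    # new client certs live in ~/.docker/machine/certs
    cp ../certs/key.pem "$m"
    docker-machine regenerate-certs -f "$m"
done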
Try:
docker-machine regenerate-certs --client-certs <machine name>
The --client-certs is important.
Note:
The validity can be inspected by running:
openssl x509 -in ~/.docker/machine/certs/cert.pem -text -noout | less
The result is something like:
Certificate:
Data:
...
Signature Algorithm: sha256WithRSAEncryption
...
Validity
Not Before: Mar 12 09:03:00 2018 GMT
Not After : Feb 24 09:03:00 2021 GMT
...
I wasn't able to solve my problem with the above solutions. So I just removed my machines and the corresponding folder with the certs and I was able to correctly create my machine:
docker-machine rm -y $(docker-machine ls -q)
rm -rf ~/.docker/machine
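Added example, not part of the original answers: a shell helper that runs the openssl expiry check from the answers over the whole docker-machine store, so you can see whether the client certificate (cert.pem) or a machine's server certificate has expired before choosing between regenerate-certs and regenerate-certs --client-certs. The function names are hypothetical, and the ca.pem/server.pem file names assume the usual store layout.

```bash
#!/bin/bash
# Added example (not from the original answers). Assumes the openssl CLI and
# the usual docker-machine store layout: certs/ and machines/<name>/.
# Function names are hypothetical.

# cert_status FILE [WARN_DAYS] -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    local file="$1" warn_secs="$(( ${2:-30} * 86400 ))"
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo UNREADABLE                    # missing file or not a PEM certificate
    elif ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo EXPIRED                       # Not After is already in the past
    elif ! openssl x509 -noout -checkend "$warn_secs" -in "$file" >/dev/null 2>&1; then
        echo EXPIRING                      # still valid, but inside the warning window
    else
        echo OK
    fi
}

# audit_machine_certs [STORE] [WARN_DAYS]
# Prints "STATUS KIND PATH" per certificate; returns 1 if any is EXPIRED.
audit_machine_certs() {
    local store="${1:-$HOME/.docker/machine}" warn="${2:-30}" rc=0 f kind status
    for f in "$store"/certs/*.pem "$store"/machines/*/*.pem; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        case ${f##*/} in
            *key.pem)   continue ;;        # private keys have no validity period
            ca.pem)     kind=ca ;;
            cert.pem)   kind=client ;;     # renewed only with --client-certs
            server.pem) kind=server ;;     # renewed by regenerate-certs
            *)          continue ;;
        esac
        status=$(cert_status "$f" "$warn")
        [ "$status" = EXPIRED ] && rc=1
        printf '%-10s %-6s %s\n' "$status" "$kind" "$f"
    done
    return "$rc"
}

# Usage: audit_machine_certs ~/.docker/machine 30
```

-checkend only looks at Not After, so a certificate that is "not yet valid" because of a wrong clock will still show as OK here.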