问题
I am trying to run the following docker command:
docker run -i -t ubuntu /bin/bash
But I get the error:
Unable to find image 'ubuntu' (tag: latest) locally
Pulling repository ubuntu
2013/11/28 14:00:24 Get https://index.docker.io/v1/images/ubuntu/ancestry: x509: certificate signed by unknown authority
I know that our company replaces the SSL Certificate on the fly for https requests.
I tried to trust our company's CA certificate by putting it in:
/etc/pki/tls/certs/ca-bundle.crt
and
/etc/pki/tls/cert.pem
But it is still not working.
Any ideas?
回答1:
To configure docker to work with a proxy system you first need to add the HTTPS_PROXY / HTTP_PROXY environment variable to the docker sysconfig file. However depending on if you use init.d or the services tool you need to add the "export" statement. As a workaround you can simply add both variants in the sysconfig file of docker:
/etc/sysconfig/docker
HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
To get docker working with ssl intercepting proxies you have to add the proxy root certificate to the systems trust store.
For CentOS copy the file to /etc/pki/ca-trust/source/anchors/ and update the ca trust store. Restart the docker service afterwards. If your proxy uses NTLM authentication - it's necessary to use intermediate proxies like cntlm. This blog post explains it in detail
回答2:
According to http://golang.org/src/pkg/crypto/x509/root_unix.go, you should append your certificate to one of the following:
- /etc/ssl/certs/ca-certificates.crt
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/ca-bundle.pem
- /etc/ssl/cert.pem
- /usr/local/share/certs/ca-root-nss.crt
Find the one that exists on your system, and append your certificate to it.
(And be ready to do it again when you upgrade the package containing that file...)
I hope there is a better method, but this is the only one I found so far :-)
回答3:
@jpetazzo's answer is overall correct, however there is a nicer way to do the same thing (without manually editing a ca-bundle file):
on CentOS:
sudo cp yourcert.crt /etc/pki/ca-trust/source/anchors/ sudo update-ca-trust extract sudo service docker restarton Debian:
sudo cp yourcert.crt /usr/local/share/ca-certificates/ sudo update-ca-certificates sudo service docker restart
Note that restarting docker daemon is necessary!
来源:https://stackoverflow.com/questions/20267339/docker-behind-proxy-that-changes-ssl-certificate