Windows上的Docker(Boot2Docker) - 由未知权限错误签发的证书 [英] Docker on Windows (Boot2Docker) - certificate signed by unknown authority error
问题描述
公司的CA
| __
公司的中级CA
| __
Docker证书
当我尝试运行任何命令,如:
docker运行hello-world
我收到此错误:
获取https://index.docker.io/v1/存储库/库/ hello-world / images:x509:由未知权限签署的证书
我已经找到几个这个问题的答案,但总是适用于Linux环境。如何在Windows中解决这个问题?
这个一般问题一直困扰着我几个月的时间。我第一次注意到,当尝试获取一个本地虚拟机来获取Python包时,所以我已经有一个想法证书是一个问题。我为我的虚拟机解决了这个问题,但直到今天才能为Docker找到解决方案。诀窍是将证书添加到Docker的cert store并使其持久化。这是通过使用每次启动时执行的bootlocal.sh脚本来实现的。
我假设你已经找到了Linux的答案,你已经知道了第一步。我会在这里记录他们是为了彻底的,因为其他人可能没有得到这么远。如果您已经通过以前的尝试已经完成#1和#2,请从下面的#3开始。
-
获取集的企业根证书,应该安装在公司配置的浏览器中。在Chrome中,您可以转到设置,单击显示高级设置,然后向下滚动到HTTPS / SSL,您可以在其中选择管理证书。我的组织把它们放在信任的根管理机构中,并在组织之后命名它们。导出(我有两个),一次一个,确保选择DER格式。
-
将它们保存到已知位置后,您将想将它们转换为PEM格式。我发现这样做最简单的方法是从Docker Quickstart Terminal中运行openssl.exe [1]命令。
openssl x509 -inform der -in certificate.cer -out certificate.pem
-
一旦拥有.pem文件,您将需要将它们复制到Docker机器可访问的位置。我在c:\Users\my.username\certs中创建了一个目录,并将它们复制到那里。
-
此步骤可能不是必须的,但是这是我做的,它的作品。您将要将这些证书复制到您的boot2docker分区中,该分区是持久的。我连接到我的默认机器,这是您需要为步骤5做的。
MINGW64:$ docker-machine ssh default
docker @ default:〜$ sudo -s
root @ default:/ home / docker#mkdir / var / lib / boot2docker / certs
root @ default:/ home / docker#cp /c/Users/my.username/certs/*.pem / var / lib / boot2docker / certs /
-
现在是时候写一个bootlocal.sh脚本,每次系统启动时都会将证书复制到正确的位置。[2]如果还没有,请按照步骤4打开与机器的SSH连接。
touch / var / lib / boot2docker /bootlocal.sh&&& chmod + x /var/lib/boot2docker/bootlocal.sh
vi /var/lib/boot2docker/bootlocal.sh
插入以下内容并保存文件:
#!/ bin / sh
mkdir -p /etc/docker/certs.d&& cp certs / certificate.pem /etc/docker/certs.d
-
重新启动机器,通过使用机器内的reboot命令,或者使用Docker终端的docker-machine命令:
docker-机器重新启动默认
现在你应该能够运行你好世界等。我希望这有助于。
来源
[1] https://serverfault.com/questions/254627/how-to- convert-a-cer-file-in-pem
[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043
I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self signed CA's. Thus, the chain ends up like this:
Company's CA
|__
Company's Intermediate CA
|__
Docker Certificate
When I try to run any command, such as:
docker run hello-world
I get this error:
Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority
I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?
This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn't until today been able to work out a solution for Docker. The trick is to add the certificates to Docker's cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.
I assume if you've already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you've already done #1 and #2 by way of previous attempts.
Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Cerftification Authorities and named them after the organization. Export each (I have two), one at a time, making sure to choose DER format.
Once you have them saved to a known location, you will want to convert them to PEM format. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.
openssl x509 -inform der -in certificate.cer -out certificate.pem
Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access. I made a directory in c:\Users\my.username\certs and copied them there.
This step may not be strictly necessary, but it's what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.
MINGW64:$ docker-machine ssh default docker@default:~$ sudo -s root@default:/home/docker# mkdir /var/lib/boot2docker/certs root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
Now it's time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven't already, open an SSH connection to the machine, per Step 4.
touch /var/lib/boot2docker/bootlocal.sh && chmod +x /var/lib/boot2docker/bootlocal.sh vi /var/lib/boot2docker/bootlocal.sh
Insert the following and save the file:
#!/bin/sh mkdir -p /etc/docker/certs.d && cp certs/certificate.pem /etc/docker/certs.d
Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:
docker-machine restart default
Now you should be able to run 'hello-world' and others. I hope this helps.
Sources
[1] https://serverfault.com/questions/254627/how-to-convert-a-cer-file-in-pem
[2] https://github.com/boot2docker/boot2docker/issues/347#issuecomment-189112043
这篇关于Windows上的Docker(Boot2Docker) - 由未知权限错误签发的证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!