18

I am trying to publish a docker image to a private repository, but I cannot figure out where I am supposed to place the SSL cert on a Windows machine.

According to this page, the cert is supposed to go in the /etc/docker/certs.d/HOSTNAME directory. This is clearly not a Windows path. However when I run the docker terminal and I type cd /etc it does take me to a working directory.

After some investigation I discovered it was going to C:\Program Files\Git\etc, so I created a docker\certs.d\docker-registry.lan (docker-registry.lan is our internal registry) directory under that path. Then I restarted docker machine with the docker-machine stop and docker-machine start commands.

However when I try a push I am getting an error that says

x509: certificate signed by unknown authority 

This key works fine for others that are doing this through Linux so I know the key is fine. I believe the problem is that I am not storing the key in the correct location.

I have tried a bunch of different locations for the key, but none seem to work. This has to be an easy fix that I am missing. Can someone who has solved this help me?

4
  • The path refers to a path on the Docker Machine named default, which is actually a VirtualBox vm. You can use docker-machine scp local_certs_path default:/etc/docker/certs.d/HOSTNAME to copy the certs to that machine. Commented Mar 16, 2016 at 16:40
  • 1
    @warmoverflow Thanks, that makes a lot of sense. However when I try $ docker-machine scp /c/ca.crt default:/etc/docker/certs.d/docker-registry.lan I get the following error Error loading host: Error loading host: Host does not exist: "C" Commented Mar 16, 2016 at 16:59
  • Unfortunately I cannot test at the moment. Can you try //c/ca.crt? Commented Mar 16, 2016 at 17:01
  • 1
    //c/ca.crt: No such file or directory. I noticed that when I run docker-machine env it lists DOCKER_CERT_PATH="C:\Users\rmclaughlin\.docker\machine\machines\default. Is this the path I need? Commented Mar 16, 2016 at 17:32

6 Answers

14

Things have changed and there is no need to put cert files or worry about port numbers anywhere on Windows 10. (As of 7/21/2019)

On Docker Community 2.0.0.3 (31259) simply add the public cert of your docker repo to the "Trusted Root Authorities Store" on the local machine. You can double click on your certificate and it will start the process of asking you where you'd like to put it. (It may work for current user store as well, didn't check).

Once you add the cert to the store, restart the Docker service and you can then push/pull from your private repo.

The docker VM underneath gets all the trusted root authorities from Windows during startup and manages that for you.


9

If you're running Docker daemon natively on Windows, the correct location is C:\ProgramData\docker\certs.d\myregistrydomain.com5000\ca.crt. Details here: https://github.com/docker/docker/issues/21189#issuecomment-234997515


4

Configure the Docker Client on Windows

To pass the registry's CA certificate to a Docker client that is running on Windows 10, use the Windows Certificate Import Wizard.

  1. Copy the ca.crt file to the Windows 10 machine on which you run the Docker client.
  2. Right-click the ca.crt file and select Install Certificate.
  3. Follow the prompts of the wizard to install the certificate.
  4. Restart the Docker daemon:
     • Click the up arrow in the task bar to show running tasks.
     • Right-click the Docker icon and select Settings.
     • Select Reset and click Restart Docker.
  5. Log in to the registry server: docker login registry_ip


2

On Docker Enterprise Edition (Docker EE) for Windows Server it works with "Martin Eden"'s instructions from:

https://github.com/moby/moby/issues/21189

  • Start > "Manage Computer Certificates" (also available in the control panel)
  • Right-click on "Trusted Root Certification Authorities" > "All tasks" > "Import"
  • Browse to the crt file and then keep pressing "Next" to complete the wizard
  • Restart Docker EE
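
The Trusted Root import that the answers above perform through the wizard, scripted as an added example (not part of any answer on this page). Both parameters are supplied by you; run it from an elevated prompt, and note that a certificate in the LocalMachine Root store is trusted for every TLS connection the machine makes, not only for Docker.

```powershell
# Added example. -CaPath is your registry's ca.crt; -ExpectedSha256 is the
# fingerprint you obtained out of band (e.g. from the registry administrator).
param(
    [Parameter(Mandatory = $true)][string]$CaPath,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# .NET resolves relative paths against the process directory, so make it absolute.
$CaPath = (Resolve-Path -LiteralPath $CaPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath

# 1. Confirm this is the certificate you were given: SHA-256 over the DER bytes.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''
if ($actual -ne $expected) {
    throw "Fingerprint mismatch, refusing to trust. File has SHA-256 $actual"
}

# 2. Sanity checks before granting machine-wide trust.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "Not marked as a CA (a self-signed server certificate?): $($cert.Subject)"
}

# 3. Import only if it is not already in the Trusted Root store.
$existing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Imported $($cert.Subject), thumbprint $($cert.Thumbprint)"
}

# 4. Restart Docker as the answers describe, then retry the push.
```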


0

The solution is

  1. Switch to the local folder that contains ca.crt
  2. Copy the file to the vm: docker-machine scp ca.crt default:.
  3. Login to the vm: docker-machine ssh default
  4. Create the required folder: sudo mkdir /var/lib/boot2docker/certs
  5. Copy the cert to the location: sudo cp ca.crt /var/lib/boot2docker/certs
  6. Exit the vm: exit
  7. Restart the vm: docker-machine restart default

Answer based on https://github.com/docker/machine/issues/1717 and https://github.com/boot2docker/boot2docker/issues/347

1 Comment

docker-machine has been deprecated in the meantime
0

@warmoverflow

Hi, as in your reply, Docker can register certs automatically.

But according to "README.md" from boot2docker, you can use not .crt but .pem files.

(in .pem format) into the /var/lib/boot2docker/certs/ directory, and Boot2Docker will automatically load it from the persistence partition at boot.

Just rename the .crt file to a .pem file.

https://github.com/boot2docker/boot2docker/pull/807.
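
A rename yields a valid .pem only when the .crt already holds PEM text; a DER-encoded .crt has to be converted. The following is an added example (not from the answer or from boot2docker) that writes a PEM copy in either case; both paths are supplied by you.

```powershell
# Added example. -CrtPath is the existing certificate; -PemPath is optional
# and defaults to the same name with a .pem extension.
param(
    [Parameter(Mandatory = $true)][string]$CrtPath,
    [string]$PemPath
)
$ErrorActionPreference = 'Stop'

$CrtPath = (Resolve-Path -LiteralPath $CrtPath).Path
if (-not $PemPath) { $PemPath = [System.IO.Path]::ChangeExtension($CrtPath, '.pem') }

$bytes = [System.IO.File]::ReadAllBytes($CrtPath)
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)

if ($text -match '-----BEGIN CERTIFICATE-----') {
    # Already PEM: a byte-for-byte copy under the new name is enough.
    [System.IO.File]::WriteAllBytes($PemPath, $bytes)
    Write-Output "Input was PEM; copied to $PemPath"
} else {
    # Binary DER: parse it (this throws if it is not a certificate at all),
    # then re-encode as base64 in 64-character lines between PEM markers.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $b64  = [Convert]::ToBase64String($cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
    [System.IO.File]::WriteAllText($PemPath, ($pem -join "`n") + "`n", [System.Text.Encoding]::ASCII)
    Write-Output "Input was DER; wrote PEM for $($cert.Subject) to $PemPath"
}
```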
