Docker SSL Cert for windows

Question

I am trying to publish a docker image to a private repository, but I cannot figure out where I am suppose to place the SSL cert on a Windows machine.

According to this page, the cert is supposed to go in the /etc/docker/certs.d/HOSTNAME directory. This is clearly not a Windows path. However when I run the docker terminal and I type cd /etc it does take me to a working directory.

After some investigation I discovered it was going to C:\Program Files\Git\etc, so I created a docker\certs.d\docker-registry.lan (docker-registry.lan is our internal registry) directory under that path. Then I restart docker machine with the docker-machine stop and docker-machine start commands.

However when I try a push I am getting an error that says

x509: certificate signed by unknown authority

This key works fine for others that are doing this through Linux so I know the key is fine. I believe the problem is that I am not storing the key in the correct location.

I have tried a bunch of different locations for the key, but none seem to work. This has to be an easy fix that I am missing. Can someone who has solved this help me?

Answer 1

On (Docker EE) Docker Enterprise Edition for Windows Server it works with: "Martin Eden" instructions from:

https://github.com/moby/moby/issues/21189

• Start > "Manage Computer Certificates" (also available in the control panel)
• Right-click on "Trusted Root Certification Authoritites" > "All tasks" > "Import"
• Browse to the crt file and then keep pressing "Next" to complete the wizard
• Restart Docker EE

Answer 2

Configure the Docker Client on Windows

To pass the registry's CA certificate to a Docker client that is running on Windows 10, use the Windows Certificate Import Wizard.

Copy the ca.crt file to the Windows 10 machine on which you run the Docker client.
Right-click the ca.crt file and select Install Certificate.
Follow the prompts of the wizard to install the certificate.
Restart the Docker daemon:
    Click the up arrow in the task bar to show running tasks.
    Right-click the Docker icon and select Settings.
    Select Reset and click Restart Docker.
Log in to the registry server.

docker login registry_ip

Answer 3

Things have changed and there is no need to put cert files or worry about port numbers anywhere on Windows 10. (As of 7/21/2019)

On Docker Community 2.0.0.3 (31259) simply add the public cert of your docker repo to the "Trusted Root Authorities Store" on the local machine. You can double click on your certificate and it will start the process of asking you where you'd like to put it. (It may work for current user store as well, didn't check).

Once you add the cert to the store, restart the Docker service and you can then push/pull from your private repo.

The docker VM underneath gets all the trusted root authorities from Windows during startup and manages that for you.

Answer 4

If you're running Docker daemon natively on Windows, the correct location is C:\ProgramData\docker\certs.d\myregistrydomain.com5000\ca.crt. Details here: https://github.com/docker/docker/issues/21189#issuecomment-234997515

Answer 5

@warmoverflow

Hi, as your reply Docker can registry certs automatically.

but according to "README.md" from boot2docker you can use not .crt but .pem files.

(in .pem format) into the /var/lib/boot2docker/certs/ directory, and Boot2Docker will automatically load it from the persistence partition at boot.

just rename .crt file to .pem file.

https://github.com/boot2docker/boot2docker/pull/807.

Answer 6

The solution is

1. Switch to the local folder where ca.crt is in
2. Copy the file to the vm: docker-machine scp ca.crt default:.
3. Login to the vm: docker-machine ssh default
4. Create the required folder: sudo mkdir /var/lib/boot2docker/certs
5. Copy the cert to the location: sudo cp ca.crt /var/lib/boot2docker/certs
6. Exit the vm: exit
7. Restart the vm: docker-machine restart default

Answer based on https://github.com/docker/machine/issues/1717 and https://github.com/boot2docker/boot2docker/issues/347