Reputation: 196
I have a docker registry that I'm accessing behind an nginx proxy that does authentication using client-side SSL certificates.
When I attempt to push to this registry, I need the docker daemon to send the client certificate to nginx.
According to: https://docs.docker.com/engine/security/certificates/
There should be a directory called /etc/docker where these certificates can go. This directory doesn't exist on Docker for Mac.
So I thought I'd try putting the certificates inside the virtual machine itself by doing:
docker-machine ssh default
This resulted in Docker complaining: Error response from daemon: crypto/tls: private key does not match public key
I don't believe there is anything wrong with my key pair, and I've done this same setup on linux (much easier) without problems.
Upvotes: 8
Views: 18939
Reputation: 1139
On macOS here is what I do in order to get my host TLS certificates inside the Docker containers, not the Docker client (e.g., Docker Desktop):
1. Export the system root certificates from the keychain into a PEM bundle:
mkdir -p ~/.local_certs_for_docker
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > ~/.local_certs_for_docker/system_roots_certs.pem
2. Mount that bundle into the container under /etc/ssl/certs/. Example:
docker run -v ~/.local_certs_for_docker/system_roots_certs.pem:/etc/ssl/certs/ca-certificates.crt ...
Hope it helps!
Upvotes: 1
Reputation: 153
4 yrs later Google still brought me here.
I found the answer in the official docs: (mac) https://docs.docker.com/desktop/faqs/macfaqs/#add-client-certificates (windows) https://docs.docker.com/desktop/faqs/windowsfaqs/#how-do-i-add-client-certificates
Citing from source:
You can put your client certificates in ~/.docker/certs.d/<MyRegistry>:<Port>/client.cert and ~/.docker/certs.d/<MyRegistry>:<Port>/client.key.
When the Docker for Mac application starts up, it copies the ~/.docker/certs.d folder on your Mac to the /etc/docker/certs.d directory on Moby (the Docker for Mac xhyve virtual machine).
- You need to restart Docker for Mac after making any changes to the keychain or to the ~/.docker/certs.d directory in order for the changes to take effect.
- The registry cannot be listed as an insecure registry (see Docker Engine). Docker for Mac will ignore certificates listed under insecure registries, and will not send client certificates. Commands like docker run that attempt to pull from the registry will produce error messages on the command line, as well as on the registry.
Upvotes: 6
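The answer above gives the layout (~/.docker/certs.d/<host>:<port>/client.cert and client.key) and two caveats: restart Docker Desktop after changing the directory, and do not list the registry under insecure registries. The script below is an added example, not code from the answer or from Docker; it stages the files in that layout and runs the two checks a practitioner wants before restarting: that the private key really belongs to the client certificate (a mismatch is what produces the "private key does not match public key" error in the question), and that the registry is not in the insecure-registries array. It assumes the Docker Desktop daemon config lives at $HOME/.docker/daemon.json, that openssl is on the PATH for the key check (skipped with a warning otherwise), and uses registry.example.com:443 as a placeholder name.

```shell
#!/bin/sh
# Added example, not code from the answers above: stage client certificates
# for Docker Desktop on macOS under ~/.docker/certs.d/<host>:<port>/ exactly
# as the cited FAQ describes, after two checks a practitioner wants first.
#   1. The private key belongs to the client certificate. A mismatch is what
#      produces the "crypto/tls: private key does not match public key"
#      error from the question.
#   2. The registry is not listed under "insecure-registries", because the
#      FAQ says Docker Desktop then ignores the certs.d entry and sends no
#      client certificate. Assumption: the daemon config lives at
#      $HOME/.docker/daemon.json.
# All paths derive from $HOME so the script can be exercised against a
# scratch HOME; registry.example.com:443 is a placeholder.

# cert_key_match CERT KEY: 0 if the key matches the certificate, 1 if not,
# 2 if openssl is unavailable and the check cannot be made.
cert_key_match() {
  command -v openssl >/dev/null 2>&1 || return 2
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# registry_is_insecure HOST:PORT: 0 if it appears in the insecure-registries
# array of $HOME/.docker/daemon.json. Plain sed/grep, so no JSON tool needed.
registry_is_insecure() {
  cfg="$HOME/.docker/daemon.json"
  [ -f "$cfg" ] || return 1
  tr -d '\n' < "$cfg" \
    | sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | grep -q "\"$1\""
}

# install_registry_client_certs HOST:PORT CERT KEY [CA]
# Copies the files to the names Docker expects and prints the directory.
# Docker Desktop must be restarted afterwards so it copies the directory
# into the VM's /etc/docker/certs.d.
install_registry_client_certs() {
  registry="$1"; cert="$2"; key="$3"; ca="$4"
  case "$registry" in
    *:*) ;;
    *) echo "registry must be host:port, e.g. registry.example.com:443" >&2; return 1 ;;
  esac
  if registry_is_insecure "$registry"; then
    echo "$registry is under insecure-registries; Docker Desktop would not send client certs" >&2
    return 1
  fi
  rc=0; cert_key_match "$cert" "$key" || rc=$?
  case $rc in
    0) ;;
    2) echo "openssl not found, skipping key/certificate consistency check" >&2 ;;
    *) echo "private key does not match the client certificate" >&2; return 1 ;;
  esac
  dir="$HOME/.docker/certs.d/$registry"
  mkdir -p "$dir" || return 1
  cp "$cert" "$dir/client.cert" || return 1
  cp "$key" "$dir/client.key" || return 1
  chmod 600 "$dir/client.key"
  if [ -n "$ca" ]; then
    cp "$ca" "$dir/ca.crt" || return 1
  fi
  echo "$dir"
}

# Usage: install_registry_client_certs registry.example.com:443 client.pem client.key ca.pem
```

The insecure-registries check is done with sed and grep rather than a JSON parser so that it runs on a stock macOS install; it is deliberately conservative (any occurrence of the quoted host:port inside that array counts). The key check compares the SubjectPublicKeyInfo extracted from the certificate with the public half of the key, which works for RSA and EC keys alike.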
Reputation: 140
This is the current (Oct. 2022) docs for Docker for Mac. (I made it clear to see the full URL!)
There should be a directory called /etc/docker where these certificates can go. This directory doesn't exist on Docker for Mac.
In my case, I also don't have /etc/docker by default. If you use ~/.docker, Docker Desktop will pass an alias into /etc/docker.
I don't believe there is anything wrong with my key pair, and I've done this same setup on linux (much easier) without problems.
You can try putting your key pairs under ~/.docker/certs.d/Hostname:port, and restart your Docker Desktop for Mac. As a result, I guess you can achieve what you want.
Upvotes: 0
Reputation: 1050
https://docs.docker.com/desktop/mac/#add-tls-certificates works for me and here is a short description of how to for users who use
# Add the cert for all users
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
# Add the cert for yourself
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ca.crt
Upvotes: 0
Reputation: 6782
A self-signed TLS CA can be installed like this; your certs might reside in the same directory.
sudo mkdir -p /Applications/Docker.app/Contents/Resources/etc/ssl/certs
sudo cp my_ca.pem /Applications/Docker.app/Contents/Resources/etc/ssl/certs/ca-certificates.crt
Upvotes: 1