Where to add client certificates for Docker for Mac?
I have a docker registry that I'm accessing behind an nginx proxy that does authentication using client-side ssl certificates.
When I attempt to push to this registry, I need the docker daemon to send the client certificate to nginx.
According to: https://docs.docker.com/engine/security/certificates/
There should be a directory called /etc/docker where these certificates can go. This directory doesn't exist on Docker for Mac.
So I thought I'd try putting the certificates inside the virtual machine itself by doing:
docker-machine ssh default
This resulted in docker complaining: Error response from daemon: crypto/tls: private key does not match public key
I don't believe there is anything wrong with my key pair, and I've done this same setup on Linux (much easier) without problems.
Solution 1:[1]
4 yrs later Google still brought me here.
I found the answer in the official docs: https://docs.docker.com/desktop/mac/#add-client-certificates
Citing from source:
You can put your client certificates in ~/.docker/certs.d/<MyRegistry>:<Port>/client.cert and ~/.docker/certs.d/<MyRegistry>:<Port>/client.key. When the Docker for Mac application starts up, it copies the ~/.docker/certs.d folder on your Mac to the /etc/docker/certs.d directory on Moby (the Docker for Mac xhyve virtual machine).
- You need to restart Docker for Mac after making any changes to the keychain or to the ~/.docker/certs.d directory in order for the changes to take effect.
- The registry cannot be listed as an insecure registry (see Docker Engine). Docker for Mac will ignore certificates listed under insecure registries, and will not send client certificates. Commands like docker run that attempt to pull from the registry will produce error messages on the command line, as well as on the registry.
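The per-registry layout quoted above is easy to get subtly wrong (wrong extension, missing port, or a key that does not belong to the certificate, which is exactly the daemon error in the question). The following is an added helper script, not from the answer or from Docker; it assumes openssl is on PATH and that CERTS_DIR / DAEMON_JSON may be overridden (they default to the usual ~/.docker locations).

```shell
#!/bin/sh
# Added example: stage a client cert/key pair in the layout Docker Desktop copies
# into its VM (~/.docker/certs.d/<host>:<port>/client.cert + client.key).
# Assumed: openssl on PATH; CERTS_DIR and DAEMON_JSON are overridable variables.

# cert_matches_key CERT KEY -> 0 if the key's public half equals the cert's.
# This catches "crypto/tls: private key does not match public key" up front.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_registry_client_cert HOST PORT CERT KEY [CA]
# Docker reads *.cert + *.key as a client pair and *.crt as a CA root, so the
# destination file names are fixed; the source file names do not matter.
install_registry_client_cert() {
    host="$1"; port="$2"; cert="$3"; key="$4"; ca="${5:-}"
    certs_dir="${CERTS_DIR:-$HOME/.docker/certs.d}"
    daemon_json="${DAEMON_JSON:-$HOME/.docker/daemon.json}"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2;; esac
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to install: $key does not match $cert" >&2
        return 1
    fi
    dest="$certs_dir/$host:$port"
    mkdir -p "$dest" || return 1
    cp "$cert" "$dest/client.cert" || return 1
    cp "$key" "$dest/client.key" || return 1
    chmod 600 "$dest/client.key"
    if [ -n "$ca" ]; then
        cp "$ca" "$dest/ca.crt" || return 1   # private CA for the server cert
    fi
    # Heuristic check: a registry under insecure-registries gets no client cert.
    if [ -f "$daemon_json" ] && grep -q "$host:$port" "$daemon_json"; then
        echo "warning: $host:$port appears in $daemon_json; remove it from" \
             "insecure-registries or the client certificate will not be sent" >&2
    fi
    echo "installed into $dest; restart Docker Desktop so it is copied into the VM"
}
```

Usage: `install_registry_client_cert registry.example.com 5000 client.pem client-key.pem ca.pem` (constructed names), then restart Docker Desktop as the docs require.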
Solution 2:[2]
A self-signed TLS CA can be installed like this; your certs might reside in the same directory.
sudo mkdir -p /Applications/Docker.app/Contents/Resources/etc/ssl/certs
sudo cp my_ca.pem /Applications/Docker.app/Contents/Resources/etc/ssl/certs/ca-certificates.crt
Solution 3:[3]
https://docs.docker.com/desktop/mac/#add-tls-certificates works for me, and here is a short description of how to do it for users who use
- Docker Desktop
- macOS
- add the cert into the macOS keychain
# Add the cert for all users
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
# Add the cert for yourself
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ca.crt
- restart Docker Desktop
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | bbaassssiiee |
| Solution 3 | xiaojueguan |
