在更改 SSL 证书的代理后,在 Mac 上使用 Docker

huangapple go评论106阅读模式
英文:

Docker on Mac behind proxy that changes ssl certificate

问题

我最终解决下面问题的方法是说服我们的IT人员不要对dockerhub注册表进行中间人攻击。不幸的是,我无法找到其他解决办法。

我在工作中的Mac上遇到了一个问题,即无法成功运行Docker,我的Mac系统版本是10.8.5。似乎是因为公司的证书重写代理阻止了获取镜像:

orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")

(实际上,当我连接到没有这个干扰代理的访客无线网络时,可以绕过这一步。然而,我需要找出如何通过代理使其工作,因为使用访客无线网络作为长期解决方案是不可行的。)

表面上看,我的问题似乎与这个问题中的问题非常相似。然而,那个问题中被接受的答案对我不起作用,因为他们讨论的root_unix.go文件在Mac上不会被调用。(从浏览周围的内容来看,我猜测可能涉及到root_cgo_darwin.go和/或root_darwin.go。)

这并没有告诉我在操作上如何执行相当于安装某种可信证书的工作。我设法获取了一个*.cer文件,我相信这就是我需要的文件,但我不知道该怎么处理它。

我希望有人能指点我正确的方向。

**编辑:**我认为也许我需要做类似于这个页面建议的,添加证书。然而,我按照那些说明尝试失败了:

orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer"
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer

编辑2:我可能离解决问题更近了一步。我应该知道在引号内使用带有波浪符的路径是错误的。如果我使用绝对路径,我可以成功运行上述命令来添加证书。

然而,这并没有解决最终的问题:

FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
英文:

My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.

I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:

orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth") 

(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)

My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)

That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.

I'm hoping that someone can point me in the right direction.

Edit: I thought that maybe I needed to to something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:

orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer" 
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer

Edit 2: I may have come one step closer to solving this. I should have known better to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.

Alas, this did not alleviate the ultimate symptom:

FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth") 

答案1

得分: 7

根据boot2docker的README文件:

不安全的注册表

自Docker版本1.3.1起,如果您的注册表不支持HTTPS,您必须将其添加为不安全的注册表。

$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
然后您应该能够执行docker push/pull操作。
英文:

According to the boot2docker README

Insecure Registry

As of Docker version 1.3.1, if your registry doesn&#39;t support HTTPS, you must add it as an insecure registry.

$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo &#39;EXTRA_ARGS=&quot;--insecure-registry &lt;YOUR INSECURE HOST&gt;&quot;&#39; | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
then you should be able to do a docker push/pull.

答案2

得分: 4

http://golang.org/src/crypto/x509/root_darwin.go的源代码显示,使用以下命令来查找证书:

cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")

尝试将.cer文件添加到OSX证书钥匙串中。

英文:

The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:

cmd := exec.Command(&quot;/usr/bin/security&quot;, &quot;find-certificate&quot;, &quot;-a&quot;, &quot;-p&quot;, &quot;/System/Library/Keychains/SystemRootCertificates.keychain&quot;)

is used to find the certificate.

Try adding the .cer file into the OSX certificate key-chain.

答案3

得分: 0

如果你使用docker-machine,编辑$USER/.docker/machine/machines/default/config.json文件:

"EngineOptions": {
    "InsecureRegistry": [
        "XXX.XXX.virtual"
    ],
}
英文:

If you use the docker-machine

edit $USER/.docker/machine/machines/default/config.json

&quot;EngineOptions&quot;: {
    &quot;InsecureRegistry&quot;: [
        &quot;XXX.XXX.virtual&quot;
    ],
}

huangapple
  • 本文由 发表于 2014年12月18日 06:39:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/27536180.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定