I have been blocked by SSL issues and unable to use docker for quite a while now.
I did some reading and found out some useful info in OpenSSL documentation and on a user blog about docker.
The issue is that my company uses its own SSL cert to re-encrypt all SSL traffic after it is filtered on the company's internal network.
The root CA cert is not trusted by all browsers and tools, so it needs to be imported to make your life less painful :)
To import a cert on CentOS, save it under the path below:
/usr/share/pki/ca-trust-source/anchors
The anchors folder should contain certs that are in PEM format.
Once the cert is saved, you need to run the command:
update-ca-trust
This will update the system wide trust store at:
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
This file is linked under:
/etc/ssl/certs
Once this is done, you need to follow the steps in this wiki:
http://richmegginson.livejournal.com/27936.html
In my case, the steps are:
cd /etc/docker/certs.d
mkdir dseab33srnrn.cloudfront.net
cd dseab33srnrn.cloudfront.net
ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
systemctl restart docker
Each time a docker pull is needed from a different web host, the last part of the steps (the ones under /etc/docker/certs.d) must be executed for that host so that docker can trust the cert.
Thanks to Rich Megginson for solving this issue by looking up the docker code.
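Since the per-host step has to be repeated for every registry host, it can be wrapped in a small script. This is an added example, not taken from the original post or from the linked wiki; the function names and the ROOT prefix variable are assumptions made for illustration, while the paths are the ones given above.

```shell
#!/bin/sh
# Added example: the per-registry trust step from the post, made repeatable.
# ROOT is a hypothetical prefix (default: the real filesystem) so the logic
# can be exercised against a scratch directory.
ROOT="${ROOT:-}"
BUNDLE_REL="/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"

# Return 0 if the file looks like a PEM certificate (what anchors/ expects).
is_pem_cert() {
    [ -f "$1" ] && grep -q -- '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$1"
}

# Create $ROOT/etc/docker/certs.d/<host>/ and link the system bundle into it.
# Returns 2 on a bad host name, 3 if the bundle is missing or not PEM.
trust_registry_host() {
    host="$1"
    case "$host" in
        ''|*/*|*..*|-*) echo "refusing host name: '$host'" >&2; return 2 ;;
    esac
    bundle="$ROOT$BUNDLE_REL"
    if ! is_pem_cert "$bundle"; then
        echo "bundle missing or not PEM: $bundle (run update-ca-trust first)" >&2
        return 3
    fi
    dir="$ROOT/etc/docker/certs.d/$host"
    mkdir -p "$dir" || return 1
    # -f replaces a stale link, so re-running for the same host is safe
    ln -sf "$bundle" "$dir/ca-bundle.trust.crt"
}

# Usage (as root): sh trust-host.sh <registry-host> [<registry-host> ...]
if [ "$#" -gt 0 ]; then
    for h in "$@"; do trust_registry_host "$h" || exit $?; done
    systemctl restart docker
fi
```

Rejecting host names that contain a slash or ".." keeps the created directory inside /etc/docker/certs.d.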