
With TLS CLI always asks for CA-cert even without --tlsverify

Open akloeber opened this issue 5 years ago • 4 comments

I have set up TLS for the docker daemon that uses a certificate provided by Let's Encrypt and managed with certbot. Everything looks fine, as accessing the API via curl is successful:

curl --cert client.crt --key client.key https://docker:2376/images/json

Unfortunately I'm not able to communicate with the daemon via Docker CLI:

docker -H tcp://docker:2376 --tls --tlscert=client.crt --tlskey=client.key image ls
unable to resolve docker endpoint: open ~/.docker/ca.pem: no such file or directory

According to the documentation at https://docs.docker.com/engine/security/https/, with --tls it should "authenticate server based on public/default CA pool". Using --tlsverify without --tlscacert has the same effect.

I would expect the following behavior:

  • with --tls: no server verification at all (insecure)
  • with --tlsverify: server verification with the default trust configuration of the underlying OS
  • with --tlsverify + --tlscacert: server verification against the given CA

I reproduced this with Docker version 19.03.8 on Mac OS, as well as Docker version 19.03.5 on Ubuntu 16.04.3 LTS.

 docker version
Client: Docker Engine - Community
 Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:21:11 2020
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:29:16 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

akloeber, Apr 27 '20 06:04

I'm assuming I have the same problem here with docker 19.03.11 The command docker --tls -H 192.168.2.37:2376 ps fails with

unable to resolve docker endpoint: open /root/.docker/ca.pem: no such file or directory

This problem does not occur with docker 18.09.1 on another machine. No docker environment variables are set (checked with env | grep DOCKER). Has the default behavior changed? --tlsverify=false or something does not seem to help.

ploebb, Jun 18 '20 16:06

I hate to write 'bump' comments, but one year has passed; any official comments about this issue? I'm using Docker 20.10.6, exactly the same issue.

My docker server is using a certificate signed by my internal CA certificate, which is added into the system trust store. curl connects to the docker API without any issues, but the docker client won't use the system CA pool as described in the docs.

Client modes

  • tls: Authenticate server based on public/default CA pool

Explicitly pointing --tlscacert to the system CA bundle can be used as a workaround, but that is not a very convenient solution. Debian:

docker --tls --tlscacert=/etc/ssl/certs/ca-certificates.crt -H 127.0.0.1:2376 ps

CentOS:

docker --tls  --tlscacert=/etc/pki/tls/certs/ca-bundle.crt -H 127.0.0.1:2376 ps

hatifnatt, Apr 20 '21 14:04

Why was this flagged as a feature request? It's a bug! It's still there, and affects me today, including with buildx version 0.19.1, when I'm trying to use buildx to connect to an external builder.

puckettgw, Dec 05 '24 18:12

I'd also like to chime in here; this is a bug, it's a pain, and it makes me consider disabling TLS altogether, which would be a net negative for security. That cannot be the right answer.

Radiergummi, Apr 25 '25 11:04