Docker behind proxy that changes ssl certificate
According to http://golang.org/src/pkg/crypto/x509/root_unix.go, you should append your certificate to one of the following:
- /etc/ssl/certs/ca-certificates.crt
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/ca-bundle.pem
- /etc/ssl/cert.pem
- /usr/local/share/certs/ca-root-nss.crt
Find the one that exists on your system, and append your certificate to it.
(And be ready to do it again when you upgrade the package containing that file...)
I hope there is a better method, but this is the only one I found so far :-)
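The manual step described above, as an added example that is not part of the original answer: it locates the first bundle from the list, checks whether a certificate is already in it, and appends it only once, so it can be re-run safely after a package upgrade replaces the file. The function names and the optional ROOT prefix argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Bundle paths from the list above (Go's crypto/x509 root_unix.go).
CA_BUNDLE_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt"

# find_ca_bundle [ROOT]: print the first candidate that exists.
# ROOT is an assumed optional prefix (e.g. an unpacked image rootfs).
find_ca_bundle() {
    for p in $CA_BUNDLE_CANDIDATES; do
        if [ -f "${1:-}$p" ]; then
            printf '%s\n' "${1:-}$p"
            return 0
        fi
    done
    return 1
}

# pem_flat FILE: PEM certificate blocks only, whitespace removed, so the
# comparison ignores line wrapping, CRLF and any text around the blocks.
pem_flat() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        tr -d ' \r\n'
}

# bundle_has_cert BUNDLE CERT: 0 if CERT's PEM block is already in BUNDLE.
bundle_has_cert() {
    needle=$(pem_flat "$2")
    [ -n "$needle" ] || return 2      # CERT holds no PEM block
    pem_flat "$1" | grep -qF -- "$needle"
}

# ensure_trusted BUNDLE CERT: append CERT once; prints "present" or "added".
ensure_trusted() {
    if bundle_has_cert "$1" "$2"; then
        echo present
        return 0
    fi
    [ -n "$(pem_flat "$2")" ] || { echo "no PEM block in $2" >&2; return 1; }
    # Make sure the bundle ends with a newline before appending.
    [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$2" |
        tr -d '\r' >> "$1"
    echo added
}
```

Typical use as root: `ensure_trusted "$(find_ca_bundle)" yourcert.crt`. Every TLS client that reads the bundle will trust the appended CA, so confirm the certificate's fingerprint with whoever runs the proxy before adding it.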
@jpetazzo's answer is overall correct, however there is a nicer way to do the same thing (without manually editing a ca-bundle file):
on CentOS:
    sudo cp yourcert.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
    sudo service docker restart
on Debian:
    sudo cp yourcert.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
    sudo service docker restart
Note that restarting the docker daemon is necessary!
To configure docker to work with a proxy system, you first need to add the HTTPS_PROXY / HTTP_PROXY environment variable to the docker sysconfig file. However, depending on whether you use init.d or the services tool, you need to add the "export" statement. As a workaround, you can simply add both variants in the sysconfig file of docker:
/etc/sysconfig/docker

    HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
    HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
    export HTTP_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
    export HTTPS_PROXY="https://<user>:<password>@<proxy-host>:<proxy-port>"
To get docker working with SSL-intercepting proxies, you have to add the proxy root certificate to the system's trust store.
For CentOS, copy the file to /etc/pki/ca-trust/source/anchors/ and update the CA trust store. Restart the docker service afterwards.
If your proxy uses NTLM authentication, it's necessary to use intermediate proxies like cntlm. This blog post explains it in detail.