
`docker-machine regenerate-certs` generates certs in the wrong place

Status: Open. chrisfosterelli opened this issue 6 years ago (11 comments)

I use docker toolbox on MacOS. My certificates have been around for about three years and expired, leading to errors accessing my docker daemons through docker-machine. I saw errors like this when running `docker-machine ls`:

```
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": x509: certificate has expired or is not yet valid
```

I was able to resolve this error when running `docker-machine regenerate-certs --client-certs`, but then after running `eval $(docker-machine env default)` and `docker ps` I would get a new error:

```
error during connect: Get https://192.168.99.100:2376/v1.37/containers/json: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "chrisfosterelli")
```

Looking at the environment variables returned by `docker-machine env default`:

```
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://192.168.99.100:2376"
export DOCKER_CERT_PATH="/Users/chrisfosterelli/.docker/machine/machines/default"
export DOCKER_MACHINE_NAME="default"
# Run this command to configure your shell: 
# eval $(docker-machine env)
```

I can see that it expects my certificates to be in /Users/chrisfosterelli/.docker/machine/machines/default. In this directory, based on timestamps, I could see that regenerate-certs updated config.json, server-key.pem, and server.pem. However, it did not update ca.pem, cert.pem, or key.pem. When I compare ca.pem with what is on the boot2docker machine at /var/lib/boot2docker/, the ca.pem files do not match.

In /Users/chrisfosterelli/.docker/machine/ I found ca.pem, cert.pem, and key.pem files that had been updated by regenerate-certs. I had to manually copy those files into the /Users/chrisfosterelli/.docker/machine/machines/default directory, and now all works fine again.

I'm not sure if this is a bug, a result of migrating this VM over versions, or maybe just a configuration mistake I made. This took a lot of time to debug so I thought I'd post this here in case 1. it's a bug that can be fixed, or 2. it's useful to anyone who encounters a similar issue.

chrisfosterelli, Jul 31 '18 18:07
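A small consistency check for the two directories the report above compares, added here as an example (it is not part of docker-machine and not the reporter's own procedure). It assumes `openssl` is on PATH and that the caller passes the directory where `regenerate-certs` wrote the new client certs and the directory exported as `DOCKER_CERT_PATH`; `make_test_certs` builds a constructed throwaway CA and client cert so the check can be tried offline.

```shell
# Added diagnostic for the docker-machine client-cert mismatch described above.
# Assumes openssl is on PATH; directory paths are supplied by the caller.

# check_machine_certs SHARED_DIR MACHINE_DIR
#   SHARED_DIR  : where regenerate-certs wrote ca.pem/cert.pem/key.pem (e.g. ~/.docker/machine)
#   MACHINE_DIR : what `docker-machine env` exports as DOCKER_CERT_PATH
# Prints MISSING / MISMATCH / EXPIRED / UNKNOWN-AUTHORITY findings; returns 0 only if clean.
check_machine_certs() {
  local shared_dir="$1" machine_dir="$2" f rc=0
  for f in ca.pem cert.pem key.pem; do
    if [ ! -f "$machine_dir/$f" ]; then
      echo "MISSING: $machine_dir/$f"; rc=1; continue
    fi
    # Root cause in the thread: the per-machine copy is stale relative to the regenerated one.
    if [ -f "$shared_dir/$f" ] && ! cmp -s "$shared_dir/$f" "$machine_dir/$f"; then
      echo "MISMATCH: $f differs between $shared_dir and $machine_dir"; rc=1
    fi
  done
  for f in ca.pem cert.pem; do
    # "certificate has expired or is not yet valid": -checkend 0 fails once notAfter has passed
    if [ -f "$machine_dir/$f" ] && ! openssl x509 -in "$machine_dir/$f" -noout -checkend 0 >/dev/null 2>&1; then
      echo "EXPIRED: $machine_dir/$f"; rc=1
    fi
  done
  # "certificate signed by unknown authority": does cert.pem chain to the CA in the same dir?
  if [ -f "$machine_dir/ca.pem" ] && [ -f "$machine_dir/cert.pem" ] \
     && ! openssl verify -CAfile "$machine_dir/ca.pem" "$machine_dir/cert.pem" >/dev/null 2>&1; then
    echo "UNKNOWN-AUTHORITY: $machine_dir/cert.pem is not signed by $machine_dir/ca.pem"; rc=1
  fi
  return "$rc"
}

# make_test_certs DIR NAME : constructed throwaway CA + client cert (hypothetical, for trying the check)
make_test_certs() {
  local dir="$1" name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name-ca" -days 2 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/key.pem" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -out "$dir/cert.pem" >/dev/null 2>&1
}
```

A MISMATCH on ca.pem together with UNKNOWN-AUTHORITY is exactly the state the report describes after `regenerate-certs`; copying the regenerated ca.pem, cert.pem and key.pem into DOCKER_CERT_PATH clears both.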

I had the same problem, and copying the files as described fixed it. Thank you for posting this. Of course, I can't narrow down the cause any more, as I also migrated the VM over versions and could easily have an error in my configuration.

rfgunion, Oct 01 '18 17:10

Yep, same here. Thanks for raising this, saved me a lot of time (and hair!)

m-i-sadowski, Oct 31 '18 16:10

Same problem on Windows 7 with Docker toolbox. Copying the files to replace `.docker/machine/certs` and then restarting the Quickstart terminal resolves this problem.

maxiwu, Apr 30 '19 09:04

Same error here, except that I tried copying the files to `/Users/<user>/.docker/machine/machines/default` and it is still not working. `docker-machine env default` prints:

```
export DOCKER_CERT_PATH="C:\Users\<user>\.docker\machine\machines\default"
```

EDIT: After running `eval $(docker-machine env default)` it works, but if I restart bash it does not work anymore.

matej2, Jul 06 '19 13:07

In newer versions of docker toolbox (in my case on Windows 7, docker toolbox v19.03.1) this problem can be fixed using the following command (assuming the reason was an expired ca cert):

```
$ docker-machine regenerate-certs --client-certs
```

See also: https://docs.docker.com/machine/reference/regenerate-certs/

Remigius2011, Aug 08 '19 08:08

...and a warning:

At least in my case, a `docker-machine regenerate-certs default` wiped all existing docker containers, even if they were running, and all images. If you want to keep existing containers, you possibly have to resort to ssh into the docker machine (without regenerating certs) and use docker commands from the inside. In any case, back up your docker-machine VMs before upgrading toolbox and/or regenerating certs (if they contain anything worth keeping, that is).

Remigius2011, Aug 08 '19 09:08

Same issue I am facing, but copying is not working for me :(

mirr254, May 15 '20 20:05

Thanks, this helped!

itai-codefresh, Nov 02 '20 20:11

Thanks, @Remigius2011. Doing the `docker-machine regenerate-certs --client-certs` solved this for me, and did not remove my existing images (though indeed it does stop running containers).

FWIW, I had this issue on an older machine where I had been running the old Docker toolbox from years ago (when it was the only option for Windows Home), and I had in fact wanted to see what images I did have before removing it and replacing it with Docker Desktop. Now I can see them, and I can proceed, so again thanks.

carehart, Jul 08 '21 14:07

`docker-machine regenerate-certs --client-certs`: this wiped all my images and containers on the server.

lain0, Aug 16 '21 10:08

@lain0 Hm, weird, it worked for me.

matej2, Aug 16 '21 10:08