Using Windows Docker behind a SSL MITM firewall


Due to the increased frequency of network attacks using SSL encrypted channels, it has become common for organizations to use SSL MITM (man in the middle) content inspection to monitor for malicious network traffic.

An unfortunate side effect of this kind of monitoring is that it breaks software tools that rely on SSL connections, because the inspecting proxy re-signs every server certificate with its own CA. The docker-machine VM (aka boot2docker) is one example.

On networks like these, the following problem occurs after installation of the Windows Docker Toolbox:

cooneyj@POD1629 MINGW64 ~
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
4276590986f6: Retrying in 15 seconds
a3ed95caeb02: Retrying in 15 seconds


To find out what is going on, SSH to the docker-machine and inspect /var/log/docker.log:
time="2016-05-02T21:33:56.949185645Z" level=error msg="Download failed, retrying: x509: certificate signed by unknown authority"

This is happening because the MITM Certificate Authority's certificate is not in the trust store of the newly installed docker-machine VM, so the VM cannot validate the re-signed certificate it is presented. This prevents connections to the Docker Hub whenever the docker-machine needs to download an image.

Network administrators at most companies will make this CA certificate available upon request, and recent versions of docker-machine make it easy to import.

1. Make sure your docker machine is running (use Git Bash, which comes bundled with Docker Toolbox):

cooneyj@POD1629 MINGW64 ~
$ cd /c/"Program Files"/"Docker Toolbox"
cooneyj@POD1629 MINGW64 /c/Program Files/Docker Toolbox
$ ./start.sh
...
docker is configured to use the default machine with IP 192.168.99.100
For help getting started, check out the docs at https://docs.docker.com
Start interactive shell
cooneyj@POD1629 MINGW64 ~

2. Upload a copy of the PEM formatted CA certificate to the docker machine, then SSH to the docker machine. Use 'docker/tcuser' as the credentials:

cooneyj@POD1632 MINGW64 ~
$ scp my_SSL_Inspection.pem docker@192.168.99.100:my_SSL_Inspection.pem
docker@192.168.99.100's password:
my_SSL_Inspection.pem 100% 2581 2.5KB/s 00:00
cooneyj@POD1632 MINGW64 ~
$ docker-machine ssh

3. Copy the certificate to the location where the docker-machine imports additional certificates. This directory sometimes needs to be created first.

docker@default:~$ sudo su
root@default:/home/docker# mkdir /var/lib/boot2docker/certs
root@default:/home/docker# cp my_SSL_Inspection.pem /var/lib/boot2docker/certs
root@default:/home/docker# exit
docker@default:~$ exit

4. Restart the docker machine.

cooneyj@POD1629 MINGW64 ~
$ docker-machine restart
Restarting "default"...

5. Run (and install) the Docker Hello World image to verify the docker-machine is working:

cooneyj@POD1629 MINGW64 ~
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
4276590986f6: Pulling fs layer
a3ed95caeb02: Pulling fs layer
...
Status: Downloaded newer image for hello-world:latest
Hello from Docker.
This message shows that your installation appears to be working correctly.
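Steps 1 to 5 above can be driven from a single Git Bash script. The script below is an added example and is not part of the original post; it assumes docker-machine is on the PATH (the `docker-machine scp` subcommand is used for the upload instead of plain scp, which is an assumption on my part), that the machine is named `default`, and that the certificate directory is the one the post uses. Setting `DRY_RUN=1` prints the commands instead of running them, which is handy for reviewing what will be done before touching the VM.

```shell
#!/bin/sh
# Added example, not from the original post: install a MITM inspection CA into
# a docker-machine (boot2docker) VM and verify that image pulls work again.
# Assumptions: docker-machine is on PATH; machine name and cert dir below.

: "${MACHINE:=default}"                      # docker-machine name (assumed)
: "${CERT_DIR:=/var/lib/boot2docker/certs}"  # directory the VM imports CAs from

# Run a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Cheap sanity check before shipping the file: a PEM certificate must carry
# both the BEGIN and END CERTIFICATE markers. A DER file or a key would not.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Upload the CA, place it where boot2docker picks it up, and restart the VM.
install_ca() {
  pem="$1"
  if ! is_pem_cert "$pem"; then
    echo "not a PEM certificate: $pem" >&2
    return 1
  fi
  base=$(basename "$pem")
  run docker-machine scp "$pem" "$MACHINE:/home/docker/$base"
  run docker-machine ssh "$MACHINE" \
    "sudo mkdir -p $CERT_DIR && sudo cp /home/docker/$base $CERT_DIR/"
  run docker-machine restart "$MACHINE"
}

# Same verification the post uses: pulling hello-world exercises the TLS path.
verify_pull() {
  run docker run hello-world
}

# Usage: ./install_ca.sh my_SSL_Inspection.pem
if [ "$#" -gt 0 ]; then
  install_ca "$1" && verify_pull
fi
```

The certificate is copied under /var/lib/boot2docker because that path lives on the VM's persistent disk, so the CA survives the restart in step 4; anything dropped elsewhere in the boot2docker root filesystem is lost on reboot.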

References:

https://github.com/boot2docker/boot2docker/issues/347
