Bug 1400372

Summary: System CA pool excluded when registry CA is used from /etc/docker
Product: Red Hat Enterprise Linux 7
Reporter: Takayoshi Kimura <tkimura>
Component: docker
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: amurdaca, bbreard, dwalsh, jeder, lsm5, lsu
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The system CA pool is excluded when a registry CA is used from /etc/docker/certs.d/.
Consequence: Image pulling fails with "Failed to push image: x509: certificate signed by unknown authority".
Fix: Make docker read the system CA pool, using a new feature in go1.7 plus a fix in the docker daemon.
Result: Image pulling works again, reading the system CA pool when needed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-17 20:44:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Takayoshi Kimura 2016-12-01 02:28:18 UTC
Description of problem:

TLS is enabled on the docker-registry in OpenShift. On the docker daemon side, the registry CA cert is put in /etc/docker/certs.d/.

The docker daemon is able to connect to the docker-registry using TLS, but the push image layer phase failed with "Failed to push image: x509: certificate signed by unknown authority".

When we move the registry CA cert from /etc/docker/certs.d/ to the system truststore, everything works.

Version-Release number of selected component (if applicable):

docker-1.10.3-57.el7.x86_64

How reproducible:

Only in the customer env; I couldn't figure out the exact condition to reproduce this issue.

Steps to Reproduce:
1.
2.
3.

Actual results:

Docker push failed with "Failed to push image: x509: certificate signed by unknown authority".

Expected results:

Docker push succeeds

Additional info:

Upstream issue https://github.com/docker/docker/issues/12756

Comment 1 Antonio Murdaca 2016-12-01 07:50:31 UTC
We could backport https://github.com/docker/docker/pull/27918 to at least 1.12.3 - Dan, should I also try and backport that PR to 1.10.3?

Comment 5 Daniel Walsh 2016-12-01 14:00:52 UTC
We should be able to build using golang-1.7 for RHEL7.3.2.
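The go1.7 feature the Doc Text refers to, and that Comment 5 builds against, is x509.SystemCertPool. The following Go snippet is an added illustration, not docker's code and not the backported PR: it contrasts a pool built only from the CA in /etc/docker/certs.d/ (the pre-fix behaviour) with one that starts from the system roots and adds that CA. All certificates and hostnames are constructed for the demo, and the second host that chains to a "system" root stands in for whichever endpoint the layer push contacted, which this report does not identify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a constructed certificate for this demo: a self-signed CA when parent is nil, otherwise a server leaf for host name signed by parent.
func mkCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: sn.Add(sn, big.NewInt(1)), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, signer, signKey = []string{name}, parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil { panic(err) } // demo inputs are fixed, so this is a bug in the demo itself
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// registryOnlyPool is the pre-fix behaviour: a fresh pool holding only the CA from /etc/docker/certs.d/, so every system root is excluded.
func registryOnlyPool(registryCA *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(registryCA)
	return pool
}

// mergedPool is the fix: start from the system roots (x509.SystemCertPool in the daemon, Go 1.7+) and add the registry CA on top; the loader is a parameter only so this offline demo can pass a constructed stand-in.
func mergedPool(systemRoots func() (*x509.CertPool, error), registryCA *x509.Certificate) (*x509.CertPool, error) {
	pool, err := systemRoots()
	if err == nil {
		pool.AddCert(registryCA)
	}
	return pool, err
}

// verifies reports whether leaf chains to roots for host, as the daemon's TLS client checks it.
func verifies(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

In the daemon the call would be mergedPool(x509.SystemCertPool, registryCA); the registry-only pool is exactly what produces the "certificate signed by unknown authority" error for any host whose chain ends in a system root.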

Comment 19 errata-xmlrpc 2017-01-17 20:44:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html