Bug 1400372 - System CA pool excluded when registry CA is used from /etc/docker
Summary: System CA pool excluded when registry CA is used from /etc/docker
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: Antonio Murdaca
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-01 02:28 UTC by Takayoshi Kimura
Modified: 2020-01-17 16:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: System CA pool excluded when registry CA is used from /etc/docker/certs.d/. Consequence: image pulling fails with "Failed to push image: x509: certificate signed by unknown authority". Fix: make docker read the system CA pool using a new feature in go1.7 plus a fix in the docker daemon. Result: image pulling works again, reading the system CA pool when needed.
Clone Of:
Environment:
Last Closed: 2017-01-17 20:44:07 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHSA-2017:0116 (normal, SHIPPED_LIVE): Moderate: docker security, bug fix, and enhancement update. Last updated 2017-01-18 01:39:43 UTC.

Description Takayoshi Kimura 2016-12-01 02:28:18 UTC
Description of problem:

TLS is enabled on the docker-registry in OpenShift. On the docker daemon side, the registry CA cert is put in /etc/docker/certs.d/.

The docker daemon is able to connect to the docker-registry using TLS, but the push image layer phase failed with "Failed to push image: x509: certificate signed by unknown authority".

When we moved the registry CA cert from /etc/docker/certs.d/ to the system truststore, everything worked.

Version-Release number of selected component (if applicable):

docker-1.10.3-57.el7.x86_64

How reproducible:

Only in the customer env; I couldn't figure out the exact condition to reproduce this issue.

Steps to Reproduce:
1.
2.
3.

Actual results:

Docker push failed with "Failed to push image: x509: certificate signed by unknown authority".

Expected results:

Docker push success

Additional info:

Upstream issue https://github.com/docker/docker/issues/12756

Comment 1 Antonio Murdaca 2016-12-01 07:50:31 UTC
We could backport https://github.com/docker/docker/pull/27918 to at least 1.12.3 - Dan, should I also try and backport that PR to 1.10.3?

Comment 5 Daniel Walsh 2016-12-01 14:00:52 UTC
We should be able to build using golang-1.7 for RHEL7.3.2.
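The failure described in the Doc Text and the go1.7 fix referred to in comment 5, as an added Go example that is not docker's own code: an endpoint certificate chains to a CA in the system store while /etc/docker/certs.d holds a different registry CA; a root pool seeded only from certs.d rejects it with the reported "x509: certificate signed by unknown authority", and a pool that starts from the system roots accepts it. The CAs, hostname and leaf are constructed in memory, and a constructed "system" pool stands in for x509.SystemCertPool() so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert makes a constructed test cert: a self-signed CA when parent is nil, else a server leaf for name.
func mkCert(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo: the endpoint cert chains to a system-store CA; certs.d holds a different (registry) CA.
func demo() (certsDirOnly, withSystem error) {
	const host = "registry.example.test" // constructed hostname
	systemCA, systemKey := mkCert("constructed-system-ca", nil, nil)
	registryCA, _ := mkCert("constructed-registry-ca", nil, nil)
	leaf, _ := mkCert(host, systemCA, systemKey) // signed by the *system* CA, not the registry CA
	// Pre-fix: a fresh pool seeded only with the certs.d CA, so the system store is dropped.
	certsDir := x509.NewCertPool()
	certsDir.AddCert(registryCA)
	_, certsDirOnly = leaf.Verify(x509.VerifyOptions{Roots: certsDir, DNSName: host})
	// Post-fix: append the certs.d CA to the system pool. The daemon takes that base from
	// x509.SystemCertPool() (go1.7+); a constructed "system" pool stands in for it offline.
	system := x509.NewCertPool()
	system.AddCert(systemCA)
	system.AddCert(registryCA)
	_, withSystem = leaf.Verify(x509.VerifyOptions{Roots: system, DNSName: host})
	return
}

func main() {
	a, b := demo()
	fmt.Printf("certs.d only:   %v\nsystem+certs.d: %v\n", a, b)
}
```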

Comment 19 errata-xmlrpc 2017-01-17 20:44:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html

