Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update note about custom certs with system certs #417

Merged
merged 1 commit into from
Nov 4, 2016
Merged

Update note about custom certs with system certs #417

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions engine/security/certificates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,10 @@ A custom certificate is configured by creating a directory under
`localhost`). All `*.crt` files are added to this directory as CA roots.

> **Note:**
> In the absence of any root certificate authorities, Docker
> will use the system default (i.e., host's root CA set).
> As of docker 1.13, on Linux any root certificates authorities will be merged
> in with the system defaults (i.e., host's root CA set). Prior to 1.13 and on
> Windows, the system default certificates will only be used when there are no
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

asked @dmcgowan and unfortunately, the Go update required for this feature wasn't implemented for Windows

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thaJeztah this is only tangentially related to this change, but I'm wondering if you need to restart the Docker daemon for Docker to load these certificates?
My understanding is that if you were adding certs to the host trusted CA store, you would need to restart the daemon. If you do need to restart, maybe we need to mention it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

golang/go#16736, looks like will be fixed in 1.8

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joaofnfernandes restart is not needed, these certificates are always read at the start of a push or pull operation and not kept around after

> custom root certificates provided.

The presence of one or more `<filename>.key/cert` pairs indicates to Docker
that there are custom certificates required for access to the desired
Expand All @@ -39,7 +41,7 @@ repository.
> order. If there is an authentication error (e.g., 403, 404, 5xx, etc.), Docker
> will continue to try with the next certificate.

The following illustrates a configuration with multiple certs:
The following illustrates a configuration with custom certificates:

```
/etc/docker/certs.d/ <-- Certificate directory
Expand Down