Due to the increased frequency of network attacks using SSL encrypted channels, it has become common for organizations to use SSL MITM (man-in-the-middle) content inspection to monitor for malicious network traffic.

An unfortunate side effect of this kind of monitoring is that it breaks software tools that rely on SSL connections and validate the server certificate. The docker-machine VM (aka boot2docker) is an example of this.

On networks like these, the following problem occurs after installation of the Windows Docker Toolbox:

[email protected] MINGW64 ~
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
4276590986f6: Retrying in 15 seconds
a3ed95caeb02: Retrying in 15 seconds

To find out what is going on, SSH to the docker-machine (docker-machine ssh) and inspect /var/log/docker.log:
time="2016-05-02T21:33:56.949185645Z" level=error msg="Download failed, retrying: x509: certificate signed by unknown authority"

This is happening because the inspection proxy's CA certificate is not in the trust store of the newly installed docker-machine VM, so the Docker daemon running inside the VM rejects the proxy-issued certificate and cannot connect to Docker Hub when it needs to download an image.

Network administrators at most companies will make this CA certificate available upon request, and recent versions of docker-machine make it easy to import.

1. Make sure your docker machine is running (use Git Bash, which comes bundled with Docker Toolbox):

[email protected] MINGW64 ~
$ cd /c/"Program Files"/"Docker Toolbox"
[email protected] MINGW64 /c/Program Files/Docker Toolbox
$ ./start.sh
docker is configured to use the default machine with IP
For help getting started, check out the docs at https://docs.docker.com
Start interactive shell
[email protected] MINGW64 ~

2. Upload a copy of the PEM-formatted CA certificate to the docker machine, then SSH to the docker machine. Use docker/tcuser (the default boot2docker username and password) as the credentials:

[email protected] MINGW64 ~
$ scp my_SSL_Inspection.pem [email protected]:my_SSL_Inspection.pem
[email protected]'s password:
my_SSL_Inspection.pem 100% 2581 2.5KB/s 00:00
[email protected] MINGW64 ~
$ docker-machine ssh

3. Copy the certificate to the location where the docker-machine imports additional certificates. This directory sometimes needs to be created first.

[email protected]:~$ sudo su
[email protected]:/home/docker# mkdir /var/lib/boot2docker/certs
[email protected]:/home/docker# cp my_SSL_Inspection.pem /var/lib/boot2docker/certs
[email protected]:/home/docker# exit
[email protected]:~$ exit

4. Restart the docker machine.

[email protected] MINGW64 ~
$ docker-machine restart
Restarting "default"...

5. Run the Docker hello-world image (which pulls it from Docker Hub) to verify that the docker-machine is working:

[email protected] MINGW64 ~
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
4276590986f6: Pulling fs layer
a3ed95caeb02: Pulling fs layer
Status: Downloaded newer image for hello-world:latest
Hello from Docker.
This message shows that your installation appears to be working correctly.
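Steps 2 through 5 above, scripted as an added example that is not part of the original post: it checks the CA file before the VM is told to trust it, prints the CA's fingerprint for comparison with what the network team published, and then uploads, installs, restarts and verifies. It assumes docker-machine and openssl are on PATH (Git Bash from Docker Toolbox has both); the machine name and PEM path are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts steps 2-5 above for one
# docker-machine VM and checks the CA file before the VM is told to trust it.
# Assumes docker-machine and openssl are on PATH (Git Bash from Docker Toolbox has
# both); the machine name and the PEM path are placeholders passed as arguments.
set -e

CERT_DIR=/var/lib/boot2docker/certs   # import directory named in the post

# Count PEM certificate blocks in a file: 0 means it is not a PEM certificate at all,
# more than 1 means the network team handed out a bundle (chain) rather than one CA.
pem_cert_count() {
  grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the command run inside the VM (step 3): create the import directory if it is
# missing, copy the uploaded file into it and keep it readable by the docker daemon.
remote_install_cmd() {
  name=$1
  printf 'sudo sh -c "mkdir -p %s && cp /home/docker/%s %s/%s && chmod 644 %s/%s"' \
    "$CERT_DIR" "$name" "$CERT_DIR" "$name" "$CERT_DIR" "$name"
}

install_mitm_ca() {
  machine=$1
  pem=$2
  name=$(basename "$pem")
  if [ ! -r "$pem" ] || [ "$(pem_cert_count "$pem")" -lt 1 ]; then
    echo "$pem is not a readable PEM certificate" >&2
    return 1
  fi
  # Print subject and SHA-256 fingerprint so they can be compared with what the network
  # team published: whoever holds this CA's key can read every TLS session the VM makes.
  openssl x509 -in "$pem" -noout -subject -fingerprint -sha256
  docker-machine scp "$pem" "$machine:/home/docker/$name"        # step 2
  docker-machine ssh "$machine" "$(remote_install_cmd "$name")"  # step 3
  docker-machine restart "$machine"                              # step 4
  eval "$(docker-machine env "$machine")"                        # point docker CLI at the VM
  docker run --rm hello-world                                    # step 5
}

# Usage: ./install_mitm_ca.sh default ./my_SSL_Inspection.pem
if [ $# -eq 2 ]; then
  install_mitm_ca "$1" "$2"
fi
```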