Unable to use docker due to ZScaler and certificate issues

linux docker certificate photon-os zscaler
DocZerø picture DocZerø · Apr 27, 2017 · Viewed 11.5k times · Source

I have VMware Photon OS running in VMware Player. This will be used as the host OS to run Docker containers.

However, since I'm behind a ZScaler, I'm having issues running commands that access external resources. E.g. docker pull python gives me the following output (I added some line breaks to make it more readable):

error pulling image configuration: 
Get https://dseasb33srnrn.cloudfront.net/registry-v2/docker/registry/v2/blobs/sha256/a0/a0d32d529a0a6728f808050fd2baf9c12e24c852e5b0967ad245c006c3eea2ed/data
?Expires=1493287220
&Signature=gQ60zfNavWYavBzKK12qbqwfOH2ReXMVbWlS39oKNg0xQi-DZM68zPi22xfDl-8W56tQmz5WL5j8L39tjWkLJRNmKHwvwjsxaSNOkPMYQmhppIRD0OuVwfwHr-
1jvnk6mDZM7fCrChLCrF8Ds-2j-dq1XqhiNe5Sn8DYjFTpVWM_
&Key-Pair-Id=APKAJECH5M7VWIS5YZ6Q: 
x509: certificate signed by unknown authority

I have tries to extract the CA root certificates (in PEM format) for ZScaler from my Windows workstation, and have appended them to /etc/pki/tls/certs/ca-bundle.crt. But even after restarting Docker, this didn't solve the issue.

I've read through numerous posts, most referencing the command update-ca-trust which does not exist on my system (even though the ca-certificates package is installed).

I have no idea how to go forward. AFAIK, there are two options. Either:

  • Add the ZScaler certificates so SSL connections are trusted.
  • Allow insecure connections to the Docker hub (but even then it will probably still complain because the certificate isn't trusted).

The latter works by the way, e.g. executing curl with the -k option allows me to access any https resource.

Answer

ivenxu picture ivenxu · May 17, 2017

The problem is zscaler is acting as MAN-IN-THE-MIDDLE doing the ssl inspecting in your organization (see https://support.zscaler.com/hc/en-us/articles/205059995-How-does-Zscaler-protect-SSL-traffic-).

Since you've tried put the certificate in docker, I guess you've been already familiar with steps described in https://stackoverflow.com/a/36454369/1443505. The answer in this is almost correct for the zscaler scenario. One thing need to note is that because zscaler intercepts the CA tree. We need add all the certificates on the chains.

For now, the certificate chains behind zscaler looks as following

enter image description here

We need to export them all one by one and follow the instructions in https://stackoverflow.com/a/36454369/1443505 for each of them.

Related questions

Docker can't connect to docker daemon

After I update my Docker version to 0.8.0, I get an error message while entering sudo docker version: Client version: 0.8.0 Go version (client): go1.2 Git commit (client): cc3a8c8 2014/02/19 12:54:16 Can't connect to docker daemon. Is 'docker -d' running on this …

Read More
Exploring Docker container's file system

I've noticed with docker that I need to understand what's happening inside a container or what files exist in there. One example is downloading images from the docker index - you don't have a clue what the image contains so …

Read More
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?

I have applied every solution available on internet but still I cannot run Docker. I want to use Scrapy Splash on my server. Here is history of commands I ran. docker run -p 8050:8050 scrapinghub/splash sudo docker run -p 8050:8050 scrapinghub/…

Read More