This is something you might want when using a custom Docker registry whose certificate is signed by a custom root CA.
Since finding the answer to this question proved somewhat complicated, I’ll note my approach here for future reference (excerpt):
Basically, copy pem (Base64 encoded) versions of your CA trust chain into /var/lib/boot2docker/certs/. You can’t use ca bundles. The boot2docker boot script will automatically pick up pem files there and add them to the ssl config. Also, this is a special directory and will be preserved across restarts.
$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default
Side note: replace “default” in the shell commands above with the name of the machine you are running Docker on. In a local swarm setup (as I have it here) you need to do this for every single machine if you want the root CA to be trusted on each one. This should be easier, but I have not found an easier solution yet; I will update this if I do. At least copying the root CA cert into the boot2docker location persists across restarts, even though the rest of boot2docker is immutable.
Side note 2: If you don’t want to copy the CA to all machines, copy it to your swarm manager(s) only. Then deploy your swarm stack with --with-registry-auth from the swarm manager! The deployment will use the registry login and the trust store of the swarm manager you’re interacting with.
$ docker stack deploy --compose-file=my-stack.docker-compose.yml --with-registry-auth my-stack-name
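To spare repeating the four commands by hand for every machine, here is an added example script (not from the original post or from the docker-machine project) that installs one root CA PEM on a list of machines, refuses CA bundles up front, and checks after the restart that the file really landed in the persisted certs directory. It assumes docker-machine is on PATH and that the machine names are passed as arguments; the CA_PEM variable and the helper names are my own.

```shell
#!/bin/sh
# Added example: install a single root-CA PEM on several docker-machine
# (boot2docker) machines. Assumes docker-machine is on PATH.
set -eu

CERTS_DIR=/var/lib/boot2docker/certs   # persisted dir from the post

# Count PEM certificate blocks in a file (0 for DER or non-PEM input).
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# boot2docker wants one cert per .pem file, not a bundle: succeed only
# if the file holds exactly one certificate block.
check_single_cert() {
  [ "$(pem_cert_count "$1")" -eq 1 ]
}

# Constructed placeholder PEM (not a real certificate) for self-checks.
write_sample_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBconstructedPlaceholderBodyNotARealCert==' \
    '-----END CERTIFICATE-----' > "$1"
}

# Copy the PEM to one machine, move it into the persisted certs dir,
# restart so the boot script adds it to the ssl config, then confirm
# the file survived the restart.
install_ca_on_machine() {
  machine=$1
  pem=$2
  base=$(basename "$pem")
  docker-machine ssh "$machine" "sudo mkdir -p $CERTS_DIR"
  docker-machine scp "$pem" "$machine:"
  docker-machine ssh "$machine" "sudo mv '$base' $CERTS_DIR/"
  docker-machine restart "$machine"
  docker-machine ssh "$machine" "test -f $CERTS_DIR/$base" \
    || { echo "cert missing on $machine after restart" >&2; return 1; }
}

# Usage: CA_PEM=corp-ca.pem sh install-ca.sh default node1 node2
# Guarded by CA_PEM so the functions can be sourced without side effects.
if [ -n "${CA_PEM:-}" ]; then
  check_single_cert "$CA_PEM" \
    || { echo "$CA_PEM must hold exactly one PEM certificate" >&2; exit 1; }
  for m in "$@"; do
    install_ca_on_machine "$m" "$CA_PEM"
  done
fi
```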