So…this happened lately:
```
$ docker ps
error during connect: Get https://xx.xx.xx.xx:xxxx/vx.xx/containers/json: x509: certificate has expired or is not yet valid
```
Browsing to the URL gave me:
```
This site can’t provide a secure connection
xx.xx.xx.xx didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
```
journalctl -u docker.service says:
```
Jun 21 18:34:52 test-010 dockerd[6467]: http: TLS handshake error from 192.168.101.10:55620: remote error: tls: bad certificate
Jun 21 18:34:52 test-010 dockerd[6467]: http: TLS handshake error from 192.168.101.10:55621: remote error: tls: bad certificate
```
I checked if the private key and the certificate match:
```
# According to https://knowledge.digicert.com/solution/SO5794.html this:
root [ /etc/pki/tls ]# openssl rsa -modulus -noout -in private/my.key | openssl md5
(stdin)= 6712...ebe3

# and this:
root [ /etc/pki/tls ]# openssl x509 -modulus -noout -in certs/my.crt | openssl md5
(stdin)= 0119...7b80

# should be the same output.
# Clearly they're not. However, I realized that my old certificate gives me:
root [ /etc/pki/tls ]# openssl x509 -modulus -noout -in certs/my.old.crt | openssl md5
(stdin)= 0119...7b80

# which is the same as the new certificate...
```
Sadly, in the end it turned out that the CA cert had to be renewed. Once that was done and replaced on the server as well as on the client in my /Users/worp/.docker/respectiveServerFolder, I was able to connect again.
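The modulus comparison only tells you whether a key and a certificate belong together; it says nothing about validity dates, and the certificate that had expired here was the CA's. The script below is an added example, not part of the original post: it checks the validity window of both the CA and the client certificate, the key/certificate match, and the chain. The file names `ca.pem`, `cert.pem` and `key.pem` are an assumption about the directory layout, the function names are made up for this example, and the certificates it tests against are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file names
# ca.pem / cert.pem / key.pem inside one directory (adjust to your layout).

# status_of FILE WINDOW_SECONDS -> prints OK, EXPIRING, EXPIRED or UNREADABLE
status_of() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo UNREADABLE; return; }
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null; then echo EXPIRED
    elif ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; then echo EXPIRING
    else echo OK
    fi
}

# key_matches_cert KEY CERT -> exit 0 if both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -pubkey -noout -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# audit_tls_dir DIR [WINDOW_SECONDS] -> exit 0 only if everything checks out
audit_tls_dir() {
    dir=$1; window=${2:-604800}; rc=0      # default window: 7 days
    for f in ca.pem cert.pem; do           # the CA is checked too, not just the leaf
        st=$(status_of "$dir/$f" "$window")
        end=$(openssl x509 -noout -enddate -in "$dir/$f" 2>/dev/null) || end="notAfter=?"
        printf '%-9s %-10s %s\n' "$f" "$st" "$end"
        [ "$st" = OK ] || rc=1
    done
    key_matches_cert "$dir/key.pem" "$dir/cert.pem" || { echo "key.pem does not match cert.pem"; rc=1; }
    # Fails if cert.pem was not issued by ca.pem or a cert is outside its validity period
    openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || { echo "chain verification failed"; rc=1; }
    return $rc
}

# Constructed sample data: throwaway CA valid for 1 day, client cert valid for 30 days
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/key.pem" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days 30 -out "$1/cert.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
audit_tls_dir "$demo" || echo "=> attention needed (here: the demo CA expires within the window)"
rm -rf "$demo"
```

Run `audit_tls_dir` against the server's certificate directory and against the client's folder under `~/.docker`, since both sides hold a copy of the CA certificate.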
Further reading
- If you’re interested in securing Docker server and client with a certificate: http://tech.paulcz.net/blog/secure-docker-with-tls/
- Check if Cert was created from key: https://knowledge.digicert.com/solution/SO5794.html