Docker on Windows (Boot2Docker) – certificate signed by unknown authority error


I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company’s self signed CA’s. Thus, the chain ends up like this:

Company's CA
        Company's Intermediate CA
               Docker Certificate

When I try to run any command, such as:

docker run hello-world

I get this error:

Get x509: certificate signed by unknown authority

I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?


This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn’t until today been able to work out a solution for Docker. The trick is to add the certificates to Docker’s cert store and have them persist. This is accomplished by using a script that executes every time the machine starts.

I assume if you’ve already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you’ve already done #1 and #2 by way of previous attempts.

  1. Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.

  2. Once you have them saved to a known location, you will want to convert them to PEM format unless you save as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.

    openssl x509 -inform der -in certificate.cer -out certificate.pem
  3. Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access to. Typically for MS Windows, you’ll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\<my.username>\certs and copied them there.

  4. This step may not be strictly necessary, but it’s what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.

    MINGW64:$ docker-machine ssh default
    docker@default:~$ sudo -s
    root@default:/home/docker# mkdir /var/lib/boot2docker/certs
    root@default:/home/docker# cp /c/Users/my.username/certs/*.pem /var/lib/boot2docker/certs/
  5. Now it’s time to write a script, which will copy the certificates to the proper location each time the system starts.[2] If you haven’t already, open an SSH connection to the machine, per Step 4.

    touch /var/lib/boot2docker/ && chmod +x /var/lib/boot2docker/
    vi /var/lib/boot2docker/

Insert the following and save the file:


    mkdir -p /etc/docker/certs.d && cp /var/lib/boot2docker/certs/*.pem /etc/docker/certs.d
  1. Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:

    docker-machine restart default

Now you should be able to run ‘hello-world’ and others.




Answered By – Aaron Helton

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published