Docker – Add trusted root ca to local docker-machine swarm

Useful when, for example, you run a private Docker registry whose certificate is signed by a custom root CA.

As finding the answer to this question has proven somewhat complicated, I’ll note my approach here for future reference (excerpt):

Basically, copy pem (Base64 encoded) versions of your CA trust chain into /var/lib/boot2docker/certs/. You can’t use ca bundles. The boot2docker boot script will automatically pick up pem files there and add them to the ssl config. Also, this is a special directory and will be preserved across restarts.

$ docker-machine ssh default 'sudo mkdir /var/lib/boot2docker/certs'
$ docker-machine scp corp-ca.pem default:
$ docker-machine ssh default 'sudo mv corp-ca.pem /var/lib/boot2docker/certs/'
$ docker-machine restart default


Sidenote: Replace “default” in the shell commands above with the name of the docker-machine you are using. In a local swarm setting (as I have it here) you need to do this for every single machine if you want the root CA to be trusted on each one. This should be easier, but I have not found an easier solution yet; I will update this post if I do. At least the root CA cert copied into the boot2docker certs directory persists across restarts, even though the rest of boot2docker is immutable.
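An added helper script (not from the original post or the linked issue) that applies the steps above to every machine in the swarm and refuses a CA bundle, since boot2docker only picks up single-certificate PEM files. It assumes docker-machine is on PATH and that the machine names are passed as arguments after the PEM file.

```shell
#!/bin/sh
# Install one PEM-encoded root CA into /var/lib/boot2docker/certs/ on every
# docker-machine VM given on the command line (added example, not from the post).
# Assumes: docker-machine on PATH; the PEM holds exactly one certificate.
set -eu

CERT_DIR=/var/lib/boot2docker/certs

# Count "BEGIN CERTIFICATE" markers; a usable file has exactly one.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True only for an existing file containing a single PEM certificate (no bundle).
is_single_pem_cert() {
    [ -f "$1" ] && [ "$(pem_cert_count "$1")" -eq 1 ]
}

# Print the four docker-machine commands that install PEM $2 on machine $1.
install_commands() {
    machine=$1; pem=$2; base=$(basename "$pem")
    printf '%s\n' \
      "docker-machine ssh $machine 'sudo mkdir -p $CERT_DIR'" \
      "docker-machine scp $pem $machine:" \
      "docker-machine ssh $machine 'sudo mv $base $CERT_DIR/'" \
      "docker-machine restart $machine"
}

# Install the CA on every listed machine. DRY_RUN=1 prints the commands instead.
install_ca_on_machines() {
    pem=$1; shift
    if ! is_single_pem_cert "$pem"; then
        echo "refusing $pem: boot2docker needs one certificate per .pem, not a bundle" >&2
        return 1
    fi
    for m in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            install_commands "$m" "$pem"
        else
            install_commands "$m" "$pem" | sh -e
        fi
    done
}

# Usage: DRY_RUN=1 sh install-ca.sh corp-ca.pem default node1 node2
if [ "$#" -gt 0 ]; then
    install_ca_on_machines "$@"
fi
```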

Sidenote 2: If you don’t want to copy the CA to all machines, copy it to your swarm manager(s) only. Then deploy your swarm stack from the swarm manager with --with-registry-auth: the deployment will use the registry login and the trust store of the swarm manager you’re interacting with.

$ docker stack deploy --compose-file=my-stack.docker-compose.yml --with-registry-auth my-stack-name


Source: docker-machine: Recommended way to install CA certificate on local VM docker machine #1799 – Comment by rpomeroy on 13 Jan 2017