Fixing expired Docker TLS certificates

Today, while debugging a project on a Win7 machine where Docker had been installed a long time ago, running docker-compose up -d threw:

ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

I googled around and spent some time trying the various methods that came up, to no avail.

After a lot of back and forth I found the Docker Machine certificate directory:

C:\Users\{yourUserName}\.docker\machine\certs

Looking at the certificates in it, they had expired more than a year ago...
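To check those files for yourself, here is an added Python example (not part of the original post) that reads each *.pem in the certs directory with the standard library only, walks the DER structure to the validity field, and classifies the certificate the same three ways the Docker client's "x509: certificate has expired or is not yet valid" error lumps together. The directory path and the file names ca.pem / cert.pem are docker-machine's own; everything else is this example's.

```python
import datetime as dt
import ssl
from pathlib import Path

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each TLV inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    tbs = next(children(cert))[1]
    fields = [(t, v) for t, v in children(tbs) if t != 0xA0]   # drop optional EXPLICIT [0] version
    not_before, not_after = list(children(fields[3][1]))       # serial, sigAlg, issuer, validity
    return parse_time(*not_before), parse_time(*not_after)

def classify(not_before, not_after, now):
    """The three outcomes the Docker client folds into its single x509 error message."""
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"

def check_machine_certs(certs_dir, now=None):
    """Report every certificate (ca.pem, cert.pem, ...) in a docker-machine certs directory."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = {}
    for path in sorted(Path(certs_dir).glob("*.pem")):
        text = path.read_text()
        if "BEGIN CERTIFICATE" in text:     # skip private keys such as key.pem / ca-key.pem
            report[path.name] = classify(*validity(ssl.PEM_cert_to_DER_cert(text)), now)
    return report
```

Call check_machine_certs(r"C:\Users\{yourUserName}\.docker\machine\certs") on the host; an "expired" entry for ca.pem or cert.pem is exactly the situation described here.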

Regenerate the TLS certificates and update the machine with the new ones:

$ docker-machine regenerate-certs default
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Waiting for SSH to be available...
Detecting the provisioner...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...

Regenerate the client certificates:

$ docker-machine regenerate-certs --client-certs default
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Regenerating local certificates
CA certificate is outdated and needs to be regenerated
Creating CA: C:\Users\{yourUserName}\.docker\machine\certs\ca.pem
Client certificate is outdated and needs to be regenerated
Creating client certificate: C:\Users\{yourUserName}\.docker\machine\certs\cert.pem
Waiting for SSH to be available...
Detecting the provisioner...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...

Done

In hindsight, regenerating just the client certificates would probably have been enough...

Update 2026.06.05

There is another case: you can SSH into the Docker VM, but the host reports something like the following:

administrator@WIN-Q3CE83R01A2 C:\Users\Administrator>docker images

error during connect: Get https://192.168.99.100:2376/v1.40/images/json: x509: certificate has expired or is not yet valid
administrator@WIN-Q3CE83R01A2 C:\Users\Administrator>docker-machine regenerate-certs --client-certs -f default

Regenerating TLS certificates
Regenerating local certificates
Waiting for SSH to be available...
Too many retries waiting for SSH to be available. Last error: Maximum number of retries (60) exceeded

Since docker-machine cannot deliver its key into the VM by itself, but you can still SSH in, you can deliver it by hand:

  1. On the Windows host, open docker-machine's public key file in Notepad; the path is usually:
    C:\Users\Administrator\.docker\machine\machines\default\id_rsa.pub
    Copy the entire contents (a long string starting with ssh-rsa ...).

  2. Inside the VM (through the terminal you can currently connect with),
    run the following to append the host's current public key to the VM's list of trusted keys:

echo "刚才复制的ssh-rsa长字符串" >> /home/docker/.ssh/authorized_keys

    Note: replace the text inside the quotes with what you actually copied.

  3. Set the correct permissions:
chmod 600 /home/docker/.ssh/authorized_keys

  4. Watch the magic:
    Back on the host in CMD, run docker-machine regenerate-certs --client-certs -f default again. Now that the keys match, the connection goes through instantly!

Enjoy!