colima: How to add trust unknown ssl authority or manually download and use iso

Is it possible to skip ssl check? We are using antivirus with MITM ssl certificate.

colima start --cpu 6 --memory 8 --disk 60 | more
INFO[0000] starting colima                              
INFO[0000] starting ...                                  context=vm
time="2022-01-18T13:17:29+01:00" level=info msg="Using the existing instance \"colima\""
time="2022-01-18T13:17:29+01:00" level=info msg="Attempting to download the image from \"https://github.com/abiosoft/alpine-lima/releases/download/colima-v0.3.2/alpine-lima-clm-3.14.3-x86_64.iso\"" digest="sha512:875482176ff2f43bf9472f84137d8b9a56d692ae19243436079c7f2f78cb6b13576601eef9102aaea796629215fc60308e69b590c81fe4139e9e84f1ec4a57f5"
time="2022-01-18T13:17:29+01:00" level=fatal msg="failed to download the image, attempted 2 candidates, errors=[unsupported arch: \"aarch64\" failed to download \"https://github.com/abiosoft/alpine-lima/releases/download/colima-v0.3.2/alpine-lima-clm-3.14.3-x86_64.iso\": Get \"https://objects.githubusercontent.com/github-production-release-asset-2e65be/422815134/912100a2-63cc-4bb2-ac99-e0940a5af5f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220118%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220118T121636Z&X-Amz-Expires=300&X-Amz-Signature=3d7b0a81026ed973ff0a64b8d9141f6104dcc775c35d2300dffc4c1283379e6d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=422815134&response-content-disposition=attachment%3B%20filename%3Dalpine-lima-clm-3.14.3-x86_64.iso&response-content-type=application%2Foctet-stream\": x509: certificate signed by unknown authority]"
FATA[0000] error starting vm: error at 'starting': exit status 1 

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 38 (10 by maintainers)

Most upvoted comments

For those on Mac, I figured out the process. You just have to manually update the default template file by running colima template and then edit the docker: {} to

docker:
  insecure-registries:
    - myregistry.com:5000
    - host.docker.internal:5000
    - etc....

I would copy the certificate to /usr/local/share/ca-certificates and then run /usr/sbin/update-ca-certificates, followed by rc-service docker restart (based on my knowledge of the Alpine image; not sure if colima needs something in addition).

– bump

How can I add my corp cert into the VM so that it can pull down images?

On a similar issue, I had been encountering issues with my new proxy. To fix it, I did the following:

have colima running
run in a terminal:
limactl shell colima
sudo vi /etc/ssl/certs/ca-certificates.crt
append the <proxy> pem certificate to the end of the file
save it
exit shell
restart colima

It doesn’t seem that colima is respecting host certs, such as /etc/docker/certs.d/*. Using Colima with a private registry gives me this

docker login <private_reg>
...
Error response from daemon: Get "<private_reg>": x509: certificate signed by unknown authority

This is with latest (as of today)

colima version
colima version HEAD-272db47
git commit: 272db4732b90390232ed9bdba955877f46a50552

runtime: docker
arch: x86_64
client: v20.10.12
server: v20.10.11

I had the same issue and was able to resolve it cleanly with a variation of the above for colima.

mkdir -p ~/.docker/certs.d
cp /PATH/TO/YOUR/CORP_OR_AV.cer ~/.docker/certs.d/CORP_OR_AV.crt
 # NOTE: If your CA was provided as a .cer file, be sure to rename it as .crt when copying it over.
colima stop
colima start
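The ~/.docker/certs.d procedure above, scripted as an added example (not code from the colima project or from anyone in this thread), with a check that the file really is a PEM CA certificate before it lands in the trust store; it assumes openssl, colima and limactl are on PATH and, as the comment reports, that colima copies ~/.docker/certs.d into the VM's /etc/docker/certs.d at start. The function names and the default "corp-ca" file name are this example's own.

```shell
#!/bin/sh
# Added example, not from the colima project or this thread. Installs a
# corporate / antivirus MITM CA for colima's Docker daemon via ~/.docker/certs.d
# (the approach described in the comment above) after validating the file.
# Assumes: openssl, colima, limactl on PATH.
set -eu

# Normalise a CA file ($1, PEM or DER ".cer" as exported by many AV/corp tools)
# into a PEM ".crt" at $2. Returns 1 (and leaves no file behind) unless the
# input is a parseable certificate that is marked as a CA.
prepare_ca_crt() {
  src="$1"; dst="$2"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
    cp "$src" "$dst"
  elif ! openssl x509 -inform der -in "$src" -out "$dst" 2>/dev/null; then
    rm -f "$dst"; return 1            # neither PEM nor DER: not a certificate
  fi
  # A leaf certificate in the trust store never validates a chain and usually
  # means the wrong file was exported from the proxy/AV console; refuse it.
  if ! openssl x509 -in "$dst" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    rm -f "$dst"; return 1
  fi
  # Show subject and fingerprint so the operator can confirm it is the
  # expected CA and not an arbitrary file picked up by mistake.
  openssl x509 -in "$dst" -noout -subject -fingerprint -sha256
}

# Install the CA and restart the VM; the thread reports colima only picks the
# directory up on start. Then confirm the file reached the VM, as the manual
# check in the thread (limactl shell colima; ls /etc/docker/certs.d/) does.
install_ca_for_colima() {
  src="$1"; name="${2:-corp-ca}"
  mkdir -p "$HOME/.docker/certs.d"
  prepare_ca_crt "$src" "$HOME/.docker/certs.d/$name.crt"
  colima stop && colima start
  limactl shell colima ls -l /etc/docker/certs.d/
}

# Usage: sh this_script.sh /PATH/TO/CORP_OR_AV.cer [name]
if [ -n "${1:-}" ]; then
  install_ca_for_colima "$@"
fi
```

After the restart, a docker login or docker pull against the MITM'd registry should succeed without any insecure-registries entry, which is the check that the CA rather than a TLS bypass is doing the work.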

Hi, I went with the unsecure approach but maybe these pages help:

Self signed: https://docs.docker.com/registry/insecure/#use-self-signed-certificates

Unsecure: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry

Every change made with colima template requires a colima stop and colima start. You can check the status of the colima instance by executing limactl shell colima and then:

colima:/Users/user$ ls /etc/docker/certs.d/
colima:/Users/user$ cat /etc/docker/daemon.json
{
  "exec-opts": [
    "native.cgroupdriver=cgroupfs"
  ],
  "features": {
    "buildkit": true
  },
  "host-gateway-ip": "192.168.5.2",
  "insecure-registries": [
    "https://registry.xxx:443",
    "https://registry.xxx"
  ]
}

I am wondering, however, if I can use the CLI for configuration overrides. I noticed there is a --env option, but it is not documented and I found no examples.

At the moment, it can only be configured via the config file.