compose: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate when using docker compose with DOCKER_HOST

Context information (for bug reports)

Output of docker-compose version

docker-compose version 1.26.2, build eefe0d31
docker-py version: 4.2.2
CPython version: 3.7.7
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

Output of docker version

Client:
 Version:           19.03.6
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        369ce74a3c
 Built:             Fri Feb 28 23:45:43 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.6
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       369ce74a3c
  Built:            Wed Feb 19 01:06:16 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.3-0ubuntu1~18.04.2
  GitCommit:
 runc:
  Version:          spec: 1.0.1-dev
  GitCommit:
 docker-init:
  Version:          0.18.0
  GitCommit:

Output of docker-compose config (Make sure to add the relevant -f and other flags)

does not matter

Steps to reproduce the issue

  1. I want to use docker-compose with DOCKER_HOST setting and custom self signed certificates to deploy to another host
  2. I copied ca.pem cert.pem key.pem generated on my server to ~/.docker
  3. did export DOCKER_HOST=tcp://my.host:2376 DOCKER_TLS_VERIFY=1
  4. did docker ps and it works perfectly:
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Observed result

Then, executing

docker-compose ps
ERROR: SSL error: HTTPSConnectionPool(host='my.host', port=2376): Max retries exceeded with url: /v1.30/volumes/deploy_v-db-data (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)')))

Expected result

docker-compose ps works without an error and using same Environment variables

Additional information

Checked other env variables which might cause requests (used in docker-compose) to work wrong, like echo $REQUESTS_CA_BUNDLE; they are empty.

How to debug it? Thanks

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 20

Most upvoted comments

I had the same error (running against a QNAP NAS, which gave me the cert bundle to install in ~/.docker) and the following fixed it for me. I run Debian unstable on my laptop and just updated docker-compose with pip.

Does it work if you execute CURL_CA_BUNDLE='' docker-compose ps?

BTW we fixed our issue and even created a script which generates TLS certificates, without docker machine.

Basically you can execute it on server:

curl -s -L https://raw.githubusercontent.com/devforth/docker-tls-generator/main/generate-tls.sh | bash

And then deliver the content of the following to the machine from which you want to connect to Docker:

  • cat ~/.docker/ca.pem
  • cat ~/.docker/key.pem
  • cat ~/.docker/cert.pem

💡 Make sure that you run the script on each new server, because it uses the public IP address of the server as the Host in the certificate (the script does curl ifconfig.me)

💡 Tested on Ubuntu 20.04, works out of the box

We are using it to deploy from our CI server; here is a detailed guide:

https://hinty.io/vverenko/deploy-docker-compose-using-woodpecker-ci/

So I think the issue is resolved and could be closed

Maybe it's an openssl issue? I could fix it by downgrading openssl from 1.1.1h to 1.1.1g

# docker-compose version
docker-compose version 1.27.4, build unknown
docker-py version: 4.3.1
CPython version: 3.8.5
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
