Cannot check for Updates when behind MITM SSL Proxy #994

Closed
jsok opened this issue Nov 30, 2016 · 17 comments

@jsok

jsok commented Nov 30, 2016

Expected behavior

I click the "Check for Updates..." button and get an "Install and Relaunch" window.

[Screenshot: screen shot 2016-11-30 at 2 49 58 pm]

Actual behavior

[Screenshot: screen shot 2016-11-30 at 2 49 52 pm]

Information

"Diagnose & Feedback" fails to upload (potentially for the same reason the update checking fails).

Steps to reproduce the behavior

When behind a Proxied internet connection, attempt to check for updates.

@ebriney
Member

ebriney commented Dec 5, 2016

Hi, updates and diagnoses use standard HTTPS requests and are done on the host side in user mode, so there must be something blocking the app in your internet settings (firewall, proxy, VPN/DNS).
I don't think we can do anything; perhaps adding a no-proxy rule on https://download.docker.com can solve your problem.

@rogaha

rogaha commented Dec 9, 2016

@jsok is it still an issue?

@jsok
Author

jsok commented Dec 11, 2016

Yes, still an issue.

I can access the download URL:

> curl -I https://download.docker.com
HTTP/1.1 200 Connection established
Connection: close

HTTP/1.1 403 Forbidden
Content-Type: application/xml
x-amz-bucket-region: us-east-1
Date: Sun, 11 Dec 2016 22:19:30 GMT
Server: AmazonS3
X-Cache: Error from cloudfront
Via: 1.1 1fe5a3dd696b067d230fbe4cb4093583.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 9OGr9eUPS3XMEGVWN46p2iYfP0IaeaiiZChqmT8Up08wEvzLx-N5jg==
Proxy-Connection: Keep-Alive
Connection: Keep-Alive

Another factor is a corp MITM SSL setup; however, the CA is in my Keychain and trusted (and Docker for Mac recently acquired the ability to honour it).
Potentially the download URL is failing due to an SSL issue?

dsheets changed the title from "Cannot check for Updates when behind Proxy" to "Cannot check for Updates when behind MITM SSL Proxy" on Jan 17, 2017

@davidebelloni

Hi,
I have the same behavior, and it seems to be related to the macOS Sierra version, where Proxy PAC configuration has issues.

Here are the logs:
default 11:22:53.768722 +0100 Docker UNIX error exception: 17
default 11:22:53.768869 +0100 Docker 0x608000871a00 opened /private/var/db/mds/system/mdsDirectory.db: 50744 bytes
default 11:22:53.768968 +0100 Docker 0x608000871a00 closed /private/var/db/mds/system/mdsDirectory.db
default 11:22:53.769246 +0100 Docker UNIX error exception: 17
default 11:22:53.769408 +0100 Docker 0x608000a64b00 opened /Users/davidebelloni/Library/Keychains/login.keychain-db: 1491840 bytes
default 11:22:53.770135 +0100 Docker 0x608000a64b00 closed /Users/davidebelloni/Library/Keychains/login.keychain-db
default 11:22:53.772182 +0100 Docker loading /Users/davidebelloni/Library/Keychains/login.keychain-db
default 11:22:53.776222 +0100 Docker 0x60800087c5c0 opened /Library/Keychains/System.keychain: 36904 bytes
default 11:22:53.776611 +0100 Docker 0x60800087c5c0 closed /Library/Keychains/System.keychain
default 11:22:53.778658 +0100 Docker loading /Library/Keychains/System.keychain
default 11:22:53.782179 +0100 Docker TIC TCP Conn Start [14:0x6080003830c0]
default 11:22:53.783473 +0100 Docker PAC for url is expired, evicting
default 11:22:53.783667 +0100 Docker PAC fetch start for
error 11:22:53.784522 +0100 Docker NSURLSessionTask finished with error - code: -1022
default 11:22:53.784937 +0100 Docker PAC fetch end for . data 0x0 response 0x0 error 0x600000250560
error 11:22:53.785352 +0100 Docker PAC Fetch failed with error [NSURLErrorDomain:-1022]
error 11:22:53.785566 +0100 Docker nw_proxy_resolver_create_parsed_array PAC evaluation error: NSURLErrorDomain: -1022
default 11:22:53.793999 +0100 Docker TIC TCP Conn Start [15:0x600000182490]
error 11:22:53.794536 +0100 Docker PAC Fetch failed with cached error [NSURLErrorDomain:-1022]
error 11:22:53.794626 +0100 Docker nw_proxy_resolver_create_parsed_array PAC evaluation error: NSURLErrorDomain: -1022
error 11:23:24.058475 +0100 Docker NSURLConnection finished with error - code -1001
default 11:23:24.059740 +0100 Docker TIC TCP Conn Cancel [15:0x600000182490]
error 11:23:24.060703 +0100 Docker HTTP load failed (error code: -999 [1:89])
default 11:23:25.093632 +0100 Docker Sparkle: Error: An error occurred in retrieving update information. Please try again later. The request timed out. (URL https://download.docker.com/mac/stable/appcast.xml)
default 11:23:25.094163 +0100 Docker Sparkle: Error: The request timed out. (null) (URL https://download.docker.com/mac/stable/appcast.xml)
default 11:23:25.095193 +0100 Docker Sparkle: Error: The request timed out. (null) (URL https://download.docker.com/mac/stable/appcast.xml)
error 11:23:53.832378 +0100 Docker NSURLSessionTask finished with error - code: -1001
error 11:23:53.832657 +0100 Docker Analytics: Failed to track event: actionMenuCheckForUpdate. The request timed out.
default 11:23:53.832710 +0100 Docker TIC TCP Conn Cancel [14:0x6080003830c0]
error 11:23:53.833072 +0100 Docker HTTP load failed (error code: -999 [1:89])

Does anyone know how we can solve the PAC problem in Sierra?

Thanks
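
A triage sketch for the log in the comment above, added here as an example and not part of the original thread or Docker's code: it maps the NSURLErrorDomain codes to their meanings and separates the PAC fetch failure from the later update-check timeout. The function names and the wording of the cause strings are assumptions; `SAMPLE` is an excerpt of the lines quoted above.

```python
import re

# NSURLErrorDomain codes (Apple's NSURLError.h) that appear in the log above.
NSURL_ERRORS = {
    -999: "cancelled",
    -1001: "request timed out",
    -1022: "blocked by App Transport Security (insecure connection)",
}
CODE_RE = re.compile(r"(?:code:?|NSURLErrorDomain:)\s*(-\d+)")
URL_RE = re.compile(r"\(URL (https?://[^\s)]+)\)")

# Excerpt of the log lines quoted in the comment above.
SAMPLE = """\
error 11:22:53.785352 +0100 Docker PAC Fetch failed with error [NSURLErrorDomain:-1022]
error 11:22:53.785566 +0100 Docker nw_proxy_resolver_create_parsed_array PAC evaluation error: NSURLErrorDomain: -1022
error 11:23:24.058475 +0100 Docker NSURLConnection finished with error - code -1001
error 11:23:24.060703 +0100 Docker HTTP load failed (error code: -999 [1:89])
default 11:23:25.094163 +0100 Docker Sparkle: Error: The request timed out. (null) (URL https://download.docker.com/mac/stable/appcast.xml)
"""

def triage(log_text):
    """Group NSURLError codes by whether they hit the PAC fetch or a later request."""
    pac, other, urls = set(), set(), set()
    for line in log_text.splitlines():
        urls.update(URL_RE.findall(line))
        m = CODE_RE.search(line)
        if not m:
            continue
        (pac if "PAC" in line else other).add(int(m.group(1)))
    if -1022 in pac:
        cause = "PAC fetch blocked by App Transport Security; proxy list not evaluated"
    elif pac:
        cause = "PAC fetch failed: " + ", ".join(describe(c) for c in sorted(pac))
    elif -1001 in other:
        cause = "request timed out; PAC fetch not implicated in this excerpt"
    else:
        cause = "no known proxy failure pattern"
    return {"cause": cause, "pac_codes": sorted(pac),
            "request_codes": sorted(other), "failed_urls": sorted(urls)}

def describe(code):
    """Render a code with its meaning, e.g. for the generic PAC failure branch."""
    return f"{code} ({NSURL_ERRORS.get(code, 'unknown NSURLError')})"

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
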

@neurostream

...a similar observation related to corporate MITM SSL proxy noted in #2386.

@alvarow

alvarow commented Jan 17, 2018

Seems #2386 issue was identified and tested working. See the test build to give it a try.

@docker-robott
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@jsok
Author

jsok commented May 9, 2018

/remove-lifecycle stale

#2386 is a different problem.

@YRM64

YRM64 commented May 10, 2018

Ebriney commented on this issue over a year ago. Sometimes there may be something in the internet settings that is causing the problem ("firewall, proxy, vpn/dns"). He suggests that creating a proxy rule might help.

@jsok
Author

jsok commented Aug 8, 2018

/remove-lifecycle stale

@ebriney @YRM64 yes, this is precisely the problem: Docker for Mac doesn't honour the system proxy settings and/or the macOS Keychain for SSL CA trust.

We had all these same issues (proxy support, import CAs from Keychain) with dockerd inside Docker for Mac and they got solved. This issue is in regard to getting the same settings honoured when checking for updates.

@jsok
Author

jsok commented Nov 6, 2018

/remove-lifecycle stale

@jsok
Author

jsok commented Feb 4, 2019

/remove-lifecycle stale

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

docker locked and limited conversation to collaborators on Jun 21, 2020