How to fix expired client cert in docker-machine

Try:

docker-machine regenerate-certs --client-certs <machine name>

The --client-certs is important.

Note:

The validity can be inspected by running:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text -noout | less

The result is something like:

 Certificate:
     Data:
     ...
     Signature Algorithm: sha256WithRSAEncryption
         ...
         Validity
             Not Before: Mar 12 09:03:00 2018 GMT
             Not After : Feb 24 09:03:00 2021 GMT
     ...

Update - as I commented on 2/14/2018, this is now part of docker-machine.
Try: docker-machine regenerate-certs --client-certs

Historical answer below:

---

First, docker-machine regenerate-certs does NOT regenerate the client certificate(s).

After poking around with openssl I discovered that it was actually the client certificate that had expired. Verify:

openssl x509 -in ~/.docker/machine/certs/cert.pem -text | grep "Not After"

I tried recreating the certs in situ with the same ca.pem but it didn't work out (for me). I'm guessing it would have eventually worked, given a lot more time and trial and error.

What eventually worked was backing up the whole dir, creating a dummy throwaway machine (to force docker-machine to create new certs), moving configs, ssh keys, and server certificates (not client certificates), then issuing a regenerate for each machine. NB, it's disruptive and painful. As the warning shows, docker-machine regenerate-certs will restart docker on the target machine. Though it's too late for me, I would like to see a better answer.

The process looks something like:

#!/bin/bash

cd ~/.docker || exit
cp -R machine machine.bak
rm -rf machine
docker-machine create deleteme
docker-machine rm -rf deleteme
cd machine/machines || exit

for m in $(~/.docker/machine.bak/machines)
do
    cp -R "../../machine.bak/machines/$m" .
    rm "$m/cert.pem"
    rm "$m/key.pem"
    cp certs/cert.pem "$m"
    cp certs/key.pem "$m"
    docker-machine regenerate-certs -f
done