This repository has been archived by the owner on Mar 21, 2022. It is now read-only.

Invalid RSA private key when using Docker client with maven dockerfile:build with Docker Data Center 17.06 #887

Closed
blueelephants opened this issue Sep 10, 2017 · 6 comments · Fixed by #1033

Comments

@blueelephants

Description

I have created my client bundle in Docker Data Center which consists of these files:

ca.pem
cert.pem
cert.pub
env.cmd
env.ps1
env.sh
key.pem

Where key.pem is an "EC PRIVATE KEY".

When I load client bundle (via source ./env.sh) the environment variables are set correctly:

DOCKER_HOST=tcp://dckdftest01.cloud.mycompany.com:443
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/home/myUsera/ucp/ucp-bundle-myUser-dckdftest01

This means, I can run commands like docker info, docker ps, docker build, etc. without any problems on the remote Docker cluster.

However, when I use dockerfile-maven-plugin to build a Docker image on the remote Docker cluster, I get an "Invalid RSA private key" error message.

How to reproduce

  1. source ./env.sh
  2. change to your Java Maven project with the dockerfile plugin configured
    My plugin configuration in Maven is straight-forward:
    <plugin>
      <groupId>com.spotify</groupId>
      <artifactId>dockerfile-maven-plugin</artifactId>
      <version>1.3.5</version>
      <configuration>
        <repository>myRepository:10002/${project.artifactId}</repository>
        <tag>${project.version}</tag>
        <buildArgs>
          <APP_NAME>${project.artifactId}</APP_NAME>
          <APP_VERSION>${project.version}</APP_VERSION>
        </buildArgs>
      </configuration>
    </plugin>
    
  3. mvn dockerfile:build

What do you expect

Docker images should be built on the remote Docker cluster successfully.

What happened instead

I get these error messages from conc. "Invalid RSA private key" (see full stack trace below):

It somehow cannot find my Docker certificates and/or it seems to be that there is an invalid RSA private key having a version not being 0?

I also read this post and I converted the EC key to a PKCS#8 private key using these commands

mv key.pem key.pem.ec   
openssl pkcs8 -topk8 -nocrypt -in key.pem.ec -out key.pem

But unfortunately, that still doesn't help - I get the very same error messages.

Software:

  • docker version:
    Docker Data Center 17.06:
Client:
 Version:      1.13.1-cs1
 API version:  1.26
 Go version:   go1.7.5
 Git commit:   8709b81
 Built:        Thu Feb  9 02:32:02 2017
 OS/Arch:      linux/amd64

Server:
 Version:      ucp/2.2.0
 API version:  1.30 (minimum version 1.20)
 Go version:   go1.8.3
 Git commit:   f1aca4dc1
 Built:        Wed Aug 16 06:15:15 UTC 2017
 OS/Arch:      linux/amd64
 Experimental: false
  • Spotify's dockerfile plugin:
    1.3.5
  • Spotify's docker-client version:
    According to here, dockerfile plugin 1.3.5 uses Docker client 8.8.1

Full backtrace


org.apache.maven.plugin.MojoExecutionException: Could not load Docker certificates
        at com.spotify.plugin.dockerfile.AbstractDockerMojo.openDockerClient(AbstractDockerMojo.java:403)
        at com.spotify.plugin.dockerfile.AbstractDockerMojo.tryExecute(AbstractDockerMojo.java:227)
        at com.spotify.plugin.dockerfile.AbstractDockerMojo.execute(AbstractDockerMojo.java:216)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
        at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: com.spotify.docker.client.exceptions.DockerCertificateException: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
        at com.spotify.docker.client.DockerCertificates.<init>(DockerCertificates.java:115)
        at com.spotify.docker.client.DockerCertificates.<init>(DockerCertificates.java:63)
        at com.spotify.docker.client.DockerCertificates$Builder.build(DockerCertificates.java:229)
        at com.spotify.docker.client.DefaultDockerClient.fromEnv(DefaultDockerClient.java:2607)
        at com.spotify.plugin.dockerfile.AbstractDockerMojo.openDockerClient(AbstractDockerMojo.java:397)
        ... 24 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
        at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
        at com.spotify.docker.client.DockerCertificates.generatePrivateKey(DockerCertificates.java:149)
        at com.spotify.docker.client.DockerCertificates.readPrivateKey(DockerCertificates.java:135)
        at com.spotify.docker.client.DockerCertificates.<init>(DockerCertificates.java:87)
        ... 28 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
        at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:206)
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:342)
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356)
        at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
        at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
        at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
        ... 32 more
Caused by: java.io.IOException: Version must be 0
        at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:192)
@marcomsousa
Contributor

I also have this problem.

Docker Client should support EC private key

@kmarokas

I have the same problem. My docker server version is ucp/2.2.3. The private key (key.pem) in the ucpbundle is an EC private key. Further investigation of the docker-client source code shows that in class com.spotify.docker.client.DockerCertificates#generatePrivateKey(PrivateKeyInfo privateKeyInfo) there is a hard-coded expectation that the private key must be an RSA private key.

I don’t know if it is possible to change the docker datacenter configuration to use an RSA private key. Unfortunately, the IT support in our company has no idea how to do this. And I think the docker-client should support both types (EC and RSA) of private keys.
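
An added example, not code from this thread or from docker-client: it reproduces the failure in the stack trace with a PKCS#8-encoded EC key (the form `openssl pkcs8 -topk8 -nocrypt` produces) and shows a loader that does not assume RSA. The class name `Pkcs8KeyLoader`, its `load` method and the generated throwaway key are assumptions made for illustration; only JDK APIs are used.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class Pkcs8KeyLoader {  // hypothetical name, not a docker-client class
    // A PKCS#8 blob only parses under the KeyFactory of its own algorithm.
    private static final String[] ALGORITHMS = {"RSA", "EC"};

    /** Decodes a "-----BEGIN PRIVATE KEY-----" (PKCS#8) PEM without assuming RSA. */
    static PrivateKey load(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        for (String alg : ALGORITHMS) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // Wrong algorithm for this key; try the next one.
            }
        }
        throw new InvalidKeySpecException("not an RSA or EC PKCS#8 private key");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway P-256 key, PEM-encoded as PKCS#8.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        byte[] der = gen.generateKeyPair().getPrivate().getEncoded();
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der)
                + "\n-----END PRIVATE KEY-----\n";

        // RSA-only path, as hard-coded in the affected client: rejects the EC key.
        try {
            KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (InvalidKeySpecException e) {
            System.out.println("RSA-only load failed: " + e.getMessage());
        }
        // Algorithm-agnostic path: the same bytes load as an EC key.
        System.out.println("Fallback load: " + load(pem).getAlgorithm());
    }
}
```

A key still in the bundle's original "EC PRIVATE KEY" (SEC1) PEM form is not PKCS#8 and needs converting, or a PEM parser such as BouncyCastle's, before this loader can read it.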

@marcomsousa
Contributor

marcomsousa commented Feb 26, 2018

I fixed this by creating a class MyDockerCertificates that implements DockerCertificatesStore

DefaultDockerClient.builder().uri(URI.create("https://ucp.xxx.xxx"))
    .dockerCertificates(new MyDockerCertificates()).build();

@soufianetomase

@marcomsousa can you please put the class on git

@chrsoo

chrsoo commented Apr 4, 2018

@soufianetomase PR #1007 seems to resolve the issue.

@khajapm

khajapm commented Apr 13, 2018

@marcomsousa, can you please advise whether you added the file with the fix to your project codebase, or was this pushed into the Spotify plugin code?
If added to the Spotify plugin, which version has this fix? I'm currently using 0.4.11.

Appreciate your help!

chrsoo pushed a commit to chrsoo/docker-client that referenced this issue May 29, 2018
chrsoo pushed a commit to chrsoo/docker-client that referenced this issue May 30, 2018
davidxia pushed a commit that referenced this issue Jun 2, 2018