From d175ef6773708afef5982d233ad600f18cf2cdc2 Mon Sep 17 00:00:00 2001
From: Phil Estes <estesp@linux.vnet.ibm.com>
Date: Fri, 5 Jun 2015 16:48:59 -0400
Subject: [PATCH] Add better client error for client certificate failure
 (missing or denied)

This adds a more meaningful error on the client side so the "bad
certificate" error coming from the TLS dial code has some context for
the user.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
---
 api/client/utils.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/client/utils.go b/api/client/utils.go
index 8f1188d8ed..8397b2cd25 100644
--- a/api/client/utils.go
+++ b/api/client/utils.go
@@ -102,6 +102,10 @@ func (cli *DockerCli) clientRequest(method, path string, in io.Reader, headers m
 		if cli.tlsConfig == nil {
 			return serverResp, fmt.Errorf("%v.\n* Are you trying to connect to a TLS-enabled daemon without TLS?\n* Is your docker daemon up and running?", err)
 		}
+		if cli.tlsConfig != nil && strings.Contains(err.Error(), "remote error: bad certificate") {
+			return serverResp, fmt.Errorf("The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: %v", err)
+		}
+
 		return serverResp, fmt.Errorf("An error occurred trying to connect: %v", err)
 	}