docker-compose pull results in x509: certificate signed by unknown authority

Question

I'm hitting the following error when trying to pull the elastcisearch images from dockerhub.

docker-compose pull
Pulling elasticsearch (elasticsearch:2.2.0)...
Pulling repository docker.io/library/elasticsearch
ERROR: Error while pulling image: Get https://index.docker.io/v1/repositories/library/elasticsearch/images: x509: certificate signed by unknown authority
Failed to run with docker-compose

My company has an Intermediate Root CA that I suspect is causing the problem. Any ideas how I should configure Docker to use the company Root CA?

Answer 1

I resolved the problem by adding the CA root .crt file the following directory: /etc/docker/certs.d/docker.io

Steps to resolve on Unbuntu 14:04 with Docker version 1.10.0, build 590d5108 and docker-compose version 1.6.0, build d99cad6:

• In Internet Explorer browse to docker.io/library/elasticsearch and export the companies Intermediate Root CA cert using DER format
• On Ubuntu mkdir -p /etc/docker/certs.d/docker.io/
• cp <cert from step one>.crt /etc/docker/certs.d/docker.io/
• service docker restart
• docker-compose pull now works and elasticsearch image downloads

More info here: https://docs.docker.com/engine/security/certificates/

Answer 2

1. Export the SSL certificate using Firefox.
   • Hit the URL in Firefox
   • Click on advanced, if you see warning or the lock on the URL bar.
   • Export the certificate(In Details tab)
   • Let's assume the cert file name is your.ssl.server.name.crt
2. Copy CA cert to /usr/local/share/ca-certificates.
3. sudo update-ca-certificates
4. sudo service docker restart

Answer 3

On native docker (I'm on a mac), this can be resolved by adding to the insecure registries configuration. Preferences > Advanced > Insecure Registries