I was trying to pull a docker image from a docker registry but hit the following issue:
$ docker pull <docker registry>/<image name>/<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority
I tried with "curl" and get a similar error message:
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:
$ cp root_cert.cer /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
After the root cert is imported, I can see curl is working fine, as it no longer complains about the cert error; however, if I use docker pull I still have the same issue. Is docker using a different ca-cert location than curl? How do I fix the issue with docker pull in this situation?
How to resolve the Docker "x509: certificate signed by unknown authority" error: import the CA certificate in use by the ICP into the system keystore, then restart the Docker client for the change to take effect.
The Docker daemon does not trust the self-signed certificate, which is what causes the x509 error. This can happen when the current certificate has expired, when the hostname has changed, or after similar changes.
So the solution is simple: install the root CA certificate on the server, and the error should be gone. If you don't know the root CA, open the URL that gives you the error in a browser (e.g. Chrome), click the lock next to the URL and select Certificate (Valid).
A custom certificate is configured by creating a directory under /etc/docker/certs.d.
First create a file - /etc/docker/daemon.json
Then run the following to add certs:
$ openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt
Works without restart.
OR
Import the cert to the system like this:
Save the cert to a file, like the command above (the port is crucial, no need for the protocol):
$ openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
Copy it to /usr/local/share/ca-certificates/:
$ sudo cp ca.crt /usr/local/share/ca-certificates/
Run update-ca-certificates:
$ sudo update-ca-certificates
Restart docker!
You may need to restart the docker service to get it to detect the change in OS certificates.
Docker does have an additional location you can use to trust an individual registry server's CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
or in Windows 10:
C:\ProgramData\docker\certs.d\ca.crt
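The two answers above describe the same procedure in pieces: pull the chain the registry presents with openssl s_client, keep only the PEM blocks, and drop the CA into either the per-registry directory /etc/docker/certs.d/<host[:port]>/ca.crt (picked up without a restart) or the OS trust store (which needs a daemon restart, the part the question was missing on RHEL 7). The script below is an added example that ties those steps together; it is not code from the question or from either answer. It assumes bash, openssl, sed and awk are present, that the registry reference is passed as host[:port] exactly as it appears in the image name, and that it is run as root when writing under /etc (CERTS_D can be overridden to test elsewhere). Two checks the answers leave implicit are made explicit: the fetch must actually return certificates, and the certificate installed must carry CA:TRUE, because trusting the leaf certificate instead would break again at the next rotation.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answers above.
# Installs a private registry's CA certificate where the Docker daemon looks for it.
# Assumes bash, openssl, sed and awk; registry reference is host[:port] as used in
# image names. Writing under /etc needs root (override CERTS_D for testing).
set -euo pipefail

# Docker consults /etc/docker/certs.d/<host[:port]>/ca.crt; the directory name must
# match the registry part of the image reference exactly, port included.
registry_cert_path() {
    printf '%s/%s/ca.crt' "${CERTS_D:-/etc/docker/certs.d}" "$1"
}

# Keep only the PEM certificate blocks from openssl s_client output on stdin
# (same sed range used in the answers above).
extract_pem_chain() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Number of certificates in a PEM file; 0 means the TLS handshake yielded nothing.
count_pem_blocks() {
    grep -c -- '-END CERTIFICATE-' "$1" || true
}

# s_client prints the leaf first; the last block is the highest CA the server sent.
last_cert() {
    awk '/-BEGIN CERTIFICATE-/ {buf = ""}
         {buf = buf $0 "\n"}
         /-END CERTIFICATE-/ {last = buf}
         END {printf "%s", last}' "$1"
}

# True when the PEM certificate on stdin carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# Fetch the chain the registry presents; SNI is set to the bare host name.
fetch_chain() {
    local registry="$1"
    openssl s_client -showcerts -connect "$registry" -servername "${registry%%:*}" \
        </dev/null 2>/dev/null | extract_pem_chain
}

# Per-registry trust: no daemon restart needed.
install_registry_ca() {
    local registry="$1" dest tmp
    dest="$(registry_cert_path "$registry")"
    tmp="$(mktemp)"
    fetch_chain "$registry" > "$tmp" || true
    if [ "$(count_pem_blocks "$tmp")" -eq 0 ]; then
        echo "no certificate received from $registry" >&2; rm -f "$tmp"; return 1
    fi
    if ! last_cert "$tmp" | is_ca_cert; then
        echo "server sent no CA certificate; obtain the root CA out of band" >&2
        rm -f "$tmp"; return 1
    fi
    mkdir -p "$(dirname "$dest")"
    last_cert "$tmp" > "$dest"
    rm -f "$tmp"
    echo "installed $dest"
}

# OS trust store alternative: distro-specific anchor directory, then restart dockerd,
# which only reads the system bundle at startup.
install_system_ca() {
    if [ -d /etc/pki/ca-trust/source/anchors ]; then          # RHEL / CentOS
        cp "$1" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
    elif [ -d /usr/local/share/ca-certificates ]; then        # Debian / Ubuntu
        cp "$1" /usr/local/share/ca-certificates/ && update-ca-certificates
    else
        echo "unknown trust store layout" >&2; return 1
    fi
    systemctl restart docker
}

# Usage: ./install-registry-ca.sh my-registry.example.com:5000
if [ -n "${1:-}" ]; then
    install_registry_ca "$1"
fi
```

Run it with the registry reference as the only argument; the certs.d path comes out as `/etc/docker/certs.d/my-registry.example.com:5000/ca.crt` for the sample reference the second answer uses. If the registry serves only its leaf certificate (no CA in the chain), the script refuses to install it, which is the correct outcome: the root CA then has to come from the registry operator rather than from the TLS handshake.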