X509 certificate signed by unknown authority docker windows

Docker Private Registry: x509: certificate signed by unknown authority

I am attempting to set up a private docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I’m getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply ‘ca.crt’, which the debug log again shows it seeing, but it didn’t have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl; either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don't need --cacert with curl, although I'm confused because I've since removed the certificate but curl still works.)

This is driving me nuts, any help would be greatly appreciated!

“docker pull” certificate signed by unknown authority

I was trying to pull a docker image from a docker registry but hit the following issue:

I tried with curl and got a similar error message:

So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:

After the root cert is imported, I can see curl is working fine as it won't complain about the cert error; however, if I use docker pull I still have the same issue. Is docker using a different ca-cert location than curl? How do I fix the issue with docker pull in this situation?

9 Answers

You may need to restart the docker service to get it to detect the change in OS certificates.

Docker does have an additional location you can use to trust an individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/ /ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:

or in Windows 10:


First create a file, /etc/docker/daemon.json:

Then run the following to add certs:

works without restart

OR

import the cert to system like

Save the cert to the file, like the command above (the port is crucial, no need for the protocol).

copy it to /usr/local/share/ca-certificates/


Here is a quick solution:

  • Edit or create the file /etc/docker/daemon.json and add insecure-registries:

example for docker.squadwars.org:

  • Restart docker daemon
  • Create a directory with the same name as the host.

example for docker.squadwars.org:

  • Get the certificate and save it to the created directory.

For the MacOS Docker Desktop user:

Go to your repository’s URL in a browser. You may have to accept all security prompts.

Click on the padlock 🔓 on the address bar, then click on "Certificate" (on Chrome) or "Show Certificate" (on Safari).


Click and hold down on the big paper icon of the certificate and drag it to a folder of your preference, or the desktop.

Open your terminal (make sure to replace the last argument with the location of your file):

Restart your docker engine.

For my case, the error was on «docker login» command.

The solution I found for my ubuntu:

I downloaded the crt file via Firefox (lock icon in the URL address bar) and saved it:

For anyone who is using CentOS 7, this is what worked for me:

  • Obtain necessary certificate (e.g. from your company)
  • Copy the certificate to ca-trust location:
  • Update the certificate:
  • Reload daemon and restart docker:

By default docker keeps a local Certificate store, in Centos: /etc/sysconfig/docker. In organizations, the servers usually come preinstalled with their own Root Cert. So if you use a cert issued by the organization, docker will not be able to find the organization's Root Cert when it refers to its local store. So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete its local Certificate store (Centos: /etc/docker/certs.d). Restarting the docker service after you make the change will resolve this issue.

For me I ended up doing this to get it to work:

In my case I had the same problem inside a KIND container. Curl didn’t work there.

and the update-ca-certificate command didn’t work for me. I had to append the CA certificate to the /etc/ssl/certs/ca-certificates.crt file:

And then curl worked properly.


Docker on Windows (Boot2Docker) — certificate signed by unknown authority error

I am running Docker on Windows (boot2docker + Oracle Virtual Box). In my corporate environment they modify the certificates so that the CAs are the company's self-signed CAs. Thus, the chain ends up like this:

When I try to run any command, such as:

I get this error:

I have found several answers to this problem but always for Linux environments. How can I workaround this problem in Windows?

3 Answers

This general issue has been plaguing me for a couple of months. I first noticed it when trying to get a local virtual machine to fetch Python packages, so I already had an idea that certificates would be an issue. I solved it for my VMs, but hadn’t until today been able to work out a solution for Docker. The trick is to add the certificates to Docker’s cert store and have them persist. This is accomplished by using a bootlocal.sh script that executes every time the machine starts.

I assume if you’ve already found the answers for Linux, you already know the first steps. I will document them here for the sake of being thorough, because others may not have gotten this far. Start with #3 below if you’ve already done #1 and #2 by way of previous attempts.

Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, you can go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization. Export each (I have two), one at a time. You can either choose DER format and do step #2 below to convert to PEM, or you can choose Base-64 encoded x.509 (.CER) and simply rename the extension to .pem and skip step #2.

Once you have them saved to a known location, you will want to convert them to PEM format unless you saved them as such. The easiest way I found to do this was to run the openssl.exe[1] command from within the Docker Quickstart Terminal.

Once you have the .pem files, you will want to copy them to a location to which your Docker machine has access. Typically for MS Windows, you'll have /c/Users of the host machine automatically mounted inside your docker machine. I made a directory in c:\Users\my.username\certs and copied them there.

This step may not be strictly necessary, but it’s what I did, and it works. You will want to copy those certificates into your boot2docker partition, which is persistent. I am connecting to my default machine, which IS something you will need to do for Step 5.


Now it’s time to write a bootlocal.sh script, which will copy the certificates to the proper location each time the system starts.[2] If you haven’t already, open an SSH connection to the machine, per Step 4.

Insert the following and save the file:

Restart the machine, either by using the reboot command from within the machine, or by using the docker-machine command from the Docker terminal:

Now you should be able to run ‘hello-world’ and others. I hope this helps.

access private registry: x509: certificate signed by unknown authority #8849


hustcat commented Oct 30, 2014

I set up docker-registry with nginx by following here.

I run ‘docker login’, get this error:

docker daemon’s output:


tiborvass commented Nov 4, 2014

@hustcat As of Docker 1.3.1, you can do --insecure-registry dev.registry.com:5000; you can replace 5000 with whichever port your registry is listening on.

I’m closing this now, but let us know in the comments if this did not solve your issue.

behemphi commented Nov 4, 2014

I am leaving this here b/c it took me a few minutes to figure it out, and might save someone the time. The command would be:

%> docker --insecure-registry=docker-registry.example.com:8080 login https://docker-registry.example.com:8080

Thanks for getting the switch put in place for 1.3!

rhasselbaum commented Jan 19, 2015

I am facing the same problem. The certificate validation works for the ping (and pushing/pulling), but not login.

The --insecure-registry flag is a workaround, not a fix. The certificate validation should work if the CA certificate is loaded into /etc/docker/certs.d/, but it doesn't.

cdub50 commented Jan 19, 2015

I can't even get it to work by setting --insecure-registry. I am on docker 1.3.2 on RedHat 7.

[root@ip-10-2-20-209 ec2-user]# docker --insecure-registry=qa.docker.repo login https://qa.docker.repo
Username: qa
Password:
Email: qa@user.com
2015/01/19 14:26:40 Error response from daemon: Server Error: Post https://qa.docker.repo/v1/users/: x509: certificate signed by unknown authority

curl works fine when I use the generated ca.pem file.

mariopirker commented Jan 19, 2015

I'm having the same issue on docker version 1.3.2 and opensuse 13.1. I even tried to statically pass --cafile cacert.pem to every curl call (since I assumed docker internally just uses curl); however, this also did not help.

Any help would be much appreciated.

ghost commented Jan 19, 2015

Before I found this issue, I opened #10150. They appear to be the same issue.

jeffutter commented Jan 20, 2015

I seem to be having the same issue. Archlinux client 1.4.1 and the registry running from the official docker container. Anyone have any thoughts?

grimmy commented Jan 20, 2015

If you’ve installed the cert globally (via ca-certificates) make sure you restart docker as it won’t reload the global ssl certs. That said, mine still isn’t working, but I ran into that at work 🙂

mariopirker commented Jan 20, 2015

Thank you grimmy, that did the trick on my end and it finally works. I did:

  1. Get cacert.pem from http://curl.haxx.se/docs/caextract.html
  2. Copy the cacert.pem file to /etc/pki/trust/anchors/
  3. sudo update-ca-certificates
  4. sudo systemctl stop docker
  5. sudo systemctl start docker

rhasselbaum commented Jan 20, 2015

Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:

  1. Copy CA cert to /usr/local/share/ca-certificates.
  2. sudo update-ca-certificates
  3. sudo service docker restart

There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/, and clearly that isn't sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.

GaretJax commented Jul 8, 2015

+1 for reopening this, as @rhasselbaum mentioned

cjw296 commented Sep 16, 2015

Has --insecure-registry gone away?

What should we use now?

cdub50 commented Sep 16, 2015

That goes in the docker config file. You can check if it's set by looking at
the docker process; you should see the --insecure-registry flag.

On Wed, Sep 16, 2015 at 3:01 AM, Chris Withers notifications@github.com
wrote:

$ docker --version
Docker version 1.8.2, build 0a8c2e3

$ docker --insecure-registry
flag provided but not defined: --insecure-registry
See 'docker --help'.

What should we use now?



hchaithanya commented Oct 8, 2015

I got the same error for docker pull command and I think the following should work.
Copy the SSL certificate which is the ‘.crt’ file to the directory

sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
Let Ubuntu add the ‘.crt’ file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf


sudo dpkg-reconfigure ca-certificates

carloshpds commented Nov 30, 2015

If your machine state is not important, you can run docker-machine rm and create another one 😉

rezonant commented Feb 16, 2016

If you use LetsEncrypt and you don't want to run anything without proper TLS, make sure to provide the full chain of the certificate including intermediates (i.e. REGISTRY_HTTP_TLS_CERTIFICATE=. /fullchain.pem); you may see green in Chrome while still getting this error from Docker.

JazzDeben commented Sep 16, 2016

On Ubuntu. If you experience error:

  • x509: cannot validate certificate for [IP address or domain name] because it doesn’t contain any IP SANs

On the Docker registry the certificate had to be compiled with the subjectAltName as described here:
https://docs.docker.com/engine/security/https/

Here is the code for convenience:
$ echo subjectAltName = IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf

Note, I was able to check the subject alternative name is present in the certificate using the following command:
openssl x509 -in certificate.crt -text -noout

However, on the Ubuntu 14 client (i.e. Docker Engine) this error was followed by:
x509: certificate signed by unknown authority

For people using Ubuntu 14: the config file that is used for the Docker engine (that I want to use to connect to the Docker Registry) is:
/etc/default/docker

In there, you need to specify the docker options:
DOCKER_OPTS="--insecure-registry myinsecure.com:5000"

Then restart the daemon (add sudo if your user is not allowed to start a docker service):
$ [sudo] service docker restart

The value does not need to be a domain name; it simply has to match what your certificate is registered with. I have an IP address with a port and this works (e.g. 100.100.100.100:100).

All this took me a day, so, I am posting this hoping that it will be useful to other people.

sallespro commented Oct 4, 2016

@JazzDeben Thanks for your remarks! Very useful! I am not sure how to do it with a Let's Encrypt certbot generated certificate.
I get this error in the registry server

Chrome complains about ERR_BAD_SSL_CLIENT_AUTH_CERT
if I include

david-drinn commented Oct 6, 2016

@cjw296 For RHEL7.2, I edited the file /usr/lib/systemd/docker.service, and in the ExecStart line added --insecure-registry=your.docker.registry.com.

Then I ran sudo systemctl daemon-reload to pick up the configuration change, followed by sudo systemctl restart docker. And now it works.

To be honest, I’m still a systemd noob and there are probably better ways to do this more cleanly. But I struggled with this for too long, and wanted to post a workaround. Thanks to @cdub50 for leading me in the right direction.

dovecode commented May 5, 2017

@david-drinn For Fedora 25, I did something similar, but since the docker daemon config (in /usr/lib/systemd/system/docker.service) sources setup from configuration files, I made the change in /etc/sysconfig/docker:

FCA69 commented May 19, 2017

If curl is working and docker not, you can:
  • create the "/etc/docker/certs.d//." directory & files (valid for private registries only?)
  • add a "tlscert" entry in your "/etc/docker/daemon.json" file, so that dockerd uses the same certificates as curl does.

antoniomercado commented Jun 6, 2017

To those that run into this issue: if you have self-signed certificates and you do not want to use the "insecure-registry" directive, then you need to load your self-signed certificates into /etc/docker/certs.d//. After loading them in, remember to RESTART the docker daemon. To elaborate some more:

If your registry is hosted at https://exampleregistry.com you should have a directory called /etc/docker/certs.d/exampleregistry.com with your self-signed certs inside. Now you will be able to do docker login exampleregistry.com with no x509 error.
Now here is a caveat to all this: let's say you want to, for some reason, explicitly define the port in your login command, like this: docker login exampleregistry.com:443 (which would make no sense, but this is just an example). Then you need to ensure that your self-signed certificates are inside a folder called /etc/docker/certs.d/exampleregistry.com:443/. Docker makes no assumptions about certs resolving based on hostname only when using a port. You have to actually provide certs on a per-port basis by loading your self-signed certs into a folder name that includes the port you are trying to access.

Hopefully this saves many of you guys a lot of debugging who are using ports to connect to your docker registry.
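The per-registry directory that several answers above describe (ca.crt under /etc/docker/certs.d/<host>, with the port included as @antoniomercado notes) and the subjectAltName requirement from @JazzDeben's post, exercised end to end as an added example that is not code from this thread. It assumes openssl is on PATH and uses a scratch root directory you choose in place of /etc/docker, so it runs without touching a daemon.

```shell
#!/bin/sh
# Added example, not code from the thread: stage a CA the way dockerd expects it
# (<root>/certs.d/<host>:<port>/ca.crt, port included exactly as in the image
# reference) and verify a SAN-bearing registry certificate against that file.
# Assumes openssl is on PATH; <root> is any scratch directory you choose.
set -e

# stage_registry_ca ROOT HOST PORT
# Creates a throw-away CA, a server cert for HOST signed by it, and
# ROOT/certs.d/HOST:PORT/ca.crt (the only file dockerd reads for trust here).
stage_registry_ca() {
    root=$1; host=$2; port=$3
    mkdir -p "$root/certs.d/$host:$port"
    # Self-signed root: the "unknown authority" until a client is told to trust it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$root/ca-key.pem" -out "$root/ca.pem" 2>/dev/null
    # Server key and CSR for the registry host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$root/server-key.pem" -out "$root/server.csr" 2>/dev/null
    # Go's x509 verifier ignores the CN: the name or IP the client dials must be a
    # SAN, or the "doesn't contain any IP SANs" error from the thread follows.
    echo "subjectAltName = DNS:$host,IP:127.0.0.1" > "$root/extfile.cnf"
    openssl x509 -req -days 365 -sha256 -in "$root/server.csr" \
        -CA "$root/ca.pem" -CAkey "$root/ca-key.pem" -CAcreateserial \
        -out "$root/server-cert.pem" -extfile "$root/extfile.cnf" 2>/dev/null
    # dockerd loads every *.crt in the per-registry directory as a trusted CA.
    cp "$root/ca.pem" "$root/certs.d/$host:$port/ca.crt"
}

# verify_against_certs_d ROOT HOST PORT
# Returns 0 only if certs.d/HOST:PORT/ca.crt exists, signs server-cert.pem,
# and the certificate carries HOST as a DNS SAN; 1 otherwise.
verify_against_certs_d() {
    root=$1; host=$2; port=$3
    ca="$root/certs.d/$host:$port/ca.crt"
    [ -f "$ca" ] || { echo "no ca.crt under certs.d/$host:$port" >&2; return 1; }
    openssl verify -CAfile "$ca" "$root/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$root/server-cert.pem" -noout -text | grep -q "DNS:$host"
}

# Stand-alone run: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    stage_registry_ca "$tmp" myregistry.example.com 5000
    verify_against_certs_d "$tmp" myregistry.example.com 5000 && echo "trusted via certs.d"
    # Same cert, wrong directory name (port omitted): dockerd would look in
    # certs.d/myregistry.example.com:5000 and never see this CA.
    verify_against_certs_d "$tmp" myregistry.example.com 443 || echo "not found for :443"
    rm -rf "$tmp"
fi
```

The negative case at the end is the situation behind most of the reports above: the CA is correct but sits in a directory dockerd never consults.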

abdasgupta commented Jul 18, 2017

This is not resolved in my case:
I want to use a self-signed certificate for nexus OSS repository. But I am getting this error: Error response from daemon: Get https:// :10250/v1/users/: x509: certificate signed by unknown authority
