"docker pull" certificate signed by unknown authority
I was trying to pull a docker image from a docker registry but hit the following issue:
$ docker pull <docker registry>/<image name>/<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority
I tried with "curl" and got a similar error message:
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
So I downloaded the CA certificate and imported it into the server (RedHat Linux 7) with the following commands:
cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust
After the root cert is imported, I can see that curl is working fine, as it no longer complains about the cert error; however, if I use docker pull I still have the same issue. Is docker using a different ca-cert location than curl? How do I fix the issue with docker pull in this situation?
You may need to restart the docker service to get it to detect the change in OS certificates.
Docker does have an additional location you can use to trust an individual registry server's CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g.
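As an added example (not code from the question, this answer, or the Docker project), here is the per-registry approach above as a small shell helper: it installs a CA into Docker's certs.d directory for one registry only, so the OS trust bundle and other applications on the host are left untouched. Assumptions not stated on the page: the registry name registry.example.com:5000 used in the usage note is a placeholder; the certificate file must be PEM (Docker reads certs.d/*/ca.crt as PEM, so a DER .cer saved from a browser has to be converted first); and DOCKER_CERTS_ROOT can be overridden so the function can be exercised without root.

```shell
#!/usr/bin/env bash
# Added example: scope trust in a private registry CA to that one registry
# via Docker's certs.d, instead of adding it to the system-wide bundle.
#
# Assumptions (not from the page):
#   - the registry name is exactly the host[:port] used in the image reference
#   - the CA file is PEM, which is what Docker expects under certs.d
#   - DOCKER_CERTS_ROOT defaults to Docker's real directory but can be
#     overridden to a scratch directory for testing without root
set -u

DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# Print the path Docker will consult for a given registry's CA.
registry_ca_path() {
    printf '%s/%s/ca.crt\n' "$DOCKER_CERTS_ROOT" "$1"
}

# Return 0 if the file looks like a PEM certificate, 1 otherwise.
# A DER .cer (binary) downloaded from a browser is the usual mistake.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# install_registry_ca <host[:port]> <ca-file>
# Copies <ca-file> to $DOCKER_CERTS_ROOT/<host[:port]>/ca.crt after sanity checks.
install_registry_ca() {
    registry="$1"
    cert="$2"

    # The directory name must match the registry part of the image tag only:
    # no path component, no scheme, no whitespace.
    case "$registry" in
        ''|*/*|*" "*|http://*|https://*)
            echo "registry must be host or host:port exactly as used in the image tag" >&2
            return 1 ;;
    esac

    if ! is_pem_cert "$cert"; then
        echo "$cert is not PEM; convert it first, e.g.: openssl x509 -inform der -in $cert -out ca.crt" >&2
        return 1
    fi

    dest="$(registry_ca_path "$registry")"
    mkdir -p "$(dirname "$dest")" || return 1
    # 0644 is fine: this is a public root certificate, not a private key.
    cp "$cert" "$dest" && chmod 0644 "$dest" || return 1
    echo "installed $dest"
}

# Usage (placeholder registry name; run as root against the real directory):
#   install_registry_ca registry.example.com:5000 ./ca.pem
```

Two points worth knowing when using this. First, certs.d is consulted by the daemon when it connects to that registry, whereas the system CA bundle is loaded once when the daemon process starts; that is why changing the OS trust store needs a docker restart but a new certs.d entry usually does not. Second, the directory name must match the registry in the image reference byte for byte, including the port, otherwise Docker never looks there and you get the same x509 error as before.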
For my case, the error was on "docker login" command.
The solution I found for my ubuntu:
I downloaded the crt file via firefox (lock icon in the url address bar) and saved it as ~/mydomain:1234.crt
After that:
cp ~/mydomain:1234.crt /usr/local/share/ca-certificates/
update-ca-certificates
service docker restart
By default docker keeps a local certificate store, in Centos: /etc/sysconfig/docker. In organizations, the servers usually come preinstalled with their own Root Cert. So if you use a cert issued by the organization, docker will not be able to find the organization's Root Cert when it refers to its local store. So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete its local certificate store (Centos: /etc/docker/certs.d). Restarting the docker service after you make the change will resolve this issue.
- The answer here didn't resolve my issue , the official docs had the answer for me - docs.docker.com/registry/insecure . For me the certificate paths and update command are different for Red Hat and Ubuntu .
- @LostNomad311 thank you, the docs also helped me solve my issue
service docker restart fixed the issue after my change! The other note is useful as I can trust specific docker registries without affecting other applications.
- XXX: Creating an empty /etc/docker/daemon.json and restarting docker with systemctl restart docker caused my docker daemon to die. I had to remove the created file to be able to run it again.