Error response from daemon get x509 certificate signed by unknown authority

I was trying to pull a docker image from a docker registry but hit the following issue:

$ docker pull <docker registry>/<image name>:<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority

I tried with "curl" and get a similar error message:

 curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.

So I downloaded the CA certificate and imported it on the server (RedHat Linux 7) with the following commands:

cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust

After the root cert is imported, I can see curl is working fine as it no longer complains about the cert error; however, if I use docker pull I still have the same issue. Is docker using a different ca-cert location than curl? How do I fix the issue with docker pull in this situation?

asked Jun 8, 2018 at 20:57 by Chen Xie

You may need to restart the docker service to get it to detect the change in OS certificates.

Docker does have an additional location you can use to trust an individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

or in Windows 10:

C:\ProgramData\docker\certs.d\<docker registry>\ca.crt


answered Jun 8, 2018 at 21:08 by BMitch

  • first create an empty json file

    cat << EOF > /etc/docker/daemon.json
    { }
    EOF

  • then run the following to add the certs (the registry directory must exist first)

    mkdir -p /etc/docker/certs.d/[registry_address]
    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt

works without restart

OR

import the cert to the system like this:

  • save the cert to a file, as in the command above (the port is crucial, no need for the protocol)

    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt

  • copy it to /usr/local/share/ca-certificates/

    sudo cp ca.crt /usr/local/share/ca-certificates/

  • run update-ca-certificates

    sudo update-ca-certificates

  • restart docker!

answered Mar 20, 2019 at 12:08 by mati kepa

Here is a quick solution:

  • Edit or create the file /etc/docker/daemon.json and add insecure-registries:

example for docker.squadwars.org:

    {
        "insecure-registries" : ["docker.squadwars.org:443"]
    }

  • Restart the docker daemon

    systemctl restart docker

  • Create a directory with the same name as the host.

example for docker.squadwars.org:

    mkdir -p /etc/docker/certs.d/docker.squadwars.org

  • Get the certificate and save it to the created directory.

    ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt

answered Jan 31, 2020 at 18:23 by William Santos

For the MacOS Docker Desktop user:

Go to your repository’s URL in a browser. You may have to accept all security prompts.

Click on the padlock 🔓 on the address bar, then click on "Connection is secure/Certificate is valid" (on Chrome) or "Show Certificate" (on Safari), and a certificate window popup will appear.

For Chrome users, click on the "Details" tab and the "Export" button at the bottom to export the certificate file.

For Safari users, click and hold on the big paper icon of the certificate and drag it to a folder of your preference, or the desktop.

Open your terminal (make sure to replace the last argument with the location of your file):

security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ~/<<<somefolder>>>/<<<yourserver.cer>>>

Restart your docker engine.

answered Nov 16, 2020 at 3:18 by Zero Distraction

For my case, the error was on the "docker login" command.

The solution I found for my Ubuntu:

I downloaded the crt file via Firefox (lock icon in the URL address bar) and saved it as ~/mydomain:1234.crt

After that:

cp ~/mydomain:1234.crt /usr/local/share/ca-certificates/
update-ca-certificates
service docker restart

answered Jun 16, 2020 at 8:42 by jfgiraud

For Ubuntu 20:

sudo update-ca-certificates --fresh

openssl s_client -showcerts -verify 5 -connect registry-1.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker.crt

openssl s_client -showcerts -verify 5 -connect production.cloudflare.docker.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker-com.crt

sudo cp ~/docker-com.crt /usr/local/share/ca-certificates/.

sudo cp ~/docker.crt /usr/local/share/ca-certificates/


sudo update-ca-certificates
sudo service docker restart

answered Jun 15, 2022 at 3:35 by m0z4rt

For me I ended up doing this to get it to work:

sudo cp -p abc.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust
sudo update-ca-trust extract
sudo systemctl daemon-reload
sudo systemctl restart docker

answered Dec 8, 2020 at 20:46 by andrewps

For anyone who is using CentOS 7, this is what worked for me:

  • Obtain the necessary certificate (e.g. from your company)
  • Copy the certificate to the ca-trust location:

    sudo cp -p abc.crt /etc/pki/ca-trust/source

  • Update the certificate:

    sudo update-ca-trust extract

  • Reload the daemon and restart docker:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

answered Aug 26, 2020 at 12:31 by Minh Nguyen

Didn’t see this mentioned in any of the answers. Here is the official Docker documentation for setting up certs for each specific domain; it goes along with the most accepted answer: https://docs.docker.com/engine/security/certificates/

Path for:

  • Linux: /etc/docker/certs.d/[domain of relevant cert]/[cert].crt
  • Windows: C:/ProgramData/Docker/certs.d/[domain of relevant cert]/[cert].crt

If you are using WSL or WSL2 you will place the cert in the Windows location.

A key problem that I encountered was that the extension of the cert is important to docker. I was not able to resolve the issue with a .cer SSL cert but was with .crt.

answered Dec 2, 2021 at 15:39 by Seth

By default docker keeps a local certificate store; in CentOS: /etc/sysconfig/docker.
In organizations, the servers usually come preinstalled with their own root cert.
So if you use a cert issued by the organization, docker will not be able to find the organization’s root cert when it refers to its local store.
So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete its local certificate store (CentOS: /etc/docker/certs.d).
Restarting the docker service after you make the change will resolve this issue.

answered Jun 25, 2020 at 1:14 by Godson Raju

In my case I had the same problem inside a KIND container. Curl didn’t work there.

curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
    

and the update-ca-certificate command didn’t work for me.
I had to append the CA certificate to the /etc/ssl/certs/ca-certificates.crt file:

cat /ca_cert.pem >>  /etc/ssl/certs/ca-certificates.crt

And then curl worked properly.

answered Jan 5, 2021 at 15:17 by Alex

Update the CA without restarting docker, and use the root CA cert; replace registry.clickpaas.tech with your domain:

sudo yum -y update ca-certificates;
sudo mkdir -p /etc/docker/certs.d/registry.clickpaas.tech/;
sudo cp /etc/ssl/certs/ca-bundle.crt /etc/docker/certs.d/registry.clickpaas.tech/;

answered Oct 9, 2021 at 4:15 by tingfeng liu

In Windows you can just follow these instructions (much easier than the other approaches I found):

Open Windows Explorer, right-click the certificate, and choose Install
certificate.

Then, select the following options:

  • Store location: local machine
  • Check "Place all certificates in the following store"
  • Click Browse, and select Trusted Root Certificate Authorities
  • Click Finish

After adding the CA certificate to Windows, restart Docker Desktop
for Windows.

Also it’s important to choose the correct options!

I found these instructions here:
https://docs.docker.com/registry/insecure/#windows

answered Nov 13, 2022 at 13:27 by AK20001701

This is not resolved in my case:
I want to use a self-signed certificate for a Nexus OSS repository, but I am getting this error: Error response from daemon: Get https://<mydomain.com>:10250/v1/users/: x509: certificate signed by unknown authority

I have placed the .crt file in /etc/docker/certs.d as well as /usr/share/ca-certificates on my Ubuntu 16.04 on Intel machine. I then ran update-ca-certificates and restarted docker. This is my cert file nexus.cert:

$ openssl x509 -in nexus.crt -text

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Validity
            Not Before: Jul 17 20:28:26 2017 GMT
            Not After : Jul 17 20:28:26 2018 GMT
        Subject: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b8:2c:97:c2:e4:bf:7a:e1:49:22:9b:a2:90:7a:
                    3a:de:3d:d3:f5:e9:c9:8b:9b:c8:13:37:4b:36:32:
                    4f:a7:0d:b9:53:4c:f4:10:fa:e7:d2:64:a5:e9:0a:
                    32:49:c3:aa:f8:2c:27:82:94:85:c3:11:07:a7:d0:
                    6c:0a:4a:45:66:94:cb:d3:27:28:cd:58:43:5b:f9:
                    e1:66:97:52:81:be:03:53:d5:e1:84:0c:4f:89:fd:
                    78:6d:8f:88:cf:29:af:6d:14:2e:2e:dc:d4:f3:87:
                    1c:73:5e:35:cb:d2:95:58:20:55:c0:f5:89:e1:40:
                    64:16:cd:25:a8:bd:6b:6a:9c:21:b0:97:d2:67:63:
                    5c:3c:4a:2c:21:1a:72:3a:68:c6:a0:e2:ea:4d:f8:
                    db:bd:02:81:93:db:60:51:ad:6e:bf:d7:7d:45:43:
                    95:e1:a5:d7:de:36:76:7c:a4:d7:4a:7f:b2:b1:98:
                    75:7d:27:2c:1d:ad:03:1b:5f:8a:ac:12:5e:76:9c:
                    2a:f7:03:b0:51:6c:23:a4:df:08:1f:02:0c:42:b6:
                    ff:7f:33:16:b0:86:fc:92:e7:db:7a:3b:a2:70:30:
                    f4:79:fa:f1:0f:75:0f:32:69:79:97:73:f4:de:11:
                    3e:bf:f8:63:49:21:dc:02:c6:ef:de:91:74:03:6d:
                    21:56:2e:c6:04:d1:02:30:73:6e:52:c7:93:07:6c:
                    f9:98:ff:1c:cc:dd:da:c7:45:2e:7b:ab:04:33:fe:
                    39:6c:5d:d5:dd:46:ae:25:d6:fd:9d:01:ae:8a:e8:
                    14:18:cc:6e:64:e4:11:8a:ce:3d:30:56:6d:0c:a7:
                    83:90:6c:f5:14:36:16:39:cc:10:7a:db:35:f6:9c:
                    68:da:84:f6:9c:07:d0:3e:b7:52:54:03:75:9a:ae:
                    eb:79:b5:5f:cb:10:cf:25:08:ae:f7:b3:13:79:f4:
                    4a:98:72:08:e3:23:e2:22:a1:31:47:41:ec:a4:76:
                    42:db:1c:46:31:3c:a2:14:14:94:bf:4f:1e:1f:85:
                    a0:9c:4c:3d:af:92:7a:90:d1:ad:23:f0:ea:3e:7d:
                    b4:21:79:f9:82:3a:16:04:42:60:b8:5d:15:1c:48:
                    9b:1e:b5:9b:0d:1f:aa:56:aa:a2:1a:a5:6f:ef:ab:
                    2a:22:6d:05:19:c0:2b:dc:46:c4:c2:4a:f8:89:25:
                    fc:dc:e6:ab:7b:8a:76:de:47:a3:e2:00:0e:d7:e8:
                    bd:86:86:d3:8d:6b:56:63:bf:40:1e:31:d7:74:fe:
                    63:fc:7e:e2:9f:21:31:1d:39:2a:44:a5:56:fd:dd:
                    66:5e:c2:4f:94:c7:ee:26:89:1a:d1:6b:13:00:f6:
                    4f:72:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         25:26:77:55:50:0a:66:39:5f:79:c7:5e:af:5f:54:e2:92:6f:
         62:e5:90:3a:0f:de:9b:7a:02:df:66:47:c5:71:61:91:c4:74:
         ba:0e:55:34:47:0b:72:c5:f5:27:5d:d0:d6:06:a9:f7:5c:d5:
         41:30:4c:0f:0b:3a:3c:64:13:a0:28:9b:10:92:0e:c8:eb:e8:
         0f:00:ba:54:9d:d4:7a:8c:cd:f7:91:a9:55:69:0f:9b:12:77:
         e9:f2:28:c8:cb:07:d4:ab:a4:eb:b2:3d:ae:b4:6d:7a:15:85:
         cb:07:f6:e3:6b:58:1c:26:0a:ad:d5:e6:7c:b7:e7:19:6c:d1:
         31:80:5e:cb:17:85:88:a2:6c:fc:fe:3c:28:1f:f9:87:a6:0f:
         f6:85:d2:c0:76:25:fb:52:2f:8a:99:0c:88:4e:bd:84:6b:da:
         81:b4:41:f1:bf:1c:e7:7d:93:a5:e2:d7:66:8a:63:bf:9c:c4:
         ad:ea:cb:c4:c6:7d:1f:95:35:87:60:8b:e8:23:e8:4e:36:43:
         5e:86:de:c4:35:e0:29:7a:93:90:a4:9b:c3:d1:8e:13:55:9f:
         ea:ab:52:0a:a8:a0:54:cf:f4:5e:ff:12:40:09:43:3c:e7:55:
         e7:c1:de:62:ce:21:39:f5:d3:51:7a:92:f2:b2:3c:75:8c:1f:
         bd:aa:13:63
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

December 5th at 6:37am


While setting up a new private docker image registry with certificates signed by an internal certificate authority this week we ran into an issue getting our docker nodes to communicate:

Error response from daemon: Get https://private.registry.tld/v2/: x509: certificate signed by unknown authority

Following the guidance on self-signed certificates from Docker did not directly address the issue.

References

  • Use Self Signed Certificates [docs.docker.com]
  • Support for intermediate certificates [github.com/docker]
  • Include configuration explanation for intermediate TLS certificates [github.com/docker]
  • Error response from daemon: Missing certificate domain.cert for key domain.key [github.com/docker]
  • Documentation on setting up certificates in docker engine should not have been removed [github.com/moby]

Error Messages

  • Error response from daemon: missing key ca.key for client certificate ca.cert. Note that CA certificates should use the extension .crt
  • Error response from daemon: Get https://private.registry.tld/v2/: x509: certificate signed by unknown authority

While investigating these errors we discovered a few things about pinning certificates to custom private image registries in Docker:

  • How you name your ca certificate matters:
    • ca.crt should be the CA certificate (and intermediate root certificates concatenated as well, if any)
    • client.cert and client.key should be used for client certificate based authentication
    • If you name your CA certificate something else it may not work

Solution

In our case we found that while we used the correct root certificate, we were not given the correct intermediate root certificates. Once we had those and concatenated them together (with the Root CA as the first cert, intermediates following as chained) and named the resulting file ca.crt the problem went away.

For reference, to get a custom root certificate to be recognized by docker you must create a folder with the name of your registry (whether it be by IP address or DNS Name) and place the certificate beneath it like so:

/etc/docker/certs.d/name.or.ip.of.registry/ca.crt

** This needs to be done on every docker host that needs to connect to the registry.

With more recent versions of docker you DO NOT have to restart the docker daemon for the changes to take effect (tested on the 18.09 docker release).
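The naming rules and the intermediate-certificate finding above, as an added Go example (Docker is written in Go) that is not the post's or Docker's own code: `loadCertsDir` is a simplified model of the rules just described, not Docker's implementation; the host private.registry.tld is the post's placeholder, and the CA names and certificates are constructed in memory. It reproduces the three outcomes the post reports: a ca.crt holding only the root fails with "certificate signed by unknown authority", root plus intermediate concatenated into ca.crt verifies, and a file named ca.cert is rejected as a client certificate without a key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// loadCertsDir models the naming rules described above for one /etc/docker/certs.d/<host:port>/
// directory (illustration, not Docker's code): every *.crt is a CA certificate for the pool,
// while a *.cert is a client certificate that must have a sibling *.key.
func loadCertsDir(dir string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		switch name := e.Name(); {
		case strings.HasSuffix(name, ".crt"):
			data, err := os.ReadFile(filepath.Join(dir, name))
			if err != nil || !pool.AppendCertsFromPEM(data) {
				return nil, fmt.Errorf("%s: not a readable PEM certificate file (%v)", name, err)
			}
		case strings.HasSuffix(name, ".cert"):
			keyName := strings.TrimSuffix(name, ".cert") + ".key"
			if _, err := os.Stat(filepath.Join(dir, keyName)); err != nil {
				return nil, fmt.Errorf("missing key %s for client certificate %s; CA certificates should use the extension .crt", keyName, name)
			}
		}
	}
	return pool, nil
}

// mkCert builds a constructed test certificate in memory: self-signed when parent is nil, else issued by parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyAgainstDir is the check behind "x509: certificate signed by unknown authority": the
// registry's leaf is verified for host against the CAs in dir; intermediates (may be nil)
// stands for any further certificates the registry itself presented in the handshake.
func verifyAgainstDir(dir, host string, leaf *x509.Certificate, intermediates *x509.CertPool) error {
	pool, err := loadCertsDir(dir)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool, Intermediates: intermediates})
	return err
}

// Scenario reproduces the post's finding for the placeholder host private.registry.tld
// and returns the outcome of each of the three configurations.
func Scenario() (rootOnlyErr, fullChainErr, namingErr error) {
	root, rootKey, rootPEM := mkCert("root-ca.example.internal", true, nil, nil)
	inter, interKey, interPEM := mkCert("issuing-ca.example.internal", true, root, rootKey)
	leaf, _, _ := mkCert("private.registry.tld", false, inter, interKey)
	dir, _ := os.MkdirTemp("", "certs.d-")
	defer os.RemoveAll(dir)
	// 1. ca.crt holds only the root and the registry sends only its leaf (nil intermediates): no chain closes.
	os.WriteFile(filepath.Join(dir, "ca.crt"), rootPEM, 0o644)
	rootOnlyErr = verifyAgainstDir(dir, "private.registry.tld", leaf, nil)
	// 2. Root first, then the intermediate concatenated into the same ca.crt: the chain closes.
	os.WriteFile(filepath.Join(dir, "ca.crt"), append(append([]byte{}, rootPEM...), interPEM...), 0o644)
	fullChainErr = verifyAgainstDir(dir, "private.registry.tld", leaf, nil)
	// 3. The same root saved as ca.cert: read as a client certificate and rejected for lack of ca.key.
	os.WriteFile(filepath.Join(dir, "ca.cert"), rootPEM, 0o644)
	_, namingErr = loadCertsDir(dir)
	return rootOnlyErr, fullChainErr, namingErr
}

func main() {
	fmt.Println(Scenario())
}
```

`go run` prints the three outcomes (an unknown-authority error, `<nil>`, and the missing-key error). Supplying the registry's intermediate through the `intermediates` pool instead of appending it to ca.crt also closes the chain, which is the other fix available when the registry can be configured to serve its full chain. Go's crypto/x509 loads the system trust store once per process, so a daemon only sees CAs added to the OS store after a restart, whereas a per-registry certs.d change takes effect without one on recent daemons, as the post notes.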
