"docker pull" certificate signed by unknown authority
I was trying to pull a docker image from a docker registry but hit the following issue:

$ docker pull <docker registry>/<image name>/<tag> 
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority

I tried with "curl" and get a similar error message:

 curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.

So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:

cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust

After the root cert is imported, I can see curl is working fine as it won't complain about the cert error; however, if I use docker pull I still have the same issue. Is docker using a different ca-cert location than curl? How do I fix the issue with docker pull in this situation?

Irisation answered 8/6, 2018 at 20:57 Comment(2)
The answer here didn't resolve my issue, the official docs had the answer for me - docs.docker.com/registry/insecure. For me the certificate paths and update command are different for Red Hat and Ubuntu. - Shier
In my case, I was in a vbox with linux. First attempt got me this error. But in a second attempt the error disappeared. - Matriculate

After updating OS certificates, you typically need to restart the docker service to get it to detect that change. This is usually done with:

sudo systemctl restart docker

or for non-systemd environments:

sudo service docker restart

Docker does have an additional location you can use to trust an individual registry server's CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

or for snap based installs:

/var/snap/docker/~current/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

or in Windows 10:

C:\ProgramData\docker\certs.d\ca.crt

If you don't already have the certificate, you can extract it using openssl. Note that this implicitly trusts whatever the registry currently says their certificate is, exposing you to MitM attacks. This can be useful as a TOFU (trust on first use) if you are not in an ephemeral environment:

openssl s_client -showcerts -connect my-registry.example.com:5000 < /dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Revetment answered 8/6, 2018 at 21:8 Comment(3)
Thanks! service docker restart fixed the issue after my change! The other note is useful as I can trust specific docker registries without affecting other applications. - Irisation
After doing the steps above I got rid of x509: certificate signed by unknown authority but then I got 401 Unauthorized errors. To solve it I needed to docker login <docker registry> - Fontanel
We installed Docker in Ubuntu as a snap, therefore to restart the service we ran the command service snap.docker.dockerd restart - Rhodonite
  • first create an empty json file

    cat << EOF > /etc/docker/daemon.json
    { }
    EOF
    
  • then run the following to add certs

    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt
    

works without restart

OR

import the cert to system like

  • save the cert to a file, like the command above (the port is crucial, no need for the protocol)

    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
    
  • copy it to /usr/local/share/ca-certificates/

    sudo cp ca.crt /usr/local/share/ca-certificates/
    
  • run update-ca-certificates

    sudo update-ca-certificates
    
  • restart docker!

Ordnance answered 20/3, 2019 at 12:8 Comment(6)
XXX: Creating an empty /etc/docker/daemon.json and restarting docker with systemctl restart docker caused my docker daemon to die. I had to remove the created file to be able to run it again. - Ecosphere
In my case I had to also include {"insecure-registries":["<registry_address>:<registry_port>"]} in /etc/docker/daemon.json to make it work. - Dinnage
Thanks, it worked like a charm, but I needed to do the copy with sudo - Brooklet
Note: if you are using snap then the correct path is: /var/snap/docker/~current/etc/docker/certs.d - Stanwood
Instead of an empty /etc/docker/daemon.json create a valid empty JSON file /etc/docker/daemon.json. A valid empty json daemon.json file contains only curly brackets with a space between the brackets!!! --> { } - Ingrown
Note: when putting the cert into /usr/local/share/ca-certificates it must end with .crt - Talent
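Both answers above capture the chain with openssl s_client piped into sed and drop it straight into certs.d, which is exactly the trust-on-first-use exposure the first answer warns about. As an added example that is not from this thread, the Python helper below does the same PEM extraction but refuses to write ca.crt unless the CA's SHA-256 fingerprint matches a value obtained out of band (the same digest `openssl x509 -fingerprint -sha256` prints); the registry name, the certs.d base path and the s_client transcript (placeholder PEM blocks, not real certificates) are constructed.

```python
import base64
import hashlib
import os
import re

# Constructed stand-in for `openssl s_client -showcerts -connect my-registry.example.com:5000`
# output: two placeholder PEM blocks (leaf first, then its issuer), not real certificates.
CONSTRUCTED_TRANSCRIPT = """CONNECTED(00000003)
Certificate chain
 0 s:CN = my-registry.example.com
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
 1 s:CN = Example Corp Issuing CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_chain(transcript: str) -> list[str]:
    """Same selection as `sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'`,
    but one string per certificate, in the order the server sent them (leaf first)."""
    return [f"-----BEGIN CERTIFICATE-----\n{b.strip()}\n-----END CERTIFICATE-----\n"
            for b in PEM_BLOCK.findall(transcript)]


def sha256_fingerprint(pem: str) -> str:
    """What `openssl x509 -noout -fingerprint -sha256` prints: SHA-256 over the DER bytes."""
    der = base64.b64decode("".join(PEM_BLOCK.search(pem).group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def install_pinned_ca(transcript: str, registry: str, expected_fp: str,
                      base: str = "/etc/docker/certs.d") -> str:
    """Write the top of the presented chain to <base>/<host[:port]>/ca.crt, but only if
    its fingerprint matches a value obtained out of band (not from this connection)."""
    chain = split_chain(transcript)
    if not chain:
        raise ValueError("no certificate in s_client output")
    ca = chain[-1]  # last cert sent: the issuer, or the root if the server includes it
    actual = sha256_fingerprint(ca)
    if actual != expected_fp.upper():
        raise ValueError(f"CA fingerprint mismatch: {actual}")  # refuse blind trust-on-first-use
    # `registry` must be the exact host[:port] from the image reference (port included).
    path = os.path.join(base, registry, "ca.crt")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(ca)
    return path
```

Run it against a real transcript by replacing CONSTRUCTED_TRANSCRIPT with the captured s_client output and the expected fingerprint with the one your CA operator publishes; the docker daemon still needs a restart afterwards if you installed the cert in the system store rather than certs.d.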

Here is a quick solution:

  • Edit or create the file /etc/docker/daemon.json and add insecure-registries:

example for docker.squadwars.org:

{
    "insecure-registries" : ["docker.squadwars.org:443"]
}
  • Restart docker daemon
systemctl restart docker
  • Create a directory with the same name as the host.

example for docker.squadwars.org:

mkdir -p /etc/docker/certs.d/docker.squadwars.org
  • Get the certificate and save it to the created directory.
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt
Cathleencathlene answered 31/1, 2020 at 18:23 Comment(2)
Why do you need to install a cert if you instruct docker to be "insecure"? - Masonite
Do not do this, you open yourself up to man-in-the-middle attacks by allowing insecure registries. - Avery

For the MacOS Docker Desktop user:

Go to your repository's URL in a browser. You may have to accept all security prompts.

Click on the padlock 🔓 on the address bar, then click on "Connection is secure/Certificate is valid" (on Chrome) or "Show Certificate" (on Safari), and a certificate window popup will appear.

For Chrome users, click on tab "Details" and button "Export" at the bottom to export the certificate file.

For Safari users, click and hold down on the big paper icon of the certificate and drag it to a folder of your preference, or the desktop.

Open your terminal (make sure to replace the last argument with the location of your file):

security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ~/<<<somefolder>>>/<<<yourserver.cer>>>

Restart your docker engine.

Keim answered 16/11, 2020 at 3:18 Comment(1)
Also for docker desktop on MacOS you can put a certificate into ~/.docker/certs.d/<REGISTRY_NAME>:<PORT>/. More info - docs.docker.com/desktop/faqs/macfaqs/… - Lacework

For Ubuntu 20:

$ sudo update-ca-certificates --fresh
$ openssl s_client -showcerts -verify 5 -connect registry-1.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker.crt
$ openssl s_client -showcerts -verify 5 -connect production.cloudflare.docker.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker-com.crt
$ sudo cp ~/docker-com.crt /usr/local/share/ca-certificates/.
$ sudo cp ~/docker.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
$ sudo service docker restart
Occasionalism answered 15/6, 2022 at 3:35 Comment(2)
I'd just add that certificates must have the .crt extension - Gerigerianna
This did it for me! In the example there are 2 docker images, dunno why this was necessary in the example, but it worked. My problem was that we use a private repoman behind a corporate firewall, there was no simple "go there click export" or stuff. - Radiobroadcast

For my case, the error was on the "docker login" command.

The solution I found for my ubuntu:

I downloaded the crt file via firefox (lock icon in the URL address bar) and saved it as ~/mydomain:1234.crt

After that:

cp ~/mydomain:1234.crt /usr/local/share/ca-certificates/
update-ca-certificates
service docker restart
Kyrakyriako answered 16/6, 2020 at 8:42 Comment(3)
Is it on the client or the server? - Stodder
This worked for me too. Ubuntu 22.04 - Incitement
"update-ca-certificates" and "service docker restart" worked for me. - Noncombatant

For anyone who is using CentOS 7, this is what worked for me:

  • Obtain necessary certificate (e.g. from your company)
  • Copy the certificate to ca-trust location:
sudo cp -p abc.crt /etc/pki/ca-trust/source
  • Update the certificate:
sudo update-ca-trust extract
  • Reload daemon and restart docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Moores answered 26/8, 2020 at 12:31 Comment(0)

For me I ended up doing this to get it to work:

sudo cp -p abc.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust
sudo update-ca-trust extract
sudo systemctl daemon-reload
sudo systemctl restart docker
Juvenilia answered 8/12, 2020 at 20:46 Comment(0)

Didn't see this mentioned in any of the answers. Here is the official docker documentation for setting up certs for each specific domain. This goes along with the most accepted answer. https://docs.docker.com/engine/security/certificates/

Path for:

  • Linux: /etc/docker/certs.d/[domain of relevant cert]/[cert].crt
  • Windows: C:/ProgramData/Docker/certs.d/[domain of relevant cert]/[cert].crt


If you are using WSL or WSL2 you will place the cert in the Windows location.

A key problem that I encountered was that the extension of the cert is important to docker. I was not able to resolve the issue with a .cer ssl cert but was with .crt.

Cristinecristiona answered 2/12, 2021 at 15:39 Comment(0)

In my case I had the same problem inside a KIND container. Curl didn't work there.

curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
    

and the update-ca-certificate command didn't work for me. I had to append the CA certificate to the /etc/ssl/certs/ca-certificates.crt file:

cat /ca_cert.pem >>  /etc/ssl/certs/ca-certificates.crt

And then curl worked properly.

Deprecative answered 5/1, 2021 at 15:17 Comment(0)

In Windows you can just follow these instructions (much easier than other approaches I found):

Open Windows Explorer, right-click the certificate, and choose Install certificate.

Then, select the following options:

  • Store location: local machine
  • Check place all certificates in the following store
  • Click Browse, and select Trusted Root Certificate Authorities
  • Click Finish

After adding the CA certificate to Windows, restart Docker Desktop for Windows.

Also it's important to choose correct options!

Here I found this instruction: https://docs.docker.com/registry/insecure/#windows

Sacral answered 13/11, 2022 at 13:27 Comment(0)

By default docker keeps a local Certificate store, in Centos: /etc/sysconfig/docker. In organizations, the servers usually come preinstalled with their own Root Cert. So if you use a cert issued by the organization, docker will not be able to find the organization's Root Cert when it refers to its local store. So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete its local Certificate store (Centos: /etc/docker/certs.d). Restarting the docker service after you make the change will resolve this issue.

Handshake answered 25/6, 2020 at 1:14 Comment(1)
Where will it be on an M1 mac? - Ladawnladd

Update the CA without restarting docker, and use the root ca.cert; replace registry.clickpaas.tech with your domain:

sudo yum -y update ca-certificates;
sudo mkdir -p /etc/docker/certs.d/registry.clickpaas.tech/;
sudo cp /etc/ssl/certs/ca-bundle.crt /etc/docker/certs.d/registry.clickpaas.tech/;
Teleost answered 9/10, 2021 at 4:15 Comment(0)

Add --tls-verify=false to the command, like podman build --tls-verify=false ...

Violaviolable answered 18/8, 2023 at 4:46 Comment(2)
Thank you for your interest in contributing to the Stack Overflow community. This question already has quite a few answers—including one that has been extensively validated by the community. Are you certain your approach hasn't been given previously? If so, it would be useful to explain how your approach is different, under what circumstances your approach might be preferred, and/or why you think the previous answers aren't sufficient. Can you kindly edit your answer to offer an explanation? - Julenejulep
@JeremyCaney are you sure this comment is helpful? Because his answer is helpful. - Primogenitor

I'm running Rancher Desktop. I had to "Quit Rancher Desktop" and then restart it. This fixed my issue.

Thinnish answered 2/2 at 10:34 Comment(0)