Description of problem:

I'm trying to pull ubuntu from the public registry with this command :

docker pull ubuntu

And then i got this results (the previous command was working yesterday) :

"Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate has expired or is not yet valid"

docker version :

Client:
Version: 1.10.0
API version: 1.22
Go version: go1.5.3
Git commit: 590d510
Built: Thu Feb 4 18:36:33 2016
OS/Arch: linux/amd64

Server:
Version: 1.10.0
API version: 1.22
Go version: go1.5.3
Git commit: 590d510
Built: Thu Feb 4 18:36:33 2016
OS/Arch: linux/amd64

docker info :

Containers: 4
Running: 0
Paused: 0
Stopped: 4
Images: 20
Server Version: 1.10.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 44
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
Volume: local
Network: bridge null host
Kernel Version: 3.19.0-49-generic
Operating System: Ubuntu 14.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 5.815 GiB
Name: ubuntu
ID: Y6OO:23T2:BAPU:DVQJ:HJCJ:USEP:T6EU:PMG4:O4M6:46C7:JKPC:BQHT
WARNING: No swap limit support

uname -a :

Linux ubuntu 3.19.0-49-generic #55~14.04.1-Ubuntu SMP Fri Jan 22 11:24:31 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I verify my "date" and everything is good. I don't know where this issue can come from.

this one did it for me docker-machine regenerate-certs --client-certs

This can also apparently happen with time drift, which is a problem with Docker Desktop for Windows. The clock on the Linux VM that s running the Docker daemon does not, by default, sync time with your main Windows host. If, like me, you work on a laptop, and your laptop is asleep for long periods of time without you rebooting or otherwise restarting Docker, it would seem your Linux VM's clock can drift enough that you can get this error. Restarting Docker clears it up, however.

I recognize the OP is probably no longer in need of an answer and it was not necessarily the OPs issue (no indication if they were using Windows), but since I got here through my own research into this problem, I figured I'd add the answer.

if this happened with Docker on Windows

Just Restart Docker Desktop

I got this error, it was related to system date/time settings. (I realize the OP stated his date was OK, just adding this comment for other people who might arrive at this page where this is the issue - like I did!!)

Had an issue when I booted up my machine and the time/date settings were incorrect. Later, after my machine had the correct date/time settings, I tried to pull an image from docker and got the above error.

I restarted the docker daemon running locally, so it picked up the new date/time and can now pull successfully again.

You can either use --insecure-registry option while starting docker deamon or need to provide valid certificate path. Look here for details.

In my case I have decided to change the date and time of the server to the current date.

In a dev environment you could avoid this error modify the file daemon.json alocate at /etc/docker/daemon.json add a insecure registry at the list and restart the docker engine

{
  "insecure-registries" : [ "myinsecureregistry.com:443", "myinsecureregistry.com", "x.x.x.x:5000" ]
}

Ref: daemon configuration

This happened also to me:

• while trying to login to an Artifactory.
• when my local docker daemon has been running for a couple weeks.

I simply restarted my local docker daemon, and could login to the Artifactory with no error message.

I had the similar issue on centos vagrant vm machine. When I were pulling any docker image, the bellow error were poping up

   error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/4b/4bb46517cac397bdb0bab6eba09b0e1f8e90ddd17cf99662997c3253531136f8/data?verify=1597376104-j8KSa2vKDeIZNFuPq0EP9cb3sqc%3D: x509: certificate has expired or is not yet valid

The problem was the centos vagrant vm machine date and timezone were different from my host machine. After updating my vm machine to the same date and timezone with my host, the issue were fixed.

   #check the timezone
   $timedatectl
   #update timezone
   $timedatectl set-timezone America/Toronto
   #update date
   date --set="Fri August 14 3:08:10 EDT 2020"

In my case I was attempting to create a container in QNAP using Container Station, an SSL certificate error occurred while pulling a Docker image. The error message was something like this:

Background task error for create:Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/19/.... error pulling image configuration: x509: certificate has expired or is not yet valid

This indicated that the SSL certificate used for secure communication with the Docker registry had expired or was not valid, whatever the reason I updated the installed certificates in my system. For Debian users update-ca-certificates could solve the problem, not my case that I'm using a more custom system as QNAP, so I had to update it manually. So I did this:

1. Download the SSL Certificate: The openssl command was used to extract and save the SSL certificate from the complaining domain, in my case was production.cloudflare.docker.com:

echo | openssl s_client -servername production.cloudflare.docker.com -connect production.cloudflare.docker.com:443 2>/dev/null | openssl x509 -text > my_certificate.crt

2. Add the Certificate to the Appropriate File: The certificate file was saved as my_certificate.crt. It was appended to the main certificate file using the following command:

cat my_certificate.crt >> /share/CACHEDEV1_DATA/.qpkg/container-station/etc/ssl/certs/ca-certificates.crt

Just to note there is a symbolik link in /etc/ssl/certs/ca-certificates.crt to /share/CACHEDEV1_DATA/.qpkg/container-station/etc/ssl/certs/ca-certificates.crt. Maybe you want to backup this file.

3. Restart the Affected Services: Container Station was restarted to apply the changes. This can be done through the QNAP GUI or via command line:

   /etc/init.d/container-station.sh restart

For anyone using Podman, a system reboot helped. Maybe restarting the podman machine could help as well.

Had the same issue with my private docker registry on a QNAP server.

Apparently there is a bug with Container Station 3 as it does not renew the server certificates when you click on 'Renew' from Container station.

SSH into your NAS, clear all .pem files from /etc/docker/tls, then restart Container Station with

/share/CACHEDEV1_DATA/.qpkg/container-station/container-station.sh restart

Copy the newly generated ca.pem, cert.pem and key.pem files from etc/docker/tls to your ~/.docker folder and it should be working again.

If you are using private registry on multi-node docker/kubernetes environment you need to do following on all of your nodes.

openssl req -x509 -out yourdomain.com.crt -keyout yourdomain.com.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=yourdomain.com' -extensions EXT -config <( \
printf "[dn]\nCN=yourdomain.com\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:yourdomain.com\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

do this on all nodes

docker stop registry

mkdir -p /etc/certs/

cp -r yourdomain.com.key yourdomain.com.crt /etc/certs/

mkdir -p /etc/docker/certs.d/yourdomain.com:5000/

cp -r /etc/certs/yourdomain.com.crt /etc/docker/certs.d/yourdomain.com:5000/ca.crt

docker start registry

OR

docker run -d -p 5000:5000 --restart=always --name registry -v /etc/certs:/etc/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/certs/yourdomain.com.crt -e REGISTRY_HTTP_TLS_KEY=/etc/certs/yourdomain.com.key registry

Check if your docker registry is running or not. if no registry is runnign try docker run -d -p 5000:5000 --name registry registry:2

If the other recommendations don't get you anywhere, make sure that you aren't using a reverse proxy (like Apache) AND Jetty.

If you are using both, its quite likely there is a *.jks that has not been updated with the most up to date certificate.

Whenever you face below problem please set your date and time correct:

"Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate has expired or is not yet valid"

use below command for linux system to set the date and time

sudo date --set='Mon Jan 13 14:50:44 IST 2020' "Note"=> if you are from different time zone please set as CST,EST,EDT etc.

On Windows, with WSL2 backend? You can open a new WSL2 command prompt and use:

sudo hwclock -s

I had a similar issue in Centos7.

Error:

-bash-4.2$ docker pull docker.elastic.co/elasticsearch/elasticsearch:7.10.1
Error response from daemon: Get https://docker.elastic.co/v2/: x509: certificate has expired or is not yet valid

Solution:

As suggested by others, checked the date of the system, it was ok. Docker pulled all the other repos - all were working as well.

The below steps resolved the issue:

1. Reset the list of trusted CA certificates by following the steps listed here.
2. Restart the docker using sudo systemctl docker restart.

Docker pull should be working as expected.

-bash-4.2$ docker pull docker.elastic.co/elasticsearch/elasticsearch:7.10.2
7.10.2: Pulling from elasticsearch/elasticsearch

in my case i had to add

registry_nginx['ssl_certificate'] = "/path/to/certificate.pem"
registry_nginx['ssl_certificate_key'] = "/path/to/certificate.key"

to my /etc/gitlab/gitlab.rb , because I was using certbot for ssl certification of my gitlab.example.com domain. I used the same fullchain.pem and privkey.pem for my registry and the error gone.

If this happened with Docker on Windows: Try to restart Windows, it will help to fix timezone issues.

Try update your operating system. Sometimes some cert chains are also updated with. It have solved in my case.

You need to check with network configuration.If you assign single network interface you will get this issue.In network setting check NIC's are enable both public and private.