[英]"docker pull" certificate signed by unknown authority
I was trying to pull a docker image from a docker registry but hit the following issue:我试图从 docker 注册表中提取 docker 图像,但遇到了以下问题:
$ docker pull <docker registry>/<image name>/<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority
I tried with "curl" and get a similar error message:我尝试使用“curl”并收到类似的错误消息:
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:所以我下载了CA证书并使用以下命令导入到服务器(RedHat Linux 7):
cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust
After the root cert is imported, I can see curl
is working fine as it won't complain the cert error, however if I use docker pull
I still have the same issue.导入根证书后,我可以看到
curl
工作正常,因为它不会抱怨证书错误,但是如果我使用docker pull
我仍然有同样的问题。 Is docker
using different ca-cert location than curl
? docker
是否使用与curl
不同的 ca-cert 位置? How do I fix the issue with docker pull
in this situation?在这种情况下,如何解决
docker pull
的问题?
You may need to restart the docker service to get it to detect the change in OS certificates.您可能需要重新启动 docker 服务以使其检测操作系统证书的更改。
Docker does have an additional location you can use to trust individual registry server CA. Docker 确实有一个额外的位置,您可以用来信任单个注册服务器 CA。 You can place the CA cert inside
/etc/docker/certs.d/<docker registry>/ca.crt
.您可以将 CA 证书放在
/etc/docker/certs.d/<docker registry>/ca.crt
。 Include the port number if you specify that in the image tag, eg in Linux.如果您在映像标签中指定端口号,请包括端口号,例如在 Linux 中。
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
or in Windows 10:或在 Windows 10 中:
C:\ProgramData\docker\certs.d\ca.crt
first create a file - /etc/docker/daemon.json
首先创建一个文件 -
/etc/docker/daemon.json
than run the following to add certs比运行以下命令添加证书
openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt
works without restart无需重启即可工作
OR或者
import the cert to system like将证书导入系统,如
save the cert to the file , like the command above (the port is crucial, no need for the protocol)将证书保存到文件中,就像上面的命令一样(端口很重要,不需要协议)
openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
copy it to /usr/local/share/ca-certificates/将其复制到 /usr/local/share/ca-certificates/
sudo cp ca.crt /usr/local/share/ca-certificates/
run update-ca-certificates运行 update-ca-certificates
sudo update-ca-certificates
restart docker !重启泊坞窗!
Here is a quick solution:这是一个快速的解决方案:
example for docker.squadwars.org: docker.squadwars.org 的示例:
{
"insecure-registries" : ["docker.squadwars.org:443"]
}
systemctl restart docker
example for docker.squadwars.org: docker.squadwars.org 的示例:
mkdir -p /etc/docker/certs.d/docker.squadwars.org
ex +’/BEGIN CERTIFICATE/,/END CERTIFICATE/p’ <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt
Go to your repository's URL in a browser.在浏览器中转到存储库的 URL。 You may have to accept all security prompts.
您可能必须接受所有安全提示。
Click on the padlock 🔓on the address bar, then click on "Certificate" (on Chrome) or "Show Certificate" (on Safari).单击地址栏上的挂锁🔓,然后单击“证书”(在 Chrome 上)或“显示证书”(在 Safari 上)。
Click and hold down on the big paper icon of the certificate and drag it to a folder of your preference, or the desktop.单击并按住证书的大纸图标并将其拖动到您喜欢的文件夹或桌面。
Open your terminal (make sure to replace the last argument with the location of your file):打开您的终端(确保将最后一个参数替换为您文件的位置):
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ~/<<<somefolder>>>/<<<yourserver.cer>>>
Restart your docker engine.重启你的 docker 引擎。
For my case, the error was on "docker login" command.就我而言,错误出在“docker login”命令上。
The solution I found for my ubuntu:我为我的 ubuntu 找到的解决方案:
I downloaded the crt file via firefox (lock icon in the url adress bar) and save it : ~/mydomain:1234.crt我通过firefox下载了crt文件(url地址栏中的锁定图标)并保存:~/mydomain:1234.crt
After that :在那之后 :
cp ~/mydomain:1234.crt /usr/local/share/ca-certificates/
update-ca-certificates
service docker restart
for Ubuntu 20对于 Ubuntu 20
sudo update-ca-certificates --fresh
openssl s_client -showcerts -verify 5 -connect registry-1.docker.io:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker.crt
openssl s_client -showcerts -verify 5 -connect production.cloudflare.docker.com:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/docker-com.crt
sudo cp ~/docker-com.crt /usr/local/share/ca-certificates/.
sudo cp ~/docker.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo service docker restart
For anyone who is using CentOS 7, this is what worked for me:对于任何使用 CentOS 7 的人来说,这对我有用:
sudo cp -p abc.crt /etc/pki/ca-trust/source
sudo update-ca-trust extract
sudo systemctl daemon-reload
sudo systemctl restart docker
For me I ended up doing this to get it to work:对我来说,我最终这样做是为了让它工作:
sudo cp -p abc.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust
sudo update-ca-trust extract
sudo systemctl daemon-reload
sudo systemctl restart docker
By default docker keeps a local Certificate store, in Centos:/etc/sysconfig/docker.默认情况下,docker 在 Centos:/etc/sysconfig/docker 中保留一个本地证书存储。 In Organizations, the servers usually comes preinstalled with it's own Root Cert.
在组织中,服务器通常预装了自己的根证书。 So if you use cert issued by the organization, docker will not be able to find the organization's Root Cert.
所以如果使用组织颁发的证书,docker将无法找到组织的Root Cert。 when it refers to its local store.
当它指的是它的本地商店时。 So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete it's local Certificate store (Centos:/etc/docker/certs.d).
因此,您可以在 /etc/sysconfig/docker 中删除对其本地存储的引用,也可以删除它的本地证书存储 (Centos:/etc/docker/certs.d)。 Restarting docker service after you make the change will resolve this issue.
进行更改后重新启动 docker 服务将解决此问题。
In my case I had the same problem inside a KIND container.就我而言,我在KIND容器内遇到了同样的问题。 Curl didn't work there.
Curl 在那里不起作用。
curl https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
and the update-ca-certificate command didn't work for me.并且 update-ca-certificate 命令对我不起作用。 I had to append the CA certificate to the /etc/ssl/certs/ca-certificates.crt file:
我必须将 CA 证书附加到 /etc/ssl/certs/ca-certificates.crt 文件中:
cat /ca_cert.pem >> /etc/ssl/certs/ca-certificates.crt
And then curl worked properly.然后 curl 正常工作。
update ca without restart docker,and use root ca.cert, replace registry.clickpaas.tech with your domain:在不重启 docker 的情况下更新 ca,并使用 root ca.cert,将 registry.clickpaas.tech 替换为您的域:
sudo yum -y update ca-certificates;
sudo mkdir -p /etc/docker/certs.d/registry.clickpaas.tech/;
sudo cp /etc/ssl/certs/ca-bundle.crt /etc/docker/certs.d/registry.clickpaas.tech/;
Didn't see this mentioned in any of the answers.没有看到任何答案中提到的这一点。 Here is the official docker documentation for setting up certs for each specific domain.
这是为每个特定域设置证书的官方 docker 文档。 This goes along with the most accepted answer.
这与最被接受的答案一致。 https://docs.docker.com/engine/security/certificates/
https://docs.docker.com/engine/security/certificates/
Path for:路径:
If you are using WSL or WSL2 you will place the cert in the windows location.如果您使用 WSL 或 WSL2,您将把证书放在 windows 位置。
A key problem that I encountered was that the extension of the cert is important to docker.我遇到的一个关键问题是证书的扩展对 docker 很重要。 I was not able to resolve the issue with a .cer ssl cert but was with .crt.
我无法使用 .cer ssl 证书解决问题,但可以使用 .crt。
In Windows you can just follow instruction (much easier than other approaches which I found):在 Windows 中,您可以按照说明进行操作(比我发现的其他方法容易得多):
Open Windows Explorer, right-click the certificate, and choose Install certificate.
打开 Windows 资源管理器,右键单击证书,然后选择安装证书。
Then, select the following options:
然后,select以下选项:
- Store location: local machine
存储位置:本机
- Check place all certificates in the following store
检查将所有证书放在以下商店中
- Click Browser, and select Trusted Root Certificate Authorities
单击浏览器和 select 受信任的根证书颁发机构
- Click Finish
点击完成
After adding the CA certificate to Windows, restart Docker Desktop
Windows添加CA证书后,重启Docker桌面
for Windows.对于 Windows。
Also it's important to choose correct options!选择正确的选项也很重要!
Here I found this instruction: https://docs.docker.com/registry/insecure/#windows我在这里找到了这条指令: https://docs.docker.com/registry/insecure/#windows
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.