
Docker Private Registry: x509: certificate signed by unknown authority

I am attempting to set up a private docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I'm getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/ : x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/ : x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply 'ca.crt', which the debug log again shows it seeing, but it didn't have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl, either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don't need --cacert with curl, although I'm confused because I've since removed the certificate but curl still works.)

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now 'docker.squadwars.org'.

I got it working by creating my own certificate authority first as outlined here:

How to create a self-signed certificate with openssl?

And here:

How do you sign Certificate Signing Request with your Certification Authority?

I'd like to be able to give a better answer but I was following the instructions here:

https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

And it wasn't working for me. Except for the part about signing the client key. That worked.

I could solve this error in two different ways:

a) Add the OS DTR Certificate to your TLS Store (recommended).
b) Allow the insecure registry in docker. When using it with Ubuntu, just add a file named /etc/docker/daemon.json with content:

{
  "insecure-registries" : ["docker.squadwars.org"]
}

In my case none of the suggested ways here worked.
Eventually I found out that I had a security client installed that acted like a "man in the middle" and re-signed all traffic with its own certificates.
In order to solve it I had to download its certificate and install it inside the container:

Docker go image - cannot go get - x509: certificate signed by unknown authority
