access private registry: x509: certificate signed by unknown authority #8849
Comments
@hustcat As of Docker 1.3.1, you can do I'm closing this now, but let us know in the comments if this did not solve your issue. |
I am leaving this here b/c it took me a few minutes to figure it out, and might save someone the time. The command would be:
Thanks for getting the switch put in place for 1.3! |
I am facing the same problem. The certificate validation works for the ping (and pushing/pulling), but not login. The |
I can't even get it to work by setting --insecure-registry. I am on docker 1.3.2 on RedHat 7.
[root@ip-10-2-20-209 ec2-user]# docker --insecure-registry=qa.docker.repo login https://qa.docker.repo
curl works fine when I use the generated ca.pem file.
curl --cacert /home/ec2-user/ca.pem -u qa:xxxxx https://qa.docker.repo/v1/users/ |
I'm having the same issue on docker version 1.3.2 and opensuse 13.1. I even tried to statically pass --cafile cacert.pem to every curl call (since I assumed docker internally just uses curl), however, this also did not help. Any help would be much appreciated. Thanks. |
Before I found this issue, I opened #10150. They appear to be the same issue. |
I seem to be having the same issue. Archlinux client 1.4.1 and the registry running from the official docker container. Anyone have any thoughts? |
If you've installed the cert globally (via ca-certificates) make sure you restart docker as it won't reload the global ssl certs. That said, mine still isn't working, but I ran into that at work :) |
Thank you grimmy, that did the trick on my end and it finally works. I did:
mario |
Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:
There is still a bug here, though. The docs say to install the CA cert in |
+1 for reopening this, as @rhasselbaum mentioned |
Has --insecure-registry gone away?
What should we use now? |
That goes in the docker config file; you can check if it's set by looking at
|
I got the same error for docker pull command and I think the following should work.
sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
sudo dpkg-reconfigure ca-certificates |
If your machine state is not important, you can run |
If you use LetsEncrypt and you don't want to run anything without proper TLS, make sure to provide the full chain of the certificate including intermediates (ie REGISTRY_HTTP_TLS_CERTIFICATE=.../fullchain.pem); you may see green in Chrome while still getting this error from Docker. Cheers! |
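An added example, not part of the comment above and not Docker's own code: the error in this issue's title is the message of `x509.UnknownAuthorityError` from Go's `crypto/x509`, and the sketch below reproduces it by verifying a leaf certificate against a trusted root when the server does not send the intermediate, then again with the full chain. The CA names, the host `registry.example.test` and all keys are constructed in memory for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn with parent's key (self-signed if parent is nil).
func issue(cn string, serial int64, parent *x509.Certificate, pk *ecdsa.PrivateKey, usage x509.KeyUsage, sans ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: sans,
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, KeyUsage: usage}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Demo verifies a constructed leaf for host with and without the intermediate certificate.
func Demo(host string) (leafOnly, fullChain error) {
	root, rk := issue("Constructed Root CA", 1, nil, nil, x509.KeyUsageCertSign)
	mid, mk := issue("Constructed Intermediate CA", 2, root, rk, x509.KeyUsageCertSign)
	leaf, _ := issue(host, 3, mid, mk, x509.KeyUsageDigitalSignature, host)
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root) // the client trusts only the root
	_, leafOnly = leaf.Verify(opts)
	opts.Intermediates.AddCert(mid) // now the server also presents the intermediate
	_, fullChain = leaf.Verify(opts)
	return leafOnly, fullChain
}

func main() { fmt.Println(Demo("registry.example.test")) }
```

A browser can still show the first case as valid when it has the intermediate from another source; a Go client such as Docker builds the chain only from what the server sends plus its trusted roots.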
On Ubuntu. If you experience error:
On the Docker registry the certificate had to be compiled with the subjectAltName as described here: Here is the code for convenience: Note, I was able to check the subject alternative name is present in the certificate using the following command: However, on Ubuntu 14 client (i.e. Docker Engine) For people using Ubuntu 14. in there, you need to specify the docker options: Then restart the daemon (add sudo if your user is not allowed to start a docker service): The value does not need to be a domain name, it simply has to match what your certificate is registered with; I have an IP address with a port and this works... (i.e. e.g. 100.100.100.100:100) All this took me a day, so, I am posting this hoping that it will be useful to other people... |
@JazzDeben Thanks for your remarks! Very useful! I am not sure how to do it with a Let's Encrypt certbot generated certificate.
Chrome complains about
|
@cjw296 For RHEL7.2, I edited the file,
Then I ran To be honest, I'm still a systemd noob and there are probably better ways to do this more cleanly. But I struggled with this for too long, and wanted to post a workaround. Thanks to @cdub50 for leading me in the right direction. |
@david-drinn For Fedora 25, I did something similar, but since the docker daemon config (in
|
If curl is working and docker not, you can: |
To those that run into this issue and you have self signed certificates and you do not want to use the "insecure-registry" directive then you need to load your self signed certificates into If your registry is hosted at https://exampleregistry.com you should have a directory called Hopefully this saves many of you guys a lot of debugging who are using ports to connect to your docker registry. |
This is not resolved in my case: I have placed the .crt file in /etc/docker/certs.d as well as /usr/share/ca-certificates on my ubuntu 16.04 on Intel machine. I ran then update-ca-certificates and restarted docker. this is my cert file nexus.cert:
|
@abdasgupta : can you "curl" your repo ? |
I didn't want to use that insecure-registries.. is it not possible to run without it?? moreover, certificate is same as repo's.. because I copied from there. |
I guess you can run without insecure-registries. Can you reach your repo with a “curl” command ?
Best regards.
|
@abdasgupta, I've noticed that I place a crt into |
Can you try following the instructions in https://docs.docker.com/v17.03/engine/security/certificates/ ? Docker 1.13 and up should also read certificates from the system defaults, otherwise;
After configuring the certificates, it may be needed to restart the daemon |
For anyone who struggles with Worked fine for me on Photon OS. |
I was struggling with this error until I figured I was naming the file |
I was having the same problem on Windows, until I looked at the docs, which suggests using my certificate authority in Windows Explorer ( |
in coreos, I had to edit |
Hint: If you reach your private repo through a proxy you can experience same error message, disable proxy or configure an exception (NO_PROXY perhaps) for the private registry host. |
I am running docker-registry as a Kubernetes POD on Rancher. I have configured a L7 Ingress and the SSL certificate is located there. When I access from Web browser I have no problem, SSL fine, and login credentials work fine. But if I run docker login command I get the x509: certificate signed by unknown authority, which I believe is trying to get the default ingress backend with the fake SSL Self-signed certificate. I am restarting docker on my computer to see if that helps. It used to work.... I made a small change on my ingress to support a new SSL cert for two hostname |
Hi Bro.. This issue same as with my problem. oc import-image nexus-coba:3.5 --from=192.168.250.250:8083/node-nexus --confirm --insecure |
Such a big thank you ! I was doing exactly what you were describing, pulling my hair from the official documentation being wrong... :) |
I don't believe it! 5 years later, still true, thanks for the solution.
|
Does it mean that I must install certificate in the registry docker image also in the nginx? |
Docker-Desktop Icon -> Preferences -> Daemon -> "Insecure registries", click + icon Refer https://forums.docker.com/t/docker-private-registry-x509-certificate-signed-by-unknown-authority/21262/6 for more info. |
On macOS 10.15 and docker version 20.10.5 the issue is still present. I attempted everything that I could find both here and elsewhere to no avail. |
ok thanks. |
I setup docker-registry with nginx by following here.
I run 'docker login', get this error:
# docker login -u docker -p docker -e xx@xxx.com https://dev.registry.com
2014/10/30 11:12:08 Error response from daemon: Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
docker daemon's output:
I checked the code. I think function Login may need 'tlsConfig'
https://github.com/docker/docker/blob/master/registry/auth.go#L163
just like
https://github.com/docker/docker/blob/master/registry/registry.go#L49
# docker --version
Docker version 1.3.0, build c78088f