podman: Cannot pull from custom registry: x509: certificate signed by unknown authority

/kind bug

Description

I can podman login into our internal harbor registry (say, registry.example.local), but I cannot pull images. The registry has a certificate signed by our custom CA.

$ podman login
Username: 
Password:
$ podman pull registry.example.local/team/image:label
Trying to pull registry.example.local/team/image:label...
Error: initializing source docker://registry.example.local/team/image:label: pinging container registry registry.example.local: Get "https://registry.example.local/v2/": x509: certificate signed by unknown authority

Steps to reproduce the issue:

  1. Open browser at registry.example.local and download the CA pem certificate (I first used the one I have in my KeyChain)
  2. Install certificate as ~/.config/containers/certs.d/example-local.crt
  3. podman machine init
  4. podman machine start
  5. podman login
  6. podman pull registry.example.local/team/image:label

Alternatively, first ssh into the machine and then issue podman pull.

Describe the results you received:

$ podman pull registry.example.local/team/image:label
Trying to pull registry.example.local/team/image:label...
Error: initializing source docker://registry.example.local/team/image:label: pinging container registry registry.example.local: Get "https://registry.example.local/v2/": x509: certificate signed by unknown authority

Describe the results you expected:

Something like

% podman pull --tls-verify=false registry.example.local/team/image:label
Trying to pull registry.example.local/team/image:label...
Getting image source signatures
Copying blob sha256:9d2c24245c2d89f59843f45aa674a4d0f30e7a7...

but without --tls-verify=false.

Additional information you deem important (e.g. issue happens only occasionally):

I’m running macOS 12.3.1 on an M1.

The certificates should be correctly installed on machine init as per https://github.com/containers/podman/pull/12709; I verified this with

$ podman machine ssh
> ls /etc/containers/certs.d/
example-local.crt

Output of podman version:

Client:       Podman Engine
Version:      4.0.3
API Version:  4.0.3
Go Version:   go1.18
Built:        Fri Apr  1 17:28:59 2022
OS/Arch:      darwin/arm64

Server:       Podman Engine
Version:      4.0.2
API Version:  4.0.2
Go Version:   go1.16.14
Built:        Thu Mar  3 15:58:50 2022
OS/Arch:      linux/arm64

Output of podman info --debug:

host:
  arch: arm64
  buildahVersion: 1.24.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc35.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    variant: coreos
    version: "35"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 502
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 5.15.18-200.fc35.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 1197207552
  memTotal: 2048176128
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.4.2-1.fc35.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.2
      commit: f6fbc8f840df1a414f31a60953ae514fa497c748
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/502/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.aarch64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 9m 37.18s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/502/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.2
  Built: 1646319530
  BuiltTime: Thu Mar  3 15:58:50 2022
  GitCommit: ""
  GoVersion: go1.16.14
  OsArch: linux/arm64
  Version: 4.0.2

Package info (e.g. output of rpm -q podman or apt list podman):

$ brew info podman

podman: stable 4.0.3 (bottled), HEAD
Tool for managing OCI containers and pods
https://podman.io/
/opt/homebrew/Cellar/podman/4.0.3 (172 files, 46.2MB) *
  Poured from bottle on 2022-04-11 at 10:04:08
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/podman.rb
License: Apache-2.0
==> Dependencies
Build: go ✔, go-md2man ✘
Required: qemu ✔
==> Options
--HEAD
        Install HEAD version
==> Caveats
zsh completions have been installed to:
  /opt/homebrew/share/zsh/site-functions

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Per README (as suggested in this template), the latest version is 4.0.0; I tested 4.0.3. The items in the troubleshooting guide do not apply.

Additional environment details (AWS, VirtualBox, physical, etc.):

macOS Monterey 12.3.1, M1

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 17 (3 by maintainers)

Most upvoted comments

I followed the instructions in https://github.com/containers/podman/blob/main/docs/tutorials/podman-install-certificate-authority.md to install the CA certs inside the podman machine, now it is working as expected 😃

Podman Desktop is creating a Linux VM where the containers (and Podman) are actually running. Hence, the certs in your Windows Home directory won’t be read.

@benoitf, is there a best-practice in Podman Desktop to set the certs?

$ podman login --log-level=debug registry.example.local
DEBU[0015] Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.example.local

(works) vs.

$ podman machine ssh
> ls /etc/containers/certs.d/
example-local.crt

So that’s not the right location for a certificate to be found (and indeed, the remote logs don’t contain a “Looking for TLS certificates” log entry). Compare also https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md#directory-structure.

(I haven’t looked into how that incorrect destination was created, so I don’t know whether that might be user error or a bug in podman machine, or something else.)
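As an added example (not the reporter's steps or code from the podman project), the following POSIX shell script lays a registry CA out the way containers-certs.d(5) describes, under certs.d/<host>[:port]/, and checks whether a CA would actually be found for a given image reference, flagging a stray top-level file like the example-local.crt from this report. CERTS_D_ROOT, the function names and the placeholder PEM are assumptions for the demo; it also handles host:port references, which the thread does not show.

```shell
#!/bin/sh
# Added example, not code from the issue or from the podman project: lay out a
# registry CA the way containers-certs.d(5) expects. containers/image looks for
# *.crt files under <certs.d root>/<host>[:port]/, so a file dropped at the top
# level of certs.d (the mistake in the report) is never consulted.
# CERTS_D_ROOT defaults to a temporary directory so this runs offline; inside a
# podman machine (podman machine ssh) it would be /etc/containers/certs.d.
set -eu
CERTS_D_ROOT="${CERTS_D_ROOT:-$(mktemp -d)}"

# Derive the certs.d subdirectory for an image reference or registry name:
# strip a scheme if present and keep host[:port] up to the first slash.
certsd_dir_for() {
    ref="${1#https://}"; ref="${ref#docker://}"
    printf '%s/%s\n' "$CERTS_D_ROOT" "${ref%%/*}"
}

# Copy a CA PEM to <root>/<host[:port]>/ca.crt and print the resulting path.
install_registry_ca() {
    dir="$(certsd_dir_for "$1")"
    mkdir -p "$dir"
    cp "$2" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    printf '%s\n' "$dir/ca.crt"
}

# Return 0 if a CA would actually be found for the registry, 1 otherwise, and
# warn about stray top-level *.crt files like the one in the report.
check_registry_ca() {
    dir="$(certsd_dir_for "$1")"
    for stray in "$CERTS_D_ROOT"/*.crt; do
        [ -e "$stray" ] && echo "warning: $stray is outside any host directory and is ignored" >&2
    done
    ls "$dir"/*.crt >/dev/null 2>&1
}

# Constructed placeholder PEM (not a real certificate) so the demo stays offline.
demo_ca="$(mktemp)"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$demo_ca"

# Reproduce the misplacement from the report, then install the CA correctly.
cp "$demo_ca" "$CERTS_D_ROOT/example-local.crt"
check_registry_ca registry.example.local/team/image:label && echo found || echo "not found (as in the report)"
install_registry_ca registry.example.local/team/image:label "$demo_ca"
check_registry_ca registry.example.local/team/image:label && echo "found: $(certsd_dir_for registry.example.local)/ca.crt"
```

Run it with CERTS_D_ROOT=/etc/containers/certs.d inside the machine (or against ~/.config/containers/certs.d on the host) to install a real CA PEM instead of the placeholder.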