moby: access private registry: x509: certificate signed by unknown authority
I set up docker-registry with nginx by following here.
I run ‘docker login’ and get this error:
# docker login -u docker -p docker -e xx@xxx.com https://dev.registry.com
2014/10/30 11:12:08 Error response from daemon: Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
docker daemon’s output:
[debug] server.go:1181 Calling POST /auth
[info] POST /v1.15/auth
[47687bb1] +job auth()
[debug] endpoint.go:109 Error unmarshalling the _ping RegistryInfo: json: cannot unmarshal bool into Go value of type registry.RegistryInfo
[debug] endpoint.go:113 Registry version header: '0.7.1'
[debug] endpoint.go:116 RegistryInfo.Version: "0.7.1"
[debug] endpoint.go:119 Registry standalone header: 'True'
[debug] endpoint.go:127 RegistryInfo.Standalone: true
[debug] endpoint.go:109 Error unmarshalling the _ping RegistryInfo: json: cannot unmarshal bool into Go value of type registry.RegistryInfo
[debug] endpoint.go:113 Registry version header: '0.7.1'
[debug] endpoint.go:116 RegistryInfo.Version: "0.7.1"
[debug] endpoint.go:119 Registry standalone header: 'True'
[debug] endpoint.go:127 RegistryInfo.Standalone: true
Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
[47687bb1] -job auth() = ERR (1)
[error] server.go:1207 Handler for POST /auth returned error: Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
[error] server.go:110 HTTP Error: statusCode=500 Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
I checked the code. I think function Login may need ‘tlsConfig’ https://github.com/docker/docker/blob/master/registry/auth.go#L163
just like https://github.com/docker/docker/blob/master/registry/registry.go#L49
# docker --version
Docker version 1.3.0, build c78088f
# curl --cacert ca.pem https://dev.registry.com/v1/_ping
true
# curl --cacert ca.pem -u docker:docker https://dev.registry.com/v1/users/
"OK"
# curl -u docker:docker https://dev.registry.com/v1/users/
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
About this issue
- State: closed
- Created 10 years ago
- Comments: 41 (3 by maintainers)
Commits related to this issue
- Adding readme and updating data-service setting to use docker registry — committed to pranav-patil/spring-kubernetes-microservices by pranav-patil 5 years ago
Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian: /usr/local/share/ca-certificates.
There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/<registry>, and clearly that isn’t sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.
@hustcat As of Docker 1.3.1, you can do --insecure-registry dev.registry.com:5000; you can replace 5000 with whichever port your registry is listening on. I’m closing this now, but let us know in the comments if this did not solve your issue.
I am facing the same problem. The certificate validation works for the ping (and pushing/pulling), but not login.
The --insecure-registry flag is a workaround, not a fix. The certificate validation should work if the CA certificate is loaded into /etc/docker/certs.d/<registry>, but it doesn’t.
If you’ve installed the cert globally (via ca-certificates) make sure you restart docker as it won’t reload the global ssl certs. That said, mine still isn’t working, but I ran into that at work 😃
I am leaving this here b/c it took me a few minutes to figure it out, and might save someone the time. The command would be:
%> docker --insecure-registry=docker-registry.example.com:8080 login https://docker-registry.example.com:8080
Thanks for getting the switch put in place for 1.3!
Has --insecure-registry gone away?
What should we use now?
Thank you grimmy, that did the trick on my end and it finally works. I did:
mario
in coreos, I had to edit /etc/docker/daemon.json
{ "insecure-registries": ["registry:8443"] }
then sudo systemctl restart docker
If you use LetsEncrypt and you don’t want to run anything without proper TLS, make sure to provide the full chain of the certificate including intermediates (i.e. REGISTRY_HTTP_TLS_CERTIFICATE=…/fullchain.pem); you may see green in Chrome while still getting this error from Docker.
Cheers!
To those that run into this issue and you have self signed certificates and you do not want to use the “insecure-registry” directive then you need to load your self signed certificates into /etc/docker/certs.d/{host}/. After loading them in remember to RESTART docker daemon.
To elaborate some more… If your registry is hosted at https://exampleregistry.com you should have a directory called /etc/docker/certs.d/exampleregistry.com with your self-signed certs inside. Now you will be able to do docker login exampleregistry.com with no x509 error.
Now here is a caveat to all this, let’s say you want to for some reason explicitly define the port in your login command like this: docker login exampleregistry.com:443 (which would make no sense, but this is just an example) then you need to ensure that your self signed certificates are inside a folder called /etc/docker/certs.d/exampleregistry.com:443/. Docker makes no assumptions about certs resolving based on hostname only when using a port. You have to actually provide certs on a per port basis by loading your self signed certs into a folder name that includes the port you are trying to access.
Hopefully this saves many of you guys a lot of debugging who are using ports to connect to your docker registry.
@cjw296 For RHEL7.2, I edited the file /usr/lib/systemd/docker.service, and in the ExecStart line added the --insecure-registry=your.docker.registry.com. Then I ran sudo systemctl daemon-reload to pick up the configuration change, followed by sudo systemctl restart docker. And now it works.
To be honest, I’m still a systemd noob and there are probably better ways to do this more cleanly. But I struggled with this for too long, and wanted to post a workaround. Thanks to @cdub50 for leading me in the right direction.
I got the same error for docker pull command and I think the following should work. Copy the SSL certificate which is the ‘.crt’ file to the directory:
sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
Let Ubuntu add the ‘.crt’ file’s path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
sudo dpkg-reconfigure ca-certificates
I was struggling with this error until I figured I was naming the file /etc/docker/certs.d/myregistry/ca.pem instead of /etc/docker/certs.d/myregistry/ca.crt
I don’t believe it! 5 years later, still true, thanks for the solution.
Can you try following the instructions in https://docs.docker.com/v17.03/engine/security/certificates/ ? Docker 1.13 and up should also read certificates from the system defaults, otherwise:
After configuring the certificates, it may be needed to restart the daemon
For anyone who struggles with /etc/docker/certs.d solution, make sure your directory name under there includes the registry port. So /etc/docker/certs.d/myregistry.net:8443.
Worked fine for me on Photon OS.
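Added example (not code from the thread or from Docker): a shell check for the /etc/docker/certs.d layout described in the comments above, covering the host:port directory name and the ca.pem versus ca.crt mistake, plus a lookup of whether the registry was instead added to insecure-registries in daemon.json. It assumes a POSIX shell; check_certs_d and insecure_listed are names chosen here, and both paths are overridable so the check can run against a test tree.

```shell
#!/bin/sh
# Added example, not code from the issue thread: check that the CA for a
# private registry sits where dockerd looks for it, catching the two mistakes
# reported in the comments: ca.pem instead of ca.crt, and a directory name
# that omits the port used in "docker login host:port". Assumes POSIX sh.

# check_certs_d REGISTRY [CERTS_DIR]
#   REGISTRY  exactly as given to "docker login", e.g. myregistry.net:8443
#   CERTS_DIR defaults to /etc/docker/certs.d (overridable for testing)
# Returns 0 when a PEM ca.crt is in the right place, 1 otherwise.
check_certs_d() {
    registry=$1
    certs_dir=${2:-/etc/docker/certs.d}
    dir="$certs_dir/$registry"
    host=${registry%%:*}

    if [ -f "$dir/ca.crt" ]; then
        # dockerd loads every *.crt in this directory as a trusted root for
        # this registry; a file that is not PEM cannot be parsed.
        if ! grep -q 'BEGIN CERTIFICATE' "$dir/ca.crt"; then
            echo "error: $dir/ca.crt is not a PEM certificate"
            return 1
        fi
        echo "ok: $dir/ca.crt present"
        return 0
    fi
    # Mistake 1: the CA was saved as ca.pem; only *.crt files are loaded.
    if [ -f "$dir/ca.pem" ]; then
        echo "error: found $dir/ca.pem; rename it to ca.crt (dockerd loads only *.crt)"
        return 1
    fi
    # Mistake 2: login uses host:port but the directory was created without the port.
    if [ "$host" != "$registry" ] && [ -d "$certs_dir/$host" ]; then
        echo "error: $certs_dir/$host exists, but login to $registry needs $dir"
        return 1
    fi
    echo "error: no ca.crt under $dir"
    return 1
}

# insecure_listed REGISTRY [DAEMON_JSON]
# Returns 0 if REGISTRY is in "insecure-registries", which disables TLS
# verification for it entirely: the workaround the thread warns about.
insecure_listed() {
    json=${2:-/etc/docker/daemon.json}
    [ -f "$json" ] && tr -d ' \n' < "$json" \
        | grep -q "\"insecure-registries\":\[[^]]*\"$1\""
}
```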
I can’t even get it to work by setting --insecure-registry. I am on docker 1.3.2 on RedHat 7
[root@ip-10-2-20-209 ec2-user]# docker --insecure-registry=qa.docker.repo login https://qa.docker.repo
Username: qa
Password:
Email: qa@user.com
2015/01/19 14:26:40 Error response from daemon: Server Error: Post https://qa.docker.repo/v1/users/: x509: certificate signed by unknown authority
curl works fine when I use the generated ca.pem file.
curl --cacert /home/ec2-user/ca.pem -u qa:xxxxx https://qa.docker.repo/v1/users/
“OK”
I was having the same problem on Windows, until I looked at the docs, which suggest using my certificate authority in Windows Explorer (ca.pem renamed as ca.crt) and Right-Click > Install Certificate and select Trusted Root Certificate Authorities for the current user. Restarted docker and it worked.
@abdasgupta, I’ve noticed that 17.03.1~ce-0~ubuntu-xenial version doesn’t work, but the 17.06.0~ce-0~ubuntu version works.
I place a crt into /usr/local/share/ca-certificates/my-org/my-domain.crt, then do sudo update-ca-certificates and sudo systemctl restart docker.
I didn’t want to use that insecure-registries… is it not possible to run without it?? Moreover, the certificate is the same as the repo’s… because I copied it from there.
This is not resolved in my case: I want to use a self-signed certificate for Nexus OSS repository. But I am getting this error: Error response from daemon: Get https://<mydomain.com>:10250/v1/users/: x509: certificate signed by unknown authority
I have placed the .crt file in /etc/docker/certs.d as well as /usr/share/ca-certificates on my Ubuntu 16.04 on an Intel machine. I then ran update-ca-certificates and restarted docker. This is my cert file nexus.cert:
$ openssl x509 -in nexus.crt -text