moby: Certificate error with "docker login"

I’m setting up a private registry with a front-end Apache server serving as an SSL/TLS and Basic Auth proxy. I have a signed certificate for the Apache server. I placed the CA certificate in /etc/docker/certs.d/<redacted>/ca.crt.

All this works fine for docker push and docker pull. I see SSL connections being made. However, docker login fails with this error in the client:

FATA[0004] Error response from daemon: Server Error: Post https://<redacted>/v1/users/: x509: certificate signed by unknown authority

And I see the following in the daemon log:

DEBU[5219] Calling POST /auth                           
INFO[5219] POST /v1.16/auth                             
INFO[5219] +job auth()                                  
DEBU[5219] hostDir: /etc/docker/certs.d/<redacted> 
DEBU[5219] crt: /etc/docker/certs.d/<redacted>:443/ca.crt 
DEBU[5219] RegistryInfo.Version: ""                     
DEBU[5219] Registry standalone header: 'True'           
DEBU[5219] RegistryInfo.Standalone: true                
DEBU[5219] hostDir: /etc/docker/certs.d/<redacted> 
DEBU[5219] crt: /etc/docker/certs.d/<redacted>/ca.crt 
DEBU[5219] RegistryInfo.Version: ""                     
DEBU[5219] Registry standalone header: 'True'           
DEBU[5219] RegistryInfo.Standalone: true                
Server Error: Post https://<redacted>/v1/users/: x509: certificate signed by unknown authority
INFO[5219] -job auth() = ERR (1)                        
ERRO[5219] Handler for POST /auth returned error: Server Error: Post https://<redacted>/v1/users/: x509: certificate signed by unknown authority 
ERRO[5219] HTTP Error: statusCode=500 Server Error: Post https://<redacted>/v1/users/: x509: certificate signed by unknown authority 

I know it’s reading the CA file because if I rename it, docker pull stops working. What would cause docker pull to work fine but docker login to fail with a certificate error? Here is my version info:

Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.3.3
Git commit (client): 5bc2ff8
OS/Arch (client): linux/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8

About this issue

  • State: open
  • Created 9 years ago
  • Comments: 45 (13 by maintainers)

Most upvoted comments

From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/

On RHEL you can add your docker registry server cert to the global CA list:

sudo cp coreos-reg.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo systemctl restart docker

docker version
Client version: 1.4.1-dev
Client API version: 1.17
Go version (client): go1.3.1
Git commit (client): d26b358/1.4.1
OS/Arch (client): linux/amd64
Server version: 1.4.1-dev
Server API version: 1.17
Go version (server): go1.3.1
Git commit (server): d26b358/1.4.1

Installing the certificate globally works around the problem. Steps on Ubuntu/Debian:

  1. Copy CA cert to /usr/local/share/ca-certificates.
  2. sudo update-ca-certificates
  3. sudo service docker restart

Once this is done, it doesn’t matter if the cert is also loaded into /etc/docker/certs.d/<registry> or not.

I would not promote insecure-registry as a solution though. It is a workaround.

@kateklemp the --insecure-registry flag needs to be set on the daemon, not the client.

For your certificate issue, are you able to curl the endpoint just fine using the ca certificate?

$ curl --cacert /etc/docker/certs.d/<remote-reg>/ca.crt https://<remote-reg>/v1/_ping

Hi,

I have installed docker in Windows 7 using Windows Tool Box. I am getting the same error while logging in to the IBM Bluemix registry.

D:\Project\xx\source_code\xx-xx-service>docker login registry.ng.bluemix.net
Username: vikash315@gmail.com
Password:
Error response from daemon: Get https://registry.ng.bluemix.net/v1/users/: x509: certificate signed by unknown authority

I have read above comments but didn’t find any clue to fix it in windows.

Please suggest how to fix this issue.

Thanks, Vikash

Hi, the comment from “winchell commented on 31 May 2015” made my day.

I had a fresh official wildcard certificate but my Artifactory with nginx in front still complained about: v1/users/: x509: certificate signed by unknown authority

So I manually added the chain certificate at the end of the cert.crt, restarted nginx and boom, it finally worked.

Maybe this helps someone else
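The fix in the comment above (the server sending the full chain, not just the leaf certificate) can be reproduced without any server. The following is an added Go example, not code from the thread or from Docker: it builds a constructed root CA, intermediate CA and leaf certificate for the made-up host registry.example.test, then verifies the leaf the way a Go TLS client such as the Docker daemon does, trusting only the root (the equivalent of ca.crt). When the "server" presents only the leaf, verification fails with the same "certificate signed by unknown authority" error seen in this issue; when it presents leaf plus intermediate (cert.crt with the chain appended), it succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a constructed certificate together with its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for tmpl signed by parent (self-signed when parent is nil).
func newCert(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// buildChain constructs root -> intermediate -> leaf for the hypothetical host registry.example.test.
func buildChain() (root, inter, leaf *certPair, err error) {
	now := time.Now()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	if root, err = newCert(caTmpl("Example Root CA", 1), nil); err != nil {
		return
	}
	if inter, err = newCert(caTmpl("Example Intermediate CA", 2), root); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "registry.example.test"},
		DNSNames:     []string{"registry.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, inter)
	return
}

// verifyPresented mimics a TLS client that trusts only `trusted` (the ca.crt / CA bundle) and
// receives `presented` from the server: the leaf first, then whatever chain the server sends.
func verifyPresented(trusted, presented []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Demo returns the verification results for a server that sends only the leaf (first value)
// and for one that sends leaf plus intermediate (second value).
func Demo() (missingChain, withChain error) {
	root, inter, leaf, err := buildChain()
	if err != nil {
		return err, err
	}
	trusted := []*x509.Certificate{root.cert}
	missingChain = verifyPresented(trusted, []*x509.Certificate{leaf.cert}, "registry.example.test")
	withChain = verifyPresented(trusted, []*x509.Certificate{leaf.cert, inter.cert}, "registry.example.test")
	return missingChain, withChain
}

func main() {
	missing, with := Demo()
	fmt.Println("leaf only:            ", missing) // x509: certificate signed by unknown authority
	fmt.Println("leaf + intermediate:  ", with)    // <nil>
}
```

The same check explains why `openssl s_client` can report success on a workstation whose trust store already contains the intermediate while a daemon trusting only ca.crt fails: the client has to be able to build a path from the leaf to a trusted root, and the intermediate must come either from the server or from the trust store.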

@tallandtree thanks a lot ! Same thing here (corporate proxy)

curl: ok
docker login: fail
http_proxy was set
no_proxy was not set

For anyone who still has this problem with docker 1.9. I also had this error (x509 certificate error) and finally found the cause: We are behind a corporate http proxy, so I configured a proxy in /etc/systemd/system/docker.service.d/http-proxy.conf but forgot to add my new private registry server to the NO_PROXY list. Curl respects the local exported “no_proxy” setting, but docker needs to know this as well via the above configuration file. Error message was a tad confusing.
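The proxy drop-in described in this comment, shown with the incomplete and the corrected form side by side. This is an added example, not the commenter's file: the proxy address and the registry host name are placeholders, and only one of the two [Service] blocks belongs in /etc/systemd/system/docker.service.d/http-proxy.conf.

```ini
# /etc/systemd/system/docker.service.d/http-proxy.conf (hypothetical values)

# Incomplete: every outbound connection from dockerd, including the one to the
# private registry, is sent through the corporate proxy.
[Service]
Environment="HTTP_PROXY=http://proxy.example.test:3128"
Environment="HTTPS_PROXY=http://proxy.example.test:3128"

# Corrected: the private registry is exempted so dockerd connects to it directly
# and sees the registry's own certificate chain.
[Service]
Environment="HTTP_PROXY=http://proxy.example.test:3128"
Environment="HTTPS_PROXY=http://proxy.example.test:3128"
Environment="NO_PROXY=registry.example.test,localhost,127.0.0.1"
```

After editing the drop-in, run `systemctl daemon-reload` and `systemctl restart docker`; `systemctl show --property=Environment docker` confirms which proxy variables the daemon actually received, which is the quickest way to spot the mismatch between the shell's exported no_proxy and the daemon's environment.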

@spencerkohan no I was just referring to the directory which was created according to the registry name. It is created according to the name given in the DOCKER_OPTS --insecure-registry URL.

Docker is not very consistent about this, e.g. for the local registry, you have to specify the port (which has to be 5000), but for a trusted (private) registry (which has to be SSL secured, god knows why…), you must not specify the port (443)…

I’ve also encountered this issue.

  1. I am positive that I used the proper CA certificate (openssl s_client worked and reported successful validation)
  2. I’ve installed that in /etc/certs.d/<myserver>/ca.crt
  3. docker pull worked
  4. docker login didn’t

Once added into the root store, it worked like a charm. So definitely something is wrong wrt docker login in this case.

One note: when adding the cert into the root store, you need to add it to /etc/ssl/ca-certificates.crt and not just as a separate PEM file with a proper hashed symlink; docker seems to work only with the CA bundle and not the broken-down CA certificate files.

Probably, if you are already logged in and your .dockercfg contains your credentials, it would work, but I guess any newcomer who wants to deploy their private registry will have a hard time figuring this out.

For those still having this problem having tried the above on Redhat / CentOS:

Try manually adding the chain certs to the end of /etc/pki/tls/certs/ca-bundle.crt. In my case running update-ca-trust didn’t actually update this file. I don’t know the reason. There is some other formatting in ca-bundle.crt, but don’t worry about that and append the certs as they are in PEM format.

I was only able to get certificate validation working with docker login by adding the certificate to the host’s global CA trust store. Adding to /etc/docker/certs.d/... is still not working AFAIK.

@databus23 is correct, this is not the same issue as #9570.