Moby: access private registry: x509: certificate signed by unknown authority

@hustcat As of Docker 1.3.1, you can do --insecure-registry dev.registry.com:5000 you can replace 5000 with whichever port your registry is listening on.

I'm closing this now, but let us know in the comments if this did not solve your issue.

I am leaving this here b/c it took me a few minutes to figure it out, and might save someone the time. The command would be:

%> docker --insecure-registry=docker-registry.example.com:8080 login https://docker-registry.example.com:8080

Thanks for getting the switch put in place for 1.3!

I am facing the same problem. The certificate validation works for the ping (and pushing/pulling), but not login.

The --insecure-registry flag is a workaround, not a fix. The certificate validation should work if the CA certificate is loaded into /etc/docker/certs.d/<registry>, but it doesn't.

I cant event get it to work by setting --insecure-registry I am on docker 1.3.2 on RedHat 7

[root@ip-10-2-20-209 ec2-user]# docker --insecure-registry=qa.docker.repo login https://qa.docker.repo
Username: qa
Password:
Email: [email protected]
2015/01/19 14:26:40 Error response from daemon: Server Error: Post https://qa.docker.repo/v1/users/: x509: certificate signed by unknown authority

curl works fine when I use the generated ca.pem file.

curl --cacert /home/ec2-user/ca.pem -u qa:xxxxx https://qa.docker.repo/v1/users/
"OK"

I'm having the same issue on docker version 1.3.2 and opensuse 13.1. I even tried to statically pass --cafile cacert.pem to every curl call (since I assumed docker internally just uses curl), however, this also did not help.

Any help would be much appreciated.

Thanks.
Mario

Before I found this issue, I opened #10150. They appear to be the same issue.

I seem to be having the same issue. Archlinux client 1.4.1 and the registry running from the official docker container. Anyone have any thoughts?

If you've installed the cert globally (via ca-certificates) make sure you restart docker as it won't reload the global ssl certs. That said, mine still isn't working, but I ran into that at work :)

Thank you grimmy, that did the trick on my end and it finally works. I did:

1. Get cacert.pem from http://curl.haxx.se/docs/caextract.html
2. Copy the cacert.pem file to /etc/pki/trust/anchors/
3. sudo update-ca-certificates
4. sudo systemctl docker stop
5. sudo systemctl docker start

mario

Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:

1. Copy CA cert to /usr/local/share/ca-certificates.
2. sudo update-ca-certificates
3. sudo service docker restart

There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/<registry>, and clearly that isn't sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.

+1 for reopening this, as @rhasselbaum mentioned

Has --insecure-registry gone away?

$ docker --version
Docker version 1.8.2, build 0a8c2e3

$ docker --insecure-registry
flag provided but not defined: --insecure-registry
See 'docker --help'.

What should we use now?

that goes in the docker config file you can check if its set by looking at
the docker process you should see the --insecure-registry flag

On Wed, Sep 16, 2015 at 3:01 AM, Chris Withers [email protected]
wrote:

Has --insecure-registry gone away?

$ docker --version
Docker version 1.8.2, build 0a8c2e3

$ docker --insecure-registry
flag provided but not defined: --insecure-registry
See 'docker --help'.

What should we use now?

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/issues/8849#issuecomment-140693481.

I got the same error for docker pull command and I think the following should work.
Copy the SSL certificate which is the '.crt' file to the directory

sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
Let Ubuntu add the '.crt' file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf

sudo dpkg-reconfigure ca-certificates

if your machine state is not important, so you can run docker-machine rm <machine-name> and create another one ;)

If you use LetsEncrypt and you don't want to run anything without proper TLS, make sure to provide the full chain of the certificate including intermediates (ie REGISTRY_HTTP_TLS_CERTIFICATE=.../fullchain.pem) you may see green in Chrome while still getting this error from Docker.

Cheers!

On Ubuntu. If you experience error:

• x509: cannot validate certificate for [IP address or domain name] because it doesn't contain any IP SANs

On the Docker registry the certificate had to be compiled with the subjectAltName as described here:
https://docs.docker.com/engine/security/https/

Here is the code for convenience:
$ echo subjectAltName = IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf

Note, I was able to check the subject alternative name is present in the certificate using the following command:
openssl x509 -in certificate.crt -text -noout

However, on Ubuntu 14 client (i.e. Docker Engine)
This error was followed suit by
x509: certificate signed by unknown authority

For people using Ubuntu 14.
The config file that is used for the Docker engine (that I want to use to connect to the Docker Registry):
/etc/default/docker

in there, you need to specify the docker options:
DOCKER_OPTS="--insecure-registry myinsecure.com:5000"

Then restart the daemon (add sudo if you user is not allowed to start a docker service):
$ [sudo] service docker restart

The value does not need to be a domain name, it simply has to match what you certificate is registered with; I have an IP address with a port and this works... (i.e. e.g. 100.100.100.100:100)

All this took me a day, so, I am posting this hoping that it will be useful to other people...

@JazzDeben Thanks for your remarks ! very useful ! i am not sure how to do it with a Let's Encript certbot generated certificate.
i get this error in the registry server

tls: client didn't provide a certificate

Chrome complains about ERR_BAD_SSL_CLIENT_AUTH_CERT
if i include

  tls:
...
    clientcas:
      - /path/to/ca.pem

@cjw296 For RHEL7.2, I edited the file, /usr/lib/systemd/docker.service, and in the ExecStart line added the --insecure-registry=your.docker.registry.com.

< ExecStart=/usr/bin/dockerd
---
> ExecStart=/usr/bin/dockerd --insecure-registry=your.docker.registry.com

Then I ran sudo systemctl daemon-reload to pick up the configuration change, followed by sudo systemctl restart docker. And now it works.

To be honest, I'm still a systemd noob and there are probably better ways to do this more cleanly. But I struggled with this for too long, and wanted to post a workaround. Thanks to @cdub50 for leading me in the right direction.

@david-drinn For Fedora 25, I did something similar, but since the docker daemon config (in /usr/lib/systemd/system/docker.service) sources setup from configuration files, I made the change in /etc/sysconfig/docker:

< # INSECURE_REGISTRY='--insecure-registry='
---
> INSECURE_REGISTRY='--insecure-registry=your.docker.registry.com'

If curl is working and docker not, you can:
o create the "/etc/docker/certs.d//..." directory & files (valid for private registries only ?)
o add a "tlscert" entry in your "/etc/docker/daemon.json" file, so that dockerd uses the same certificates as curl does.

To those that run into this issue and you have self signed certificates and you do not want to use the "insecure-registry" directive then you need to load your self signed certificates into /etc/docker/certs.d/{host}/. After loading them in remember to RESTART docker daemon. To elaborate some more.....

If your registry is hosted at https://exampleregistry.com you should have a directory called /etc/docker/certs.d/exampleregistry.com with your self-signed certs inside. Now you will be able to do docker login exampleregistry.com with no x509 error.
Now here is a caveat to all this, lets say you want to for some reason explicitly define the port in your login command like this docker login exampleregistry.com:443(which would make no sense, but this is just an example) then you need to ensure that your self signed certificates are inside a folder called /etc/docker/certs.d/exampleregistry.com:443/. Docker makes no assumptions about certs resolving based on hostname only when using a port. You have to actually provide certs on a per port basis by loading your self signed certs into a folder name that includes the port you are trying to access.

Hopefully this saves many of you guys a lot of debugging who are using ports to connect to your docker registry.

This is not resolved in my case:
I want to use a self-signed certificate for nexus OSS repository. But I am getting this error: Error response from daemon: Get https://:10250/v1/users/: x509: certificate signed by unknown authority

I have placed the .crt file in /etc/docker/certs.d as well as /usr/share/ca-certificates on my ubuntu 16.04 om intel machine. I ran then update-ca-certificates and restarted docker. this is my cert file nexus.cert:
$ openssl x509 -in nexus.crt -text

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Validity
            Not Before: Jul 17 20:28:26 2017 GMT
            Not After : Jul 17 20:28:26 2018 GMT
        Subject: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b8:2c:97:c2:e4:bf:7a:e1:49:22:9b:a2:90:7a:
                    3a:de:3d:d3:f5:e9:c9:8b:9b:c8:13:37:4b:36:32:
                    4f:a7:0d:b9:53:4c:f4:10:fa:e7:d2:64:a5:e9:0a:
                    32:49:c3:aa:f8:2c:27:82:94:85:c3:11:07:a7:d0:
                    6c:0a:4a:45:66:94:cb:d3:27:28:cd:58:43:5b:f9:
                    e1:66:97:52:81:be:03:53:d5:e1:84:0c:4f:89:fd:
                    78:6d:8f:88:cf:29:af:6d:14:2e:2e:dc:d4:f3:87:
                    1c:73:5e:35:cb:d2:95:58:20:55:c0:f5:89:e1:40:
                    64:16:cd:25:a8:bd:6b:6a:9c:21:b0:97:d2:67:63:
                    5c:3c:4a:2c:21:1a:72:3a:68:c6:a0:e2:ea:4d:f8:
                    db:bd:02:81:93:db:60:51:ad:6e:bf:d7:7d:45:43:
                    95:e1:a5:d7:de:36:76:7c:a4:d7:4a:7f:b2:b1:98:
                    75:7d:27:2c:1d:ad:03:1b:5f:8a:ac:12:5e:76:9c:
                    2a:f7:03:b0:51:6c:23:a4:df:08:1f:02:0c:42:b6:
                    ff:7f:33:16:b0:86:fc:92:e7:db:7a:3b:a2:70:30:
                    f4:79:fa:f1:0f:75:0f:32:69:79:97:73:f4:de:11:
                    3e:bf:f8:63:49:21:dc:02:c6:ef:de:91:74:03:6d:
                    21:56:2e:c6:04:d1:02:30:73:6e:52:c7:93:07:6c:
                    f9:98:ff:1c:cc:dd:da:c7:45:2e:7b:ab:04:33:fe:
                    39:6c:5d:d5:dd:46:ae:25:d6:fd:9d:01:ae:8a:e8:
                    14:18:cc:6e:64:e4:11:8a:ce:3d:30:56:6d:0c:a7:
                    83:90:6c:f5:14:36:16:39:cc:10:7a:db:35:f6:9c:
                    68:da:84:f6:9c:07:d0:3e:b7:52:54:03:75:9a:ae:
                    eb:79:b5:5f:cb:10:cf:25:08:ae:f7:b3:13:79:f4:
                    4a:98:72:08:e3:23:e2:22:a1:31:47:41:ec:a4:76:
                    42:db:1c:46:31:3c:a2:14:14:94:bf:4f:1e:1f:85:
                    a0:9c:4c:3d:af:92:7a:90:d1:ad:23:f0:ea:3e:7d:
                    b4:21:79:f9:82:3a:16:04:42:60:b8:5d:15:1c:48:
                    9b:1e:b5:9b:0d:1f:aa:56:aa:a2:1a:a5:6f:ef:ab:
                    2a:22:6d:05:19:c0:2b:dc:46:c4:c2:4a:f8:89:25:
                    fc:dc:e6:ab:7b:8a:76:de:47:a3:e2:00:0e:d7:e8:
                    bd:86:86:d3:8d:6b:56:63:bf:40:1e:31:d7:74:fe:
                    63:fc:7e:e2:9f:21:31:1d:39:2a:44:a5:56:fd:dd:
                    66:5e:c2:4f:94:c7:ee:26:89:1a:d1:6b:13:00:f6:
                    4f:72:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         25:26:77:55:50:0a:66:39:5f:79:c7:5e:af:5f:54:e2:92:6f:
         62:e5:90:3a:0f:de:9b:7a:02:df:66:47:c5:71:61:91:c4:74:
         ba:0e:55:34:47:0b:72:c5:f5:27:5d:d0:d6:06:a9:f7:5c:d5:
         41:30:4c:0f:0b:3a:3c:64:13:a0:28:9b:10:92:0e:c8:eb:e8:
         0f:00:ba:54:9d:d4:7a:8c:cd:f7:91:a9:55:69:0f:9b:12:77:
         e9:f2:28:c8:cb:07:d4:ab:a4:eb:b2:3d:ae:b4:6d:7a:15:85:
         cb:07:f6:e3:6b:58:1c:26:0a:ad:d5:e6:7c:b7:e7:19:6c:d1:
         31:80:5e:cb:17:85:88:a2:6c:fc:fe:3c:28:1f:f9:87:a6:0f:
         f6:85:d2:c0:76:25:fb:52:2f:8a:99:0c:88:4e:bd:84:6b:da:
         81:b4:41:f1:bf:1c:e7:7d:93:a5:e2:d7:66:8a:63:bf:9c:c4:
         ad:ea:cb:c4:c6:7d:1f:95:35:87:60:8b:e8:23:e8:4e:36:43:
         5e:86:de:c4:35:e0:29:7a:93:90:a4:9b:c3:d1:8e:13:55:9f:
         ea:ab:52:0a:a8:a0:54:cf:f4:5e:ff:12:40:09:43:3c:e7:55:
         e7:c1:de:62:ce:21:39:f5:d3:51:7a:92:f2:b2:3c:75:8c:1f:
         bd:aa:13:63
-----BEGIN CERTIFICATE-----
MIIEPDCCAyQCAQEwDQYJKoZIhvcNAQELBQAwZDELMAkGA1UEBhMCSU4xEjAQBgNV
BAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQwwCgYDVQQKEwNJQk0x
DDAKBgNVBAsTA2x0YzERMA8GA1UEAxMIbHRjeC5jb20wHhcNMTcwNzE3MjAyODI2
WhcNMTgwNzE3MjAyODI2WjBkMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0
YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDDAKBgNVBAoMA0lCTTEMMAoGA1UECwwD
bHRjMREwDwYDVQQDDAhsdGN4LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBALgsl8Lkv3rhSSKbopB6Ot490/XpyYubyBM3SzYyT6cNuVNM9BD659Jk
pekKMknDqvgsJ4KUhcMRB6fQbApKRWaUy9MnKM1YQ1v54WaXUoG+A1PV4YQMT4n9
eG2PiM8pr20ULi7c1POHHHNeNcvSlVggVcD1ieFAZBbNJai9a2qcIbCX0mdjXDxK
LCEacjpoxqDi6k34270CgZPbYFGtbr/XfUVDleGl1942dnyk10p/srGYdX0nLB2t
AxtfiqwSXnacKvcDsFFsI6TfCB8CDEK2/38zFrCG/JLn23o7onAw9Hn68Q91DzJp
eZdz9N4RPr/4Y0kh3ALG796RdANtIVYuxgTRAjBzblLHkwds+Zj/HMzd2sdFLnur
BDP+OWxd1d1GriXW/Z0BroroFBjMbmTkEYrOPTBWbQyng5Bs9RQ2FjnMEHrbNfac
aNqE9pwH0D63UlQDdZqu63m1X8sQzyUIrvezE3n0SphyCOMj4iKhMUdB7KR2Qtsc
RjE8ohQUlL9PHh+FoJxMPa+SepDRrSPw6j59tCF5+YI6FgRCYLhdFRxImx61mw0f
qlaqohqlb++rKiJtBRnAK9xGxMJK+Ikl/Nzmq3uKdt5Ho+IADtfovYaG041rVmO/
QB4x13T+Y/x+4p8hMR05KkSlVv3dZl7CT5TH7iaJGtFrEwD2T3KbAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBACUmd1VQCmY5X3nHXq9fVOKSb2LlkDoP3pt6At9mR8Vx
YZHEdLoOVTRHC3LF9Sdd0NYGqfdc1UEwTA8LOjxkE6AomxCSDsjr6A8AulSd1HqM
zfeRqVVpD5sSd+nyKMjLB9SrpOuyPa60bXoVhcsH9uNrWBwmCq3V5ny35xls0TGA
XssXhYiibPz+PCgf+YemD/aF0sB2JftSL4qZDIhOvYRr2oG0QfG/HOd9k6Xi12aK
Y7+cxK3qy8TGfR+VNYdgi+gj6E42Q16G3sQ14Cl6k5Ckm8PRjhNVn+qrUgqooFTP
9F7/EkAJQzznVefB3mLOITn101F6kvKyPHWMH72qE2M=
-----END CERTIFICATE-----

@abdasgupta : can you "curl" your repo ?
If so, check which certificates' file curl is using, and edit your daemon.json file in order to use that same file.
In my case, it was :
[root@localhost ]# cat /etc/docker/daemon.json
{ "insecure-registries":["registry-1.docker.io/v2:5000"],
"debug":true,
"tlscert": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" <<<<======
}

I didn't wanted to use that insecure-registries.. is it not possible to run without it?? moreover, certificate is same as repo's.. cz I copied from there.

I guess you can run without insecure-registries. Can you reach your repo with a “curl” command ?
Best regards.

De : Abhishek Dasgupta [mailto:[email protected]]
Envoyé : mardi 18 juillet 2017 18:30
À : moby/moby
Cc : Frédéric Castelain; Comment
Objet : Re: [moby/moby] access private registry: x509: certificate signed by unknown authority (#8849)

I didn't wanted to use that insecure-registries.. is it not possible to run without it?? moreover, certificate is same as repo's.. cz I copied from there.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHubhttps://github.com/moby/moby/issues/8849#issuecomment-316120117, or mute the threadhttps://github.com/notifications/unsubscribe-auth/ANgcLAxGE34n7fSByG0svUJry3vtTAR7ks5sPN2JgaJpZM4C0usv.

NOTICE: This e-mail (including any attachments) may contain information that is private, confidential or legally privileged information or material and is intended solely for the use of the addressee(s). If you receive this e-mail in error, please delete it from your system without copying it and immediately notify the sender(s) by reply e-mail. Any unauthorized use or disclosure of this message is strictly prohibited. STEF does not guarantee the integrity of this transmission and may therefore never be liable if the message is altered or falsified nor for any virus, interception or damage to your system.

AVIS : Ce message (y compris toutes pièces jointes) peut contenir des informations privées, confidentielles et est pour l'usage du(es) seul(s) destinataire(s). Si vous avez reçu ce message par erreur, merci d'en avertir l'expéditeur par retour d'email immédiatement et de procéder à la destruction de l'ensemble des éléments reçus, dont vous ne devez garder aucune copie. Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le(les) destinataire(s) désigné(s) est interdite. STEF ne garantit pas l'intégrité de cette transmission et ne saurait être tenu responsable du message, de son contenu, de toute modification ou falsification, d’une interception ou de dégâts à votre système.

@abdasgupta, I've noticed that 17.03.1~ce-0~ubuntu-xenialversion doesn't work, but the 17.06.0~ce-0~ubuntu version works.

I place a crt into /usr/local/share/ca-certificates/my-org/my-domain.crt, then do sudo update-ca-certificates and sudo systemctl restart docker.

Can you try following the instructions in https://docs.docker.com/v17.03/engine/security/certificates/ ? Docker 1.13 and up should also read certificates from the system defaults, otherwise;

A custom certificate is configured by creating a directory under /etc/docker/certs.d using the same name as the registry’s hostname (e.g., localhost). All *.crt files are added to this directory as CA roots.

After configuring the certificates, it may be needed to restart the daemon

For anyone who struggles with /etc/docker/certs.d solution, make sure your directory name under there includes the registry port. So /etc/docker/certs.d/myregistry.net:8443.

Worked fine for me on Photon OS.

I was struggling with this error until I figured I was naming the file /etc/docker/certs.d/myregistry/ca.pem instead of /etc/docker/certs.d/myregistry/ca.crt

I was having the same problem on Windows, until I looked at the docs, which suggests using my certificate authority in Windows Explorer (ca.pem renamed as ca.crt) and Right-Click > Install Certificate and select Trusted Root Certificate Authorities for the current user. Restarted docker and it worked.

in coreos, I had to edit
/etc/docker/daemon.json
{ "insecure-registries": ["registry:8443"] }
then sudo systemctl restart docker

Hint: If you reach your private repo through a proxy you can experience same error message, disable proxy or configure an exception (NO_PROXY perhaps) for the private registry host.

I am running docker-registry as a Kubernetes POD on Rancher. I have configured a L7 Ingress and the SSL certificate is located there. when I access from Web browser I have no problem SSL fine, and login credentials works fine. but if I run docker login command I get the x509: certificate signed by unknown authority, which I believe is trying to get the default ingress backend with the fake SSL Self-signed certificate. I am restarting docker on my computer to see if that helps.

It used to work.... I made a small change on my ingress to support a new SSL cert for two hostname
after restarting docker on my laptop still same issue :(

Hi Bro.. This issue same as with my problem.
Openshift cannot import-image for nexus repository, the sintax is
oc import-image nexus-coba:3.5 --from=192.168.250.250:8083/node-nexus --confirm
error: tag latest failed: Internal error occurred: Get https://192.168.250.250:8083/v2/: x509: certificate signed by unknown authority
imagestream.image.openshift.io/nexus-coba imported with errors
This Solution only add --insecure after --confirm.

oc import-image nexus-coba:3.5 --from=192.168.250.250:8083/node-nexus --confirm --insecure

Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:

1. Copy CA cert to `/usr/local/share/ca-certificates`.

2. sudo update-ca-certificates

3. sudo service docker restart

There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/<registry>, and clearly that isn't sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.

Such a big thank you ! I was doing exactly what you were describing, pulling my hair from the official documentation being wrong... :)

I don't believe it! 5 years later, still true, thanks for the solution.

Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:

1. Copy CA cert to `/usr/local/share/ca-certificates`.

2. sudo update-ca-certificates

3. sudo service docker restart

There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/<registry>, and clearly that isn't sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.

Is it means that I must install certificate in the registry docker image also in the nginx?

Docker-Desktop Icon -> Preferences -> Daemon -> "Insecure registries", click + icon
Add your repo "your-registry.com"
click “Apply & Restart”

Refer https://forums.docker.com/t/docker-private-registry-x509-certificate-signed-by-unknown-authority/21262/6 for more info.