x509: certificate signed by unknown authority

Quote from moshe on 10/01/2023, 3:48 pm
Problem
A user tries to pull an image from a private registry with a self-signed certificate and gets the following error:
x509: certificate signed by unknown authority
Solution
You need to import the unknown certificate into your local Docker installation so that it is treated as a trusted authority.
Mac OS Docker
Add the following settings in the Docker GUI:
{
  "debug": true,
  "experimental": false,
  "insecure-registries": [
    "repo.k8s.tracston.local:443"
  ]
}
Note: change the URL to your local domain.
Then run the following steps to export the Certificate Authority:
Go to your repository's URL in a browser. You may have to accept all security prompts.
Click on the padlock 🔓 on the address bar, then click on "Connection is secure/Certificate is valid" (on Chrome) or "Show Certificate" (on Safari), and a certificate window popup will appear.
Chrome users: click the "Details" tab and the "Export" button at the bottom to export the certificate file. Save the file "repo.k8s.tracston.local.cer" in your Downloads directory.
Safari users: click and hold on the big paper icon of the certificate and drag it to the Downloads folder.
Import the certificate from the command line:
# -d writes admin (system-wide) trust settings, so the target is the System keychain and the command needs sudo;
# after "sudo su", ~ would point at root's home and neither the login keychain nor the .cer file would be found there
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/repo.k8s.tracston.local.cer
Linux Users
Run the following commands.
Edit or create the file /etc/docker/daemon.json and add insecure-registries:
vi /etc/docker/daemon.json
{
  "insecure-registries": ["repo.k8s.tracston.local:443"]
}
## export the certificate to a file and save it under the docker certs.d directory
## (the directory name must match the registry name as written in the image reference, with or without the :443 port)
mkdir -p /etc/docker/certs.d/repo.k8s.tracston.local:443
mkdir -p /etc/docker/certs.d/repo.k8s.tracston.local
## "openssl x509" keeps only the first certificate printed by s_client, i.e. the server certificate;
## for a registry whose certificate is literally self-signed that is the CA itself
openssl s_client -showcerts -verify 5 -connect repo.k8s.tracston.local:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/docker/certs.d/repo.k8s.tracston.local:443/ca.crt
openssl s_client -showcerts -verify 5 -connect repo.k8s.tracston.local:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/docker/certs.d/repo.k8s.tracston.local/ca.crt
## Restart docker daemon
systemctl restart docker
Ubuntu
sudo update-ca-certificates --fresh
openssl s_client -showcerts -verify 5 -connect repo.k8s.tracston.local:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | tee ~/repo.k8s.tracston.local.crt
sudo cp ~/repo.k8s.tracston.local.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo service docker restart
CentOS
yum install -y ca-certificates
update-ca-trust force-enable
openssl s_client -showcerts -verify 5 -connect repo.k8s.tracston.local:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/pki/ca-trust/source/anchors/repo.k8s.tracston.local.cert
update-ca-trust
Windows Users
From the Docker website:
Open Windows Explorer, right-click the certificate, and choose Install certificate.
Then, select the following options:
- Store location: local machine
- Check "Place all certificates in the following store"
- Click Browse, and select Trusted Root Certificate Authorities
- Click Finish
Additionally, you can export the certificate authority from your private registry and copy it to the local Docker folder:
C:\ProgramData\docker\certs.d\ca.crt
Verify the SSL CA certificate loaded correctly:
openssl s_client -connect repo.k8s.tracston.local:443 -showcerts </dev/null
Verify that the image can be pulled without a problem:
docker pull repo.k8s.tracston.local/services/vault-connector:0.1.0
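An added example for this thread (not code from moshe's post): a POSIX shell script that performs the Linux certs.d step on its own, without listing the registry under "insecure-registries". Two points it makes explicit. First, "insecure-registries" tells dockerd to skip TLS certificate verification for that host and to fall back to plain HTTP if HTTPS fails, so once it is set the ca.crt placed in certs.d is no longer what protects the pull; putting the CA under /etc/docker/certs.d/<registry>/ca.crt is sufficient by itself and keeps verification on. Second, piping `openssl s_client -showcerts` into `openssl x509` keeps only the first certificate of the output, which is the server's own certificate; that equals the CA only when the registry certificate is literally self-signed, so the script takes the last certificate of the chain instead and then confirms with `openssl verify` that it validates the leaf. The registry name registry.example.test, the CERTS_ROOT override (so the demo writes to a temp directory rather than /etc/docker/certs.d) and the locally generated CA and leaf are all constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# Installs a private registry's CA into Docker's per-registry trust directory
# (certs.d/<registry>/ca.crt) instead of listing the registry under
# "insecure-registries", so TLS verification stays on.
# Assumptions (constructed for the example): the registry name
# registry.example.test, and a CERTS_ROOT override so the demo can run
# unprivileged against a temp directory instead of /etc/docker/certs.d.
set -eu

CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# Print only the LAST PEM certificate of a bundle such as the output of
# `openssl s_client -showcerts`. s_client prints the server's own certificate
# first and its issuer(s) after it, so the last block is the top of the chain;
# `openssl x509` on the same input would keep only the FIRST block (the leaf).
last_cert_in_chain() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inside = 0; last = buf }
        END                           { printf "%s", last }
    ' "$1"
}

# Copy a CA PEM file to certs.d/<registry>/ca.crt. The directory name must
# match the registry exactly as it appears in the image reference
# (host, or host:port when the reference carries a port).
install_registry_ca() {
    registry="$1"; ca_pem="$2"
    dir="$CERTS_ROOT/$registry"
    mkdir -p "$dir"
    cp "$ca_pem" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

# Prove the installed CA is the right one: it must validate the registry's
# leaf certificate. Prints "ok" or "fail".
verify_leaf_against_ca() {
    registry="$1"; leaf_pem="$2"
    if openssl verify -CAfile "$CERTS_ROOT/$registry/ca.crt" "$leaf_pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Offline demo: build a constructed private CA and a leaf it signs (standing in
# for what the registry presents over TLS), then run the install and the check.
demo() {
    work="$(mktemp -d)"
    registry="registry.example.test"   # assumed registry name
    CERTS_ROOT="$work/certs.d"         # assumed override; real hosts use /etc/docker/certs.d

    # Minimal req config: the CA gets CA:TRUE so `openssl verify` accepts it as a root.
    # The [dn] entry is unused because -subj supplies the subject.
    cat > "$work/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$work/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 2 -subj "/CN=Example Private CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$work/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=$registry" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -out "$work/leaf.pem" >/dev/null 2>&1

    # Constructed stand-in for `openssl s_client -showcerts -connect $registry:443`:
    # the leaf comes first, the issuing CA last.
    cat "$work/leaf.pem" "$work/ca.pem" > "$work/chain.pem"

    last_cert_in_chain "$work/chain.pem" > "$work/ca-extracted.pem"
    install_registry_ca "$registry" "$work/ca-extracted.pem"
    result="$(verify_leaf_against_ca "$registry" "$work/leaf.pem")"
    rm -rf "$work"
    echo "$result"
}

demo
```

On a real Docker host, run the three functions as root with CERTS_ROOT unset and with the chain captured from `openssl s_client -showcerts -connect <registry>:443 </dev/null`, leave "insecure-registries" out of daemon.json, and then repeat the `docker pull` from the post: a successful pull with verification still enabled is the result you want, whereas a pull that only works after adding the host to "insecure-registries" means the wrong certificate was installed.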