I was trying to pull a docker image from a docker registry but hit the following issue:
$ docker pull <docker registry>/<image name>/<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority
I tried with "curl" and get a similar error message:
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:
cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust
After the root cert is imported, I can see curl is working fine as it won't complain the cert error, however if I use docker pull I still have the same issue. Is docker using different ca-cert location than curl? How do I fix the issue with docker pull in this situation?
You may need to restart the docker service to get it to detect the change in OS certificates.
Docker does have an additional location you can use to trust individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g.
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
Thanks!
service docker restartfixed the issue after my change! The other note is useful as I can trust specific docker registries without affecting other applications.