debian wheezy: kernel 3.13 : x509 error #5157

zenny opened this Issue Apr 10, 2014 · 11 comments


None yet
zenny commented Apr 10, 2014

Getting "x509: failed to load system roots and no roots provided":

"# docker run -i -t -v /var/run/docker.sock:/docker.sock shipyard/deploy setup
Unable to find image 'shipyard/deploy' locally
Pulling repository shipyard/deploy
2014/04/10 21:14:37 Get x509: failed to load system roots and no roots provided"

Docker version is:

docker version

Client version: 0.10.0
Client API version: 1.10
Go version (client): go1.2.1
Git commit (client): dc9c28f
Server version: 0.10.0
Server API version: 1.10
Git commit (server): dc9c28f
Go version (server): go1.2.1

Debian wheezy with 3.13 backported kernel

uname -a

Linux 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.7-1~bpo70+1 (2014-03-29) x86_64 GNU/Linux

dpkg -l | grep ca-certificates

ii ca-certificates 20130119 all Common CA certificates

Similar issues I found are at:


@tianon should ca-certificates be a required dep?

creack commented Apr 14, 2014

I think so, or we should add a check everywhere we use ssl if the ca are installed.

tianon commented Apr 14, 2014

If you look closer, you'll see that he has ca-certificates installed already.

@zenny did you check that your computer's date and time are set correctly? Something like ntpdate comes in especially handy here.

@unclejack unclejack self-assigned this May 12, 2014

I couldn't reproduce this on wheezy with kernel 3.13 and the certificates were installed.
This can only be reproduced if you have corrupt certs or missing certs.

Setting the wrong date yields an error which looks like x509: certificate has expired or is not yet valid, so this isn't related to setting a wrong timezone or date.

@unclejack unclejack closed this May 15, 2014
@unclejack unclejack was unassigned by zenny Jul 24, 2014
mattxia commented Nov 27, 2014

anyone solve this issue on SUSE Enterprise 11SP03? thanks.

@JeanMertz JeanMertz referenced this issue in gliderlabs/docker-consul Dec 15, 2014

Failed to check for updates #38

hqhq commented Jan 7, 2015

@mattxia I have the same problem on SLES 11 sp3, do you have a work
around so far?

geokala commented Jan 9, 2015

For SLES11 the following seems to work (at least it gives me a new error that hg isn't present):
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt
sed -i -r '/^#.+/d' /etc/ssl/certs/ca-certificates.crt


I having this same problem on my LFS. The geokala tip makes no effect here. My date/timezone are correct. And I use my ca-certificates well in others contexts.
There is a way to test where the go lang is searching the certificates ?

trisk commented Apr 23, 2015

Buildroot-based systems exhibit this issue (#3825) on docker pull. The reason appears to be that none of paths for CA certificate files in src/crypto/x509/root_unix.go are provided by Buildroot's Debian-based ca-certificates package.

The ca-certificates package is also missing an install rule for /usr/sbin/update-ca-certificates which could be used to generate /etc/ssl/certs/ca-certificates.crt.

@alexcesaro alexcesaro referenced this issue in go-gomail/gomail Apr 10, 2016

Cannot send email from docker container #57


Just incase google takes someone else here:

I randomly got this on a Linux Mint 17.3 (Ubuntu 14.04) machine.

reinstalling ca-certificates on its own didnt work becasue the java keystore crashes when it tries to update halfway through the update.

this did work

sudo apt-get install --reinstall ca-certificates ca-certificates-java
sudo service docker restart

and boom tried to docker login, and it works.


Hey guys, if you still experience this I recommend using this docker image as a base if that fits your case:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment