Getting "x509: failed to load system roots and no roots provided":
"# docker run -i -t -v /var/run/docker.sock:/docker.sock shipyard/deploy setup
Unable to find image 'shipyard/deploy' locally
Pulling repository shipyard/deploy
2014/04/10 21:14:37 Get https://index.docker.io/v1/repositories/shipyard/deploy/images: x509: failed to load system roots and no roots provided"
Docker version is:
Client version: 0.10.0
Client API version: 1.10
Go version (client): go1.2.1
Git commit (client): dc9c28f
Server version: 0.10.0
Server API version: 1.10
Git commit (server): dc9c28f
Go version (server): go1.2.1
Debian wheezy with 3.13 backported kernel
Linux docker.dev 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.7-1~bpo70+1 (2014-03-29) x86_64 GNU/Linux
ii ca-certificates 20130119 all Common CA certificates
Similar issues I found are at:
@tianon should ca-certificates be a required dep?
I think so, or we should add a check everywhere we use ssl if the ca are installed.
If you look closer, you'll see that he has ca-certificates installed already.
@zenny did you check that your computer's date and time are set correctly? Something like ntpdate comes in especially handy here.
I couldn't reproduce this on wheezy with kernel 3.13 and the certificates were installed.
This can only be reproduced if you have corrupt certs or missing certs.
Setting the wrong date yields an error which looks like x509: certificate has expired or is not yet valid, so this isn't related to setting a wrong timezone or date.
x509: certificate has expired or is not yet valid
anyone solve this issue on SUSE Enterprise 11SP03? thanks.
@mattxia I have the same problem on SLES 11 sp3, do you have a work
around so far?
For SLES11 the following seems to work (at least it gives me a new error that hg isn't present):
cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt
sed -i -r '/^#.+/d' /etc/ssl/certs/ca-certificates.crt
I having this same problem on my LFS. The geokala tip makes no effect here. My date/timezone are correct. And I use my ca-certificates well in others contexts.
There is a way to test where the go lang is searching the certificates ?
Buildroot-based systems exhibit this issue (#3825) on docker pull. The reason appears to be that none of paths for CA certificate files in src/crypto/x509/root_unix.go are provided by Buildroot's Debian-based ca-certificates package.
The ca-certificates package is also missing an install rule for /usr/sbin/update-ca-certificates which could be used to generate /etc/ssl/certs/ca-certificates.crt.
Just incase google takes someone else here:
I randomly got this on a Linux Mint 17.3 (Ubuntu 14.04) machine.
reinstalling ca-certificates on its own didnt work becasue the java keystore crashes when it tries to update halfway through the update.
this did work
sudo apt-get install --reinstall ca-certificates ca-certificates-java
sudo service docker restart
and boom tried to docker login, and it works.
Hey guys, if you still experience this I recommend using this docker image as a base if that fits your case: https://hub.docker.com/r/centurylink/ca-certs/