self signed certificates not working - "x509: certificate signed by unknown authority" error with private Docker repository #112
Comments
@erichorwath This has been fixed with docker/buildx#787 and available since 0.7.0-rc1:

```yaml
- name: Setup Docker Buildx
  id: setup_docker_buildx
  uses: docker/setup-buildx-action@v1
  with:
    version: v0.7.0-rc1
    endpoint: builders
    buildkitd-flags: --debug
    config: buildkitd.toml
```

Let us know if it works. I will also open a PR to update our doc here when 0.7.0 is GA. |
@crazy-max AWESOME!
With that workflow file, I was able to see that my custom CA certs have been copied to the buildkit container (running on Kubernetes). And now the Docker layers are successfully pulled from my local registry. |
Running `docker buildx build --platform linux/amd64,linux/arm64 -t PRIVATE_REPO_IP_ADDREESS:5000/namespace/base:ubuntu1804 -push .` still ends in ...

```text
 => ERROR exporting to image                                                                                    0.3s
 => => exporting layers                                                                                         0.0s
 => => exporting manifest sha256:ed40f0be1df2c717c1c877b8b49f552f9485d03252b99b85ed0b22d66cecfc39              0.0s
 => => exporting config sha256:6aa054846e55958b29ed9bc84ae09680595b02609de843cc7182f4eedb2e329c                0.0s
 => => exporting manifest sha256:ae6f0b8a15b14df2339a42a7fefcb2b88c44e047d709d8d2be3368564290e85a              0.0s
 => => exporting config sha256:5949f2c21bb198aa2e375226b6e9500b56b2bffd9d2d48a8cfe3982192c42bae                0.0s
 => => exporting manifest list sha256:1c4d91c8a357e6f63bc41b7ea89ab78d095f6427cdba006c03b0f238430aba61         0.0s
 => => pushing layers                                                                                           0.0s
------
 > exporting to image:
------
error: failed to solve: failed to do request: Head "https://PRIVATE_REPO_IP_ADDREESS:5000/v2/namespace/base/blobs/sha256:ed02c709bf16de9b15c296bc04833a13d2c05df929b1b3edd7ba0df4211bab2c": x509: certificate signed by unknown authority
```

p.s.

```text
$ docker buildx version
github.com/docker/buildx v0.7.1 05846896d149da05f3d6fd1e7770da187b52a247
``` |
@aleksas Do you include the necessary buildkit configuration while creating your builder, like @erichorwath does in #112 (comment)? If so, we would need some logs and/or a link to your repo to help you out. |
I don't use GitHub workflow or k8s, so the notation was not very clear. But yes, I've managed to push the multi-arch image to the secure repo. Created a `buildkit.toml` file:

```toml
[registry."IP_ADDRESS:5000"]
  http = false
  insecure = false
  ca=["/etc/ssl/certs/ca-certificates.crt"]
```

and passed it while creating a new buildx builder: `docker buildx create --use --config buildkit.toml`. Replace

Was still getting

```shell
# Debian/Ubuntu: add the registry CA to the host trust store and restart Docker
sudo cp domain.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart docker
```

```shell
# RHEL/CentOS/Fedora: same, using the ca-trust tooling
sudo cp domain.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust extract
sudo systemctl restart docker
``` |
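As an added example (not code from this issue thread, from buildx or from setup-buildx-action), the following POSIX shell script ties together the two configuration pieces discussed above: the `buildkitd.toml` passed through `config:` in the workflow step, and the `[registry."…"]` section with a `ca = [...]` entry that @aleksas used with `docker buildx create --config`. It renders that section for a given registry and CA file, prints the separate `/etc/docker/certs.d/<host:port>/ca.crt` location that only the Docker daemon reads (which is why plain `docker push` can work while buildx still fails with the x509 error), checks that the CA file is actually a PEM certificate, and creates a docker-container builder from the rendered config. The registry host `registry.example.internal:5000`, the CA path, the builder name `ca-demo` and the in-container config path `/etc/buildkit/buildkitd.toml` are assumptions for illustration, not values taken from the issue.

```shell
#!/bin/sh
# Added example (not from the issue thread): render a buildkitd.toml that trusts a
# private CA for one registry, sanity-check the CA file, and optionally create a
# buildx builder from it. Registry host, CA path and builder name are placeholders.

# Print a buildkitd.toml fragment telling BuildKit to trust CA_FILE for REGISTRY.
# $1 = registry host[:port], $2 = path to a PEM CA file/bundle on the host
render_buildkitd_toml() {
  registry="$1"
  ca_file="$2"
  printf '%s\n' \
    "[registry.\"$registry\"]" \
    "  http = false" \
    "  insecure = false" \
    "  ca = [\"$ca_file\"]"
}

# Where the Docker daemon itself (docker pull/push, not BuildKit) looks for a
# per-registry CA: /etc/docker/certs.d/<host:port>/ca.crt. BuildKit does not read
# this directory, so a registry that works with plain docker can still fail under
# buildx until the CA is also given to buildkitd via the config above.
docker_certsd_path() {
  printf '/etc/docker/certs.d/%s/ca.crt\n' "$1"
}

# Return 0 if the file is readable and contains at least one PEM certificate block.
check_ca_file() {
  [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Create (or recreate) a docker-container builder that loads the rendered config.
# Needs a working docker CLI with buildx; returns 2 when docker is not available.
create_builder() {
  name="$1"
  config="$2"
  command -v docker >/dev/null 2>&1 || {
    echo "docker not found; skipping builder creation" >&2
    return 2
  }
  docker buildx rm "$name" >/dev/null 2>&1 || true
  docker buildx create --name "$name" --driver docker-container --config "$config" --use
  docker buildx inspect --bootstrap "$name" >/dev/null
  # The docker-container driver names its container buildx_buildkit_<name>0.
  # Printing the config it actually loaded (assumed path /etc/buildkit/buildkitd.toml)
  # confirms the CA entry made it into the builder rather than only onto the host.
  docker exec "buildx_buildkit_${name}0" cat /etc/buildkit/buildkitd.toml
}

main() {
  registry="${1:-registry.example.internal:5000}"                      # placeholder host
  ca_file="${2:-/usr/local/share/ca-certificates/registry-ca.crt}"     # placeholder path
  check_ca_file "$ca_file" || {
    echo "no PEM certificate found at $ca_file" >&2
    return 1
  }
  render_buildkitd_toml "$registry" "$ca_file" > buildkitd.toml
  echo "Docker daemon reads the CA from: $(docker_certsd_path "$registry")"
  echo "BuildKit reads it from the ca = [...] entry in buildkitd.toml"
  create_builder ca-demo buildkitd.toml
}

# Only act when invoked with arguments so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `sh buildkit-ca.sh registry.example.internal:5000 /path/to/registry-ca.crt`. The CA file should be the PEM of the signing CA (or a bundle containing it), readable by the user running buildx, because buildx copies the file referenced in `ca = [...]` into the builder container when the builder is created; editing the file afterwards requires recreating the builder.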
@aleksas I am having the same issue as you. I am not using k8s or GitHub workflow. I am trying to push a buildx build to my private registry hosted on the same machine it's being built on. Wondering if you have any other solution to this problem, as I would really like to host buildx images on my private registry. A little about my situation: I have successfully built and pushed buildx images before to a private repo on the same machine I'm trying to use now. However, I found the DockerHub solution too much for me, as I want something more personal, like a private registry. I have been working on getting things working for the registry for a few days and finally am able to push docker images to it. However, my goal is to host buildx images versus docker images. Please let me know what else I can do! Cheers. Happy Holidays :) |
@prayritkhanna is it the same error message? Paste it here, just to be sure. I've played around with creating builders and generating certs and enabling them, eventually at some point losing track of which certificate is the right one - had to clear the certificate registry - and start over. Same with builders. As I've mentioned before, I had to restart the host server after registering the certificate ( |
@aleksas I had to edit my openssl.cnf and add my docker registry... Since then, I restarted and ran update-ca-certificates. Now everything is working. However, there are these squares with numbers in them through the /v2/ API, so that's the new thing to uncover! |
Hi, I can't manage to make it work either.
Docker is able to push/pull from the node (so I guess certs are correctly installed in
Here is what I've copied from the above successful test (thanks erichorwath):
The Dockerfile is using an image from ${{ env.REGISTRY }}/${{env.REPOSITORY}}, but buildkit seems to fail to download it.
I'm not able to see what is in the buildkit container since it is auto-removed at the end of the build. |
@lmussier we are not "execing" into the buildkit container. Not sure why it is failing in your case, but here is our workflow file:
Please note, in our case "registry.actions-runner-system.svc:5000" is a Docker registry without password in the Kubernetes cluster, not reachable from outside. |
@erichorwath I must have missed something, how did you manage to see that? Thanks for the whole flow, I'll try to match it to my use case. |
I can't use docker buildx push to my Harbor, which has certs.
|
Thanks a lot, this worked! I think |
Thank you very much, aleksas. But something is different for me:
|
Works for me, you are my hero. |
Behaviour

Steps to reproduce this issue

1. Create private Docker Registry with self signed certificates
2. Create GitHub runner with ca-certificate mounted into `/etc/docker/certs.d/docker-registry.actions-runner-system.svc:5000/ca.crt`, so that Docker can pull and push from a private registry with those certs
3. Configure GitHub workflow yaml to use this certificate

Expected behaviour

My expectation is that "setup-buildx-action" should take the ca-certs from the Runner and use them in the `moby/buildkit:buildx-stable-1` Docker container, where the build-push-action is executed. This is based on docker/buildx#787 (comment) - if I understood it correctly.

Actual behaviour

x509: certificate signed by unknown authority

Are my expectations wrong or did I use some wrong configuration?