
x509: certificate signed by unknown authority #595

@kovkev

Description


Hi contributors to go-containerregistry, thanks tons for working on this repository.

I'm hitting an issue where I am trying to push a container to a private docker registry that I have spun up on a remote machine.

After a few days of fiddling with permissions, auth, certificates, insecure-registries, I was able to, I think, get very close to solving the issue.

The actual error I get is when I'm using the github.com/bazelbuild/rules_docker repository, and so I will submit this same issue in there.

Users-MacBook-Pro:tgkj kevin$ bazel run  //human/forum:image_push
INFO: Analyzed target //human/forum:image_push (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //human/forum:image_push up-to-date:
  bazel-bin/human/forum/image_push.digest
  bazel-bin/human/forum/image_push
INFO: Elapsed time: 0.115s, Critical Path: 0.00s
INFO: 0 processes.
INFO: Build completed successfully, 2 total actions
INFO: Build completed successfully, 2 total actions
2019/10/26 00:06:03 Error pushing image to app.exaple.com:5000/human/forum:dev: unable to push image to app.example.com:5000/human/forum:dev: Get https://app.example.com:5000/v2/: x509: certificate signed by unknown authority

However, I did set up my ~/.docker/certs.d/ directory:

/Users/kevin/.docker/certs.d/
└── app.example.com:5000
    ├── app.example.com.cert
    ├── app.example.com.key
    ├── ca.crt
# .... some other folders because I was trying to set this up

I added to my macOS Keychain the certificates above and also the certificates in this set of files (which I think was necessary):

    │   ├── app.example.com.cert
    │   ├── app.example.com.key
    │   ├── ca.crt
    │   ├── domain.crt
    │   ├── domain.key
    │   ├── htpasswd
    │   ├── servername.cert
    │   └── servername.key

And that made it possible to finally do:

Users-MacBook-Pro:tgkj kevin$ docker login https://app.example.com:5000
Username: testuser
Password:
Login Succeeded

Woot!

However, as you can see in the first code snippet, rules_docker, which uses go-containerregistry's Write [0], is not able to authenticate properly with the docker registry. I believe they are both using the same DOCKER_CONFIG=/Users/kevin/.docker/ and they are using the same keychain. So, my suspicion is that go-containerregistry is not reading the keychain properly in the Write function or rules_docker is not passing the certificates properly.

In any case, I don't see others having the same issue in both rules_docker and go-containerregistry, so I might be doing something wrong.

Thank you!

Kovkev

[0]

func Write(ref name.Reference, img v1.Image, options ...Option) error {
