Failed to push image, Error: x509: certificate signed by unknown authority #4149

Open
xiexg opened this issue Aug 15, 2023 · 6 comments

@xiexg

xiexg commented Aug 15, 2023

The version information is as follows:
buildkit v0.12.1

The content of my buildkitd.toml file is as follows:

debug = true
[registry."local-repository.com"]
  insecure = true
  ca=["/etc/config/ca.crt"]
  [[registry."local-repository".keypair]]
    key="/etc/config/local-repository.com.key"
    cert="/etc/config/local-repository.com.cert"

I execute the command as follows:
buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. --output type=image,name=local-repository.com/base/myapp,push=true,registry.insecure=true

The error message is as follows:
error: failed to solve: failed to push local-repository.com/base/myapp: failed to do request: Head "https://local-repository.com/v2/base/myapp/blobs/sha256:2d473b07cdd5f0912cd6f1a703352c82b512407db6b05b43f2553732b55df3bc": tls: failed to verify certificate: x509: certificate signed by unknown authority

When I configure certificate trust at the operating system level, it is ok, but using the buildkitd.toml file returns the above error.
I wonder if there is something wrong with my configuration file or the command line. My certificate is self-signed.

xiexg changed the title from "Failed to build image, Error: x509: certificate signed by unknown authority" to "Failed to push image, Error: x509: certificate signed by unknown authority" on Aug 15, 2023
@crazy-max
Member

Typo in [[registry."local-repository".keypair]] which should be [[registry."local-repository.com".keypair]] I guess?

@jedevc
Member

jedevc commented Aug 15, 2023

Also, insecure shouldn't be needed - that's for explicitly ignoring the results of the verification.

@xiexg
Author

xiexg commented Aug 16, 2023

I changed my buildkitd.toml file, but it still returns the "x509: certificate signed by unknown authority" error:

debug = true
[registry."local-repository.com"]
  ca=["/etc/config/ca.crt"]
  [[registry."local-repository.com".keypair]]
    key="/etc/config/local-repository.com.key"
    cert="/etc/config/local-repository.com.cert"

@rafaribe

I'm having the same problem.

@NiklasRosenstein

NiklasRosenstein commented Sep 5, 2023

I am also having the same issue. Happy to tip a few coffees for getting this resolved! ☕

On my GitLab CI Runner:

$ cat /etc/buildkitd.toml
debug = true

[registry."registry.docker.local"]
  ca = ["/etc/certs/registry.docker.local.pem"]

From journalctl -u buildkitd.service:

Sep 05 14:32:37 hcloudci-amd64-green01 systemd[1]: Started BuildKit.
Sep 05 14:32:37 hcloudci-amd64-green01 buildkitd[6432]: time="2023-09-05T14:32:37Z" level=info msg="running server on /run/buildkit/buildkitd.sock"
Sep 05 14:38:19 hcloudci-amd64-green01 buildkitd[6432]: time="2023-09-05T14:38:19Z" level=info msg="trying next host" error="failed to do request: Head \"https://registry.docker.local/v2/myproject/manifests/cache\": tls: failed to verify certificate: x509: certifi>

In my GitLab CI:

$ buildctl build --frontend dockerfile.v0 --local context=$PWD --local dockerfile=$PWD --import-cache type=registry,ref=registry.docker.local/myproject:cache --export-cache type=registry,ref=registry.docker.local/myproject:cache
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 126B done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/library/alpine:latest
#2 DONE 1.6s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 importing cache manifest from registry.docker.local/myproject:cache
#4 ERROR: failed to configure registry cache importer: failed to do request: Head "https://registry.docker.local/v2/myproject/manifests/cache": tls: failed to verify certificate: x509: certificate signed by unknown authority

@NiklasRosenstein

NiklasRosenstein commented Sep 5, 2023

As per this comment on docker/setup-buildx-action, I've copied the certificate into the system certificate chain and it works now.

On the GitLab CI Runner that BuildKit runs on:

cp /etc/certs/registry.docker.local.pem /usr/local/share/ca-certificates/registry.docker.local.crt
update-ca-certificates
