New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

access private registry: x509: certificate signed by unknown authority #8849

Closed
hustcat opened this Issue Oct 30, 2014 · 33 comments

Comments

Projects
None yet
@hustcat

hustcat commented Oct 30, 2014

I setup docker-registry with nginx by following here.

I run 'docker login', get this error:

# docker login -u docker -p docker -e xx@xxx.com https://dev.registry.com
2014/10/30 11:12:08 Error response from daemon: Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority

docker daemon's output:

[debug] server.go:1181 Calling POST /auth
[info] POST /v1.15/auth
[47687bb1] +job auth()
[debug] endpoint.go:109 Error unmarshalling the _ping RegistryInfo: json: cannot unmarshal bool into Go value of type registry.RegistryInfo
[debug] endpoint.go:113 Registry version header: '0.7.1'
[debug] endpoint.go:116 RegistryInfo.Version: "0.7.1"
[debug] endpoint.go:119 Registry standalone header: 'True'
[debug] endpoint.go:127 RegistryInfo.Standalone: true
[debug] endpoint.go:109 Error unmarshalling the _ping RegistryInfo: json: cannot unmarshal bool into Go value of type registry.RegistryInfo
[debug] endpoint.go:113 Registry version header: '0.7.1'
[debug] endpoint.go:116 RegistryInfo.Version: "0.7.1"
[debug] endpoint.go:119 Registry standalone header: 'True'
[debug] endpoint.go:127 RegistryInfo.Standalone: true
Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
[47687bb1] -job auth() = ERR (1)
[error] server.go:1207 Handler for POST /auth returned error: Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority
[error] server.go:110 HTTP Error: statusCode=500 Server Error: Post https://dev.registry.com/v1/users/: x509: certificate signed by unknown authority

I checked the code. I think function Login may be need 'tlsConfig'
https://github.com/docker/docker/blob/master/registry/auth.go#L163

just like
https://github.com/docker/docker/blob/master/registry/registry.go#L49

# docker --version
Docker version 1.3.0, build c78088f
# curl --cacert ca.pem https://dev.registry.com/v1/_ping                 
true
# curl --cacert ca.pem -u docker:docker https://dev.registry.com/v1/users/
"OK"

# curl -u docker:docker https://dev.registry.com/v1/users/                
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
@tiborvass

This comment has been minimized.

Collaborator

tiborvass commented Nov 4, 2014

@hustcat As of Docker 1.3.1, you can do --insecure-registry dev.registry.com:5000 you can replace 5000 with whichever port your registry is listening on.

I'm closing this now, but let us know in the comments if this did not solve your issue.

@tiborvass tiborvass closed this Nov 4, 2014

@behemphi

This comment has been minimized.

behemphi commented Nov 4, 2014

I am leaving this here b/c it took me a few minutes to figure it out, and might save someone the time. The command would be:

%> docker --insecure-registry=docker-registry.example.com:8080 login https://docker-registry.example.com:8080

Thanks for getting the switch put in place for 1.3!

@rhasselbaum

This comment has been minimized.

rhasselbaum commented Jan 19, 2015

I am facing the same problem. The certificate validation works for the ping (and pushing/pulling), but not login.

The --insecure-registry flag is a workaround, not a fix. The certificate validation should work if the CA certificate is loaded into /etc/docker/certs.d/<registry>, but it doesn't.

@cdub50

This comment has been minimized.

cdub50 commented Jan 19, 2015

I cant event get it to work by setting --insecure-registry I am on docker 1.3.2 on RedHat 7

[root@ip-10-2-20-209 ec2-user]# docker --insecure-registry=qa.docker.repo login https://qa.docker.repo
Username: qa
Password:
Email: qa@user.com
2015/01/19 14:26:40 Error response from daemon: Server Error: Post https://qa.docker.repo/v1/users/: x509: certificate signed by unknown authority

curl works fine when I use the generated ca.pem file.

curl --cacert /home/ec2-user/ca.pem -u qa:xxxxx https://qa.docker.repo/v1/users/
"OK"

@mariopirker

This comment has been minimized.

mariopirker commented Jan 19, 2015

I'm having the same issue on docker version 1.3.2 and opensuse 13.1. I even tried to statically pass --cafile cacert.pem to every curl call (since I assumed docker internally just uses curl), however, this also did not help.

Any help would be much appreciated.

Thanks.
Mario

@ghost

This comment has been minimized.

ghost commented Jan 19, 2015

Before I found this issue, I opened #10150. They appear to be the same issue.

@jeffutter

This comment has been minimized.

jeffutter commented Jan 20, 2015

I seem to be having the same issue. Archlinux client 1.4.1 and the registry running from the official docker container. Anyone have any thoughts?

@grimmy

This comment has been minimized.

grimmy commented Jan 20, 2015

If you've installed the cert globally (via ca-certificates) make sure you restart docker as it won't reload the global ssl certs. That said, mine still isn't working, but I ran into that at work :)

@mariopirker

This comment has been minimized.

mariopirker commented Jan 20, 2015

Thank you grimmy, that did the trick on my end and it finally works. I did:

  1. Get cacert.pem from http://curl.haxx.se/docs/caextract.html
  2. Copy the cacert.pem file to /etc/pki/trust/anchors/
  3. sudo update-ca-certificates
  4. sudo systemctl docker stop
  5. sudo systemctl docker start

mario

@rhasselbaum

This comment has been minimized.

rhasselbaum commented Jan 20, 2015

Thank you, that also worked for me. Equivalent steps on Ubuntu/Debian:

  1. Copy CA cert to /usr/local/share/ca-certificates.
  2. sudo update-ca-certificates
  3. sudo service docker restart

There is still a bug here, though. The docs say to install the CA cert in /etc/docker/certs.d/<registry>, and clearly that isn't sufficient. In fact, after installing the certificate globally, I removed the one in /etc/docker/certs.d, restarted Docker, and it still worked.

@GaretJax

This comment has been minimized.

Contributor

GaretJax commented Jul 8, 2015

+1 for reopening this, as @rhasselbaum mentioned

@cjw296

This comment has been minimized.

cjw296 commented Sep 16, 2015

Has --insecure-registry gone away?

$ docker --version
Docker version 1.8.2, build 0a8c2e3

$ docker --insecure-registry
flag provided but not defined: --insecure-registry
See 'docker --help'.

What should we use now?

@cdub50

This comment has been minimized.

cdub50 commented Sep 16, 2015

that goes in the docker config file you can check if its set by looking at
the docker process you should see the --insecure-registry flag

On Wed, Sep 16, 2015 at 3:01 AM, Chris Withers notifications@github.com
wrote:

Has --insecure-registry gone away?

$ docker --version
Docker version 1.8.2, build 0a8c2e3

$ docker --insecure-registry
flag provided but not defined: --insecure-registry
See 'docker --help'.

What should we use now?


Reply to this email directly or view it on GitHub
#8849 (comment).

@hchaithanya

This comment has been minimized.

hchaithanya commented Oct 8, 2015

I got the same error for docker pull command and I think the following should work.
Copy the SSL certificate which is the '.crt' file to the directory

sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
Let Ubuntu add the '.crt' file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf

sudo dpkg-reconfigure ca-certificates

@carloshpds

This comment has been minimized.

carloshpds commented Nov 30, 2015

if your machine state is not important, so you can run docker-machine rm <machine-name> and create another one ;)

@rezonant

This comment has been minimized.

rezonant commented Feb 16, 2016

If you use LetsEncrypt and you don't want to run anything without proper TLS, make sure to provide the full chain of the certificate including intermediates (ie REGISTRY_HTTP_TLS_CERTIFICATE=.../fullchain.pem) you may see green in Chrome while still getting this error from Docker.

Cheers!

@JazzDeben

This comment has been minimized.

JazzDeben commented Sep 16, 2016

On Ubuntu. If you experience error:

  • x509: cannot validate certificate for [IP address or domain name] because it doesn't contain any IP SANs

On the Docker registry the certificate had to be compiled with the subjectAltName as described here:
https://docs.docker.com/engine/security/https/

Here is the code for convenience:
$ echo subjectAltName = IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem
-CAcreateserial -out server-cert.pem -extfile extfile.cnf

Note, I was able to check the subject alternative name is present in the certificate using the following command:
openssl x509 -in certificate.crt -text -noout

However, on Ubuntu 14 client (i.e. Docker Engine)
This error was followed suit by
x509: certificate signed by unknown authority

For people using Ubuntu 14.
The config file that is used for the Docker engine (that I want to use to connect to the Docker Registry):
/etc/default/docker

in there, you need to specify the docker options:
DOCKER_OPTS="--insecure-registry myinsecure.com:5000"

Then restart the daemon (add sudo if you user is not allowed to start a docker service):
$ [sudo] service docker restart

The value does not need to be a domain name, it simply has to match what you certificate is registered with; I have an IP address with a port and this works... (i.e. e.g. 100.100.100.100:100)

All this took me a day, so, I am posting this hoping that it will be useful to other people...

@sallespro

This comment has been minimized.

sallespro commented Oct 4, 2016

@JazzDeben Thanks for your remarks ! very useful ! i am not sure how to do it with a Let's Encript certbot generated certificate.
i get this error in the registry server

tls: client didn't provide a certificate

Chrome complains about ERR_BAD_SSL_CLIENT_AUTH_CERT
if i include

  tls:
...
    clientcas:
      - /path/to/ca.pem
@david-drinn

This comment has been minimized.

david-drinn commented Oct 6, 2016

@cjw296 For RHEL7.2, I edited the file, /usr/lib/systemd/docker.service, and in the ExecStart line added the --insecure-registry=your.docker.registry.com.

< ExecStart=/usr/bin/dockerd
---
> ExecStart=/usr/bin/dockerd --insecure-registry=your.docker.registry.com

Then I ran sudo systemctl daemon-reload to pick up the configuration change, followed by sudo systemctl restart docker. And now it works.

To be honest, I'm still a systemd noob and there are probably better ways to do this more cleanly. But I struggled with this for too long, and wanted to post a workaround. Thanks to @cdub50 for leading me in the right direction.

@dovecode

This comment has been minimized.

dovecode commented May 5, 2017

@david-drinn For Fedora 25, I did something similar, but since the docker daemon config (in /usr/lib/systemd/system/docker.service) sources setup from configuration files, I made the change in /etc/sysconfig/docker:

< # INSECURE_REGISTRY='--insecure-registry='
---
> INSECURE_REGISTRY='--insecure-registry=your.docker.registry.com'
@FCA69

This comment has been minimized.

FCA69 commented May 19, 2017

If curl is working and docker not, you can:
o create the "/etc/docker/certs.d//..." directory & files (valid for private registries only ?)
o add a "tlscert" entry in your "/etc/docker/daemon.json" file, so that dockerd uses the same certificates as curl does.

@antoniomercado

This comment has been minimized.

antoniomercado commented Jun 6, 2017

To those that run into this issue and you have self signed certificates and you do not want to use the "insecure-registry" directive then you need to load your self signed certificates into /etc/docker/certs.d/{host}/. After loading them in remember to RESTART docker daemon. To elaborate some more.....

If your registry is hosted at https://exampleregistry.com you should have a directory called /etc/docker/certs.d/exampleregistry.com with your self-signed certs inside. Now you will be able to do docker login exampleregistry.com with no x509 error.
Now here is a caveat to all this, lets say you want to for some reason explicitly define the port in your login command like this docker login exampleregistry.com:443(which would make no sense, but this is just an example) then you need to ensure that your self signed certificates are inside a folder called /etc/docker/certs.d/exampleregistry.com:443/. Docker makes no assumptions about certs resolving based on hostname only when using a port. You have to actually provide certs on a per port basis by loading your self signed certs into a folder name that includes the port you are trying to access.

Hopefully this saves many of you guys a lot of debugging who are using ports to connect to your docker registry.

@abdasgupta

This comment has been minimized.

abdasgupta commented Jul 18, 2017

This is not resolved in my case:
I want to use a self-signed certificate for nexus OSS repository. But I am getting this error: Error response from daemon: Get https://<mydomain.com>:10250/v1/users/: x509: certificate signed by unknown authority

I have placed the .crt file in /etc/docker/certs.d as well as /usr/share/ca-certificates on my ubuntu 16.04 om intel machine. I ran then update-ca-certificates and restarted docker. this is my cert file nexus.cert:
$ openssl x509 -in nexus.crt -text

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Validity
            Not Before: Jul 17 20:28:26 2017 GMT
            Not After : Jul 17 20:28:26 2018 GMT
        Subject: C=IN, ST=State, L=City, O=XYZ, OU=x, CN=<mydomain.com>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b8:2c:97:c2:e4:bf:7a:e1:49:22:9b:a2:90:7a:
                    3a:de:3d:d3:f5:e9:c9:8b:9b:c8:13:37:4b:36:32:
                    4f:a7:0d:b9:53:4c:f4:10:fa:e7:d2:64:a5:e9:0a:
                    32:49:c3:aa:f8:2c:27:82:94:85:c3:11:07:a7:d0:
                    6c:0a:4a:45:66:94:cb:d3:27:28:cd:58:43:5b:f9:
                    e1:66:97:52:81:be:03:53:d5:e1:84:0c:4f:89:fd:
                    78:6d:8f:88:cf:29:af:6d:14:2e:2e:dc:d4:f3:87:
                    1c:73:5e:35:cb:d2:95:58:20:55:c0:f5:89:e1:40:
                    64:16:cd:25:a8:bd:6b:6a:9c:21:b0:97:d2:67:63:
                    5c:3c:4a:2c:21:1a:72:3a:68:c6:a0:e2:ea:4d:f8:
                    db:bd:02:81:93:db:60:51:ad:6e:bf:d7:7d:45:43:
                    95:e1:a5:d7:de:36:76:7c:a4:d7:4a:7f:b2:b1:98:
                    75:7d:27:2c:1d:ad:03:1b:5f:8a:ac:12:5e:76:9c:
                    2a:f7:03:b0:51:6c:23:a4:df:08:1f:02:0c:42:b6:
                    ff:7f:33:16:b0:86:fc:92:e7:db:7a:3b:a2:70:30:
                    f4:79:fa:f1:0f:75:0f:32:69:79:97:73:f4:de:11:
                    3e:bf:f8:63:49:21:dc:02:c6:ef:de:91:74:03:6d:
                    21:56:2e:c6:04:d1:02:30:73:6e:52:c7:93:07:6c:
                    f9:98:ff:1c:cc:dd:da:c7:45:2e:7b:ab:04:33:fe:
                    39:6c:5d:d5:dd:46:ae:25:d6:fd:9d:01:ae:8a:e8:
                    14:18:cc:6e:64:e4:11:8a:ce:3d:30:56:6d:0c:a7:
                    83:90:6c:f5:14:36:16:39:cc:10:7a:db:35:f6:9c:
                    68:da:84:f6:9c:07:d0:3e:b7:52:54:03:75:9a:ae:
                    eb:79:b5:5f:cb:10:cf:25:08:ae:f7:b3:13:79:f4:
                    4a:98:72:08:e3:23:e2:22:a1:31:47:41:ec:a4:76:
                    42:db:1c:46:31:3c:a2:14:14:94:bf:4f:1e:1f:85:
                    a0:9c:4c:3d:af:92:7a:90:d1:ad:23:f0:ea:3e:7d:
                    b4:21:79:f9:82:3a:16:04:42:60:b8:5d:15:1c:48:
                    9b:1e:b5:9b:0d:1f:aa:56:aa:a2:1a:a5:6f:ef:ab:
                    2a:22:6d:05:19:c0:2b:dc:46:c4:c2:4a:f8:89:25:
                    fc:dc:e6:ab:7b:8a:76:de:47:a3:e2:00:0e:d7:e8:
                    bd:86:86:d3:8d:6b:56:63:bf:40:1e:31:d7:74:fe:
                    63:fc:7e:e2:9f:21:31:1d:39:2a:44:a5:56:fd:dd:
                    66:5e:c2:4f:94:c7:ee:26:89:1a:d1:6b:13:00:f6:
                    4f:72:9b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         25:26:77:55:50:0a:66:39:5f:79:c7:5e:af:5f:54:e2:92:6f:
         62:e5:90:3a:0f:de:9b:7a:02:df:66:47:c5:71:61:91:c4:74:
         ba:0e:55:34:47:0b:72:c5:f5:27:5d:d0:d6:06:a9:f7:5c:d5:
         41:30:4c:0f:0b:3a:3c:64:13:a0:28:9b:10:92:0e:c8:eb:e8:
         0f:00:ba:54:9d:d4:7a:8c:cd:f7:91:a9:55:69:0f:9b:12:77:
         e9:f2:28:c8:cb:07:d4:ab:a4:eb:b2:3d:ae:b4:6d:7a:15:85:
         cb:07:f6:e3:6b:58:1c:26:0a:ad:d5:e6:7c:b7:e7:19:6c:d1:
         31:80:5e:cb:17:85:88:a2:6c:fc:fe:3c:28:1f:f9:87:a6:0f:
         f6:85:d2:c0:76:25:fb:52:2f:8a:99:0c:88:4e:bd:84:6b:da:
         81:b4:41:f1:bf:1c:e7:7d:93:a5:e2:d7:66:8a:63:bf:9c:c4:
         ad:ea:cb:c4:c6:7d:1f:95:35:87:60:8b:e8:23:e8:4e:36:43:
         5e:86:de:c4:35:e0:29:7a:93:90:a4:9b:c3:d1:8e:13:55:9f:
         ea:ab:52:0a:a8:a0:54:cf:f4:5e:ff:12:40:09:43:3c:e7:55:
         e7:c1:de:62:ce:21:39:f5:d3:51:7a:92:f2:b2:3c:75:8c:1f:
         bd:aa:13:63
-----BEGIN CERTIFICATE-----
MIIEPDCCAyQCAQEwDQYJKoZIhvcNAQELBQAwZDELMAkGA1UEBhMCSU4xEjAQBgNV
BAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQwwCgYDVQQKEwNJQk0x
DDAKBgNVBAsTA2x0YzERMA8GA1UEAxMIbHRjeC5jb20wHhcNMTcwNzE3MjAyODI2
WhcNMTgwNzE3MjAyODI2WjBkMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0
YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDDAKBgNVBAoMA0lCTTEMMAoGA1UECwwD
bHRjMREwDwYDVQQDDAhsdGN4LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBALgsl8Lkv3rhSSKbopB6Ot490/XpyYubyBM3SzYyT6cNuVNM9BD659Jk
pekKMknDqvgsJ4KUhcMRB6fQbApKRWaUy9MnKM1YQ1v54WaXUoG+A1PV4YQMT4n9
eG2PiM8pr20ULi7c1POHHHNeNcvSlVggVcD1ieFAZBbNJai9a2qcIbCX0mdjXDxK
LCEacjpoxqDi6k34270CgZPbYFGtbr/XfUVDleGl1942dnyk10p/srGYdX0nLB2t
AxtfiqwSXnacKvcDsFFsI6TfCB8CDEK2/38zFrCG/JLn23o7onAw9Hn68Q91DzJp
eZdz9N4RPr/4Y0kh3ALG796RdANtIVYuxgTRAjBzblLHkwds+Zj/HMzd2sdFLnur
BDP+OWxd1d1GriXW/Z0BroroFBjMbmTkEYrOPTBWbQyng5Bs9RQ2FjnMEHrbNfac
aNqE9pwH0D63UlQDdZqu63m1X8sQzyUIrvezE3n0SphyCOMj4iKhMUdB7KR2Qtsc
RjE8ohQUlL9PHh+FoJxMPa+SepDRrSPw6j59tCF5+YI6FgRCYLhdFRxImx61mw0f
qlaqohqlb++rKiJtBRnAK9xGxMJK+Ikl/Nzmq3uKdt5Ho+IADtfovYaG041rVmO/
QB4x13T+Y/x+4p8hMR05KkSlVv3dZl7CT5TH7iaJGtFrEwD2T3KbAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBACUmd1VQCmY5X3nHXq9fVOKSb2LlkDoP3pt6At9mR8Vx
YZHEdLoOVTRHC3LF9Sdd0NYGqfdc1UEwTA8LOjxkE6AomxCSDsjr6A8AulSd1HqM
zfeRqVVpD5sSd+nyKMjLB9SrpOuyPa60bXoVhcsH9uNrWBwmCq3V5ny35xls0TGA
XssXhYiibPz+PCgf+YemD/aF0sB2JftSL4qZDIhOvYRr2oG0QfG/HOd9k6Xi12aK
Y7+cxK3qy8TGfR+VNYdgi+gj6E42Q16G3sQ14Cl6k5Ckm8PRjhNVn+qrUgqooFTP
9F7/EkAJQzznVefB3mLOITn101F6kvKyPHWMH72qE2M=
-----END CERTIFICATE-----
@FCA69

This comment has been minimized.

FCA69 commented Jul 18, 2017

@abdasgupta : can you "curl" your repo ?
If so, check which certificates' file curl is using, and edit your daemon.json file in order to use that same file.
In my case, it was :
[root@localhost ]# cat /etc/docker/daemon.json
{ "insecure-registries":["registry-1.docker.io/v2:5000"],
"debug":true,
"tlscert": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" <<<<======
}

@abdasgupta

This comment has been minimized.

abdasgupta commented Jul 18, 2017

I didn't wanted to use that insecure-registries.. is it not possible to run without it?? moreover, certificate is same as repo's.. cz I copied from there.

@FCA69

This comment has been minimized.

FCA69 commented Jul 20, 2017

@ChipmunkV

This comment has been minimized.

ChipmunkV commented Jul 20, 2017

@abdasgupta, I've noticed that 17.03.1~ce-0~ubuntu-xenialversion doesn't work, but the 17.06.0~ce-0~ubuntu version works.

I place a crt into /usr/local/share/ca-certificates/my-org/my-domain.crt, then do sudo update-ca-certificates and sudo systemctl restart docker.

@thaJeztah

This comment has been minimized.

Member

thaJeztah commented Jul 20, 2017

Can you try following the instructions in https://docs.docker.com/v17.03/engine/security/certificates/ ? Docker 1.13 and up should also read certificates from the system defaults, otherwise;

A custom certificate is configured by creating a directory under /etc/docker/certs.d using the same name as the registry’s hostname (e.g., localhost). All *.crt files are added to this directory as CA roots.

After configuring the certificates, it may be needed to restart the daemon

@charandas

This comment has been minimized.

charandas commented Oct 11, 2017

For anyone who struggles with /etc/docker/certs.d solution, make sure your directory name under there includes the registry port. So /etc/docker/certs.d/myregistry.net:8443.

Worked fine for me on Photon OS.

@heron182

This comment has been minimized.

heron182 commented Dec 9, 2017

I was struggling with this error until I figured I was naming the file /etc/docker/certs.d/myregistry/ca.pem instead of /etc/docker/certs.d/myregistry/ca.crt

@jakebrinkmann

This comment has been minimized.

jakebrinkmann commented Jan 4, 2018

I was having the same problem on Windows, until I looked at the docs, which suggests using my certificate authority in Windows Explorer (ca.pem renamed as ca.crt) and Right-Click > Install Certificate and select Trusted Root Certificate Authorities for the current user. Restarted docker and it worked.

@visualex

This comment has been minimized.

visualex commented Feb 27, 2018

in coreos, I had to edit
/etc/docker/daemon.json
{ "insecure-registries": ["registry:8443"] }
then sudo systemctl restart docker

@leonardossz

This comment has been minimized.

leonardossz commented Jul 12, 2018

Hint: If you reach your private repo through a proxy you can experience same error message, disable proxy or configure an exception (NO_PROXY perhaps) for the private registry host.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment