Docker Community Forums


docker and TLS certificate

Hi all,

I have trouble connecting to the company's internal Docker.

When I try to log in or pull an image from Docker on Arch, I am getting the following message:

docker pull hostname/image:version
Error response from daemon: Get "https://hostname/v2/": tls: failed to parse certificate from server: x509: invalid certificate policies

Also curl to address:

curl -v https://hostname/
*   Trying 1.1.1.1:443...
* Connected to hostname (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

According to the internet, I have to have the CA certificate and add it to the system. So I received the mentioned certificate and added it with:

trust anchor --store myCA.crt

and did update-ca-trust

Now curl shows:


curl -v https://hostname/
*   Trying 1.1.1.1:443...
* Connected to hostname (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=PL; ST=Mazowieckie; L=Warszawa; O=Name.; OU=IT; CN=hostname
*  start date: Jun  7 08:52:24 2021 GMT
*  expire date: Jun  7 08:52:24 2023 GMT
*  subjectAltName: host "hostname" matched cert's "hostname"
*  issuer: DC=pl; DC=com; DC=name; CN=Name. Subordinate CA
*  SSL certificate verify ok.
> GET /v2/ HTTP/1.1
> Host: ekdcicd-tst01
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx/1.20.1
< Date: Mon, 11 Oct 2021 17:00:02 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive

But docker still shows:

docker pull hostname/image:version
Error response from daemon: Get "https://hostname/v2/": tls: failed to parse certificate from server: x509: invalid certificate policies

I have installed Ubuntu on a VM and there was a different error:


docker pull hostname:443/image:version
Error response from daemon: Get "https://hostname:443/v2/": x509: certificate signed by unknown authority

and when I added the certificate to the Ubuntu store

sudo cp myCa.cer /usr/local/share/ca-certificates/
sudo update-ca-certificates

Docker works fine; it doesn't return any issues.

Does anyone know what is wrong with Arch? Is there any policy to change?
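
The two Docker errors quoted above come from different stages of Go's TLS stack, which Docker uses: `x509: invalid certificate policies` is raised while `crypto/x509` parses the server certificate, and `certificate signed by unknown authority` is raised afterwards during chain verification. The Go program below is an added example, not part of the original post; the certificates, the malformed policies value and the names `makeCert` and `classify` are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a constructed self-signed certificate for "hostname". With badPolicies,
// certificatePolicies (2.5.29.32) holds an OCTET STRING where a SEQUENCE is required.
func makeCert(badPolicies bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "hostname"}, DNSNames: []string{"hostname"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if badPolicies {
		tpl.ExtraExtensions = []pkix.Extension{
			{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: []byte{0x04, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// classify separates a certificate Go cannot parse from one that parses
// but does not chain to a root in the given pool.
func classify(der []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "parse-error", err // independent of the trust store
	}
	opts := x509.VerifyOptions{DNSName: "hostname", Roots: roots}
	if _, err := cert.Verify(opts); err != nil {
		return "untrusted", err // changes once the issuing CA is in roots
	}
	return "ok", nil
}

func main() {
	fmt.Println(classify(makeCert(false), x509.NewCertPool()))
	fmt.Println(classify(makeCert(true), x509.NewCertPool()))
}
```

To check a real certificate the same way, decode its PEM file with `encoding/pem` and pass the DER bytes to `classify`.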