Docker Community Forums

Docker buildx and private registry - x509 error

Hi all,
I’m using Docker on an M1 MacBook Air. I started with RC1 and have now upgraded to RC2 (I believe), v3.3.0 (62345).

I need to build images for linux/amd64 a lot. I always start with a common base image and then derive ‘child’ images with various individual settings and installed options. So in the final image build process I refer to a previously built image (which used to be locally available on my old Intel Mac). Now, with BuildKit and a custom builder
docker buildx create --name m1builder --use
I get:

❯ docker buildx ls
NAME/NODE    DRIVER/ENDPOINT             STATUS  PLATFORMS
m1builder *  docker-container
  m1builder0 unix:///var/run/docker.sock running linux/arm64, linux/amd64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
default      docker
  default    default                     running linux/arm64, linux/amd64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6

I have been able to build the linux/amd64 base image and used --load to export it from m1builder to docker. From there I tag and push it to a private registry (registry.mydomain.com:443). It is password protected and uses a Let's Encrypt certificate, but it is only reachable on my internal network:

REGISTRY=registry.mydomain.com:443
IMAGE_APACHE=wp-apache-base
# VERSION is set earlier (not shown in this post)
docker buildx build \
  --load \
  --platform linux/amd64 \
  -t "$REGISTRY/$IMAGE_APACHE:$VERSION" \
  .
docker tag "$REGISTRY/$IMAGE_APACHE:$VERSION" "$REGISTRY/$IMAGE_APACHE:latest"
docker push "$REGISTRY/$IMAGE_APACHE:latest"

So docker push and docker pull work fine, but I’m unable to access those images from within m1builder.
At first I tried to use --push in the buildx command, but the result is the same as when I use --load and then docker push, with FROM $REGISTRY/$IMAGE_APACHE:$VERSION in the Dockerfile.
So when I try to use the image in the downstream Dockerfile FROM line, I get:

 => ERROR [internal] load metadata for registry.mydomain.com:443/wp-apache-base:latest    0.1s
------
 > [internal] load metadata for registry.mydomain.com:443/wp-apache-base:latest:
------
error: failed to solve: rpc error: code = Unknown desc = failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head https://registry.mydomain.com:443/v2/wp-apache-base/manifests/latest: x509: certificate signed by unknown authority

Is there something I need to do to make m1builder trust the Let's Encrypt certificate of the registry, or is that perhaps a bug?
Thanks for looking,
Olaf
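The x509 error above comes from BuildKit running inside the docker-container builder, which validates TLS with the trust store of that container rather than with the host's. Two things a practitioner would want to check before calling it a bug: what certificate chain the registry actually serves (a server that sends only its leaf and omits the Let's Encrypt intermediate fails with exactly "certificate signed by unknown authority" in any client that holds roots only), and whether the builder has been told about a CA for that registry at all. The script below is an added example and is not code from Olaf's post or from any reply in the thread. It assumes the builder and registry names from the post, a hypothetical CA file at /etc/docker/certs.d/registry.mydomain.com:443/ca.crt (the per-registry CA directory the Docker daemon on the host already uses), and the documented `docker buildx create --config` option, which takes a buildkitd.toml whose `[registry."host"] ca = [...]` files current buildx versions copy into the builder container when it is created. The CA file should come from a trusted source such as the host's own trust store, not from whatever the server happens to send; `show_chain` is for inspection only.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed names: builder and registry from the post; CA path is hypothetical.
set -eu

REGISTRY="registry.mydomain.com:443"
BUILDER="m1builder"
# Hypothetical path: where the Docker daemon already looks for a per-registry
# CA. Any PEM file holding the root you actually trust (obtained out of band,
# not scraped from the server) works here.
CA_FILE="/etc/docker/certs.d/${REGISTRY}/ca.crt"
TOML="${TMPDIR:-/tmp}/buildkitd-${BUILDER}.toml"

# Print the chain the registry sends (subject/issuer per certificate).
# If only "0 s:" (the leaf) appears, the server omits its intermediate and
# clients holding roots only will reject it regardless of builder config.
show_chain() {
  hostport="$1"
  openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
    -showcerts </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---/p'
}

# Render a buildkitd.toml that pins a CA for exactly one registry; the builder
# keeps its default trust for everything else. Do not use `insecure = true`
# here: that disables certificate verification for the registry entirely.
gen_buildkitd_toml() {
  registry="$1"
  ca_file="$2"
  printf '[registry."%s"]\n  ca = ["%s"]\n' "$registry" "$ca_file"
}

# Recreate the docker-container builder with that config. buildx copies the
# files listed under ca = [...] into the builder container at create time, so
# the path only has to exist on the machine running `docker buildx create`.
# Removing the old builder also drops its build cache.
recreate_builder() {
  builder="$1"
  toml="$2"
  docker buildx rm "$builder" 2>/dev/null || true
  docker buildx create --name "$builder" --driver docker-container \
    --config "$toml" --use
  docker buildx inspect --bootstrap "$builder"
}

main() {
  [ -r "$CA_FILE" ] || { echo "no readable CA file at $CA_FILE" >&2; exit 1; }
  show_chain "$REGISTRY"
  gen_buildkitd_toml "$REGISTRY" "$CA_FILE" > "$TOML"
  recreate_builder "$BUILDER" "$TOML"
}

# Only acts when run as `sh fix-builder-ca.sh apply`; otherwise it just
# defines the functions so they can be inspected or sourced.
if [ "${1:-}" = "apply" ]; then main; fi
```

After the builder is recreated, the same `docker buildx build --platform linux/amd64 ...` from the post should resolve the FROM image through the registry; if `show_chain` printed only the leaf certificate, fix the registry's served chain first, since no client-side CA pin helps with a missing intermediate.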