Docker Private Registry: x509: certificate signed by unknown authority

EDIT: Got it working!

I got it working by creating my own certificate authority first as outlined here:

And here:

I’d like to be able to give a better answer but I was following the instructions here:

https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

And it wasn’t working for me. Except for the part about signing the client key. That worked.


I am attempting to setup a private docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I’m getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply ‘ca.crt’, which the debug log again shows it seeing, but it didn’t have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl, either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don’t need --cacert with curl, although I’m confused because I’ve since removed the certificate but curl still works).

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now ‘docker.squadwars.org’.

Hi, I am observing the same problem with a self-signed certificate generated by the command below.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt

mkdir /certs/

docker run -d -p 6000:6000 --restart=always --name registry -v /root/docker/certs:/certs/ -e REGISTRY_HTTP_ADDR=0.0.0.0:6000 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

When I push an image to localhost:6000, the image gets pushed successfully, but when I start using the domain name, it keeps failing for this reason.

[root@den01swq ~]# docker push domainname.com:6000/my-hello-world
The push refers to a repository [domainname.com:6000/my-hello-world]
Get https://domainname.com:6000/v1/_ping: x509: certificate signed by unknown authority

I don’t understand the reason for the failure. I followed the steps exactly from the links below.

If you haven’t, maybe you can try adding the cert dir (and cert) with the hostname as well as the IP to the /etc/docker/certs.d/ dir.

1 Like

In case anyone else is having this problem, the solution is:

docker-machine regenerate-certs machine-name

Where machine-name is the name of the machine with bad cert.

[root@localhost Desktop]# docker run -it --rm docker/dtr install \
  --dtr-external-url 192.168.1.30:5000 \
  --ucp-node localhost.localdomain \
  --ucp-username admin \
  --ucp-url https://172.17.0.1 \
  --ucp-ca "-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----"
INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port): ucp-username (The UCP administrator username): ucp-password:
INFO[0000] Validating UCP cert
INFO[0000] Connecting to UCP
FATA[0000] failed to get new conv client: failed to create http client: Failed to get UCP CA: Get https://MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD/ca: dial tcp: lookup MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD: no such host

and without TLS verification:
docker run -it --rm docker/dtr:2.3.5 install --ucp-node localhost.localdomain --ucp-insecure-tls
INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port): https://172.17.0.1
ucp-username (The UCP administrator username): admin
ucp-password:
ucp-password:
ucp-password:
INFO[0023] Validating UCP cert
INFO[0023] Connecting to UCP
FATA[0023] failed to get new conv client: failed to create ucp client from ucp opts: Failed to connect to UCP; make sure that you are using a domain listed in UCP’s TLS certificate’s subject alternate names: Get https://172.17.0.1/_ping: x509: cannot validate certificate for 172.17.0.1 because it doesn’t contain any IP SANs

I’m having this error. Any help…

I ran into the same issue when trying to do a pull from a private registry. I tried to install the certificate on the client and it didn’t work, so I deleted it. Then I realized that if I stop the docker service that is running as a systemd service and start the docker daemon by hand with dockerd, I’m able to download the images.

Do you have any clue why this is happening?

1 Like

On Mac, you can add the host to “Insecure registries”:

  1. Docker-Desktop Icon -> Preferences -> Daemon
  2. “Insecure registries”, click +
  3. paste “your-registry.com”
  4. click “Apply & Restart”

I think it is very late to answer here. But I found the solution to the problem, at least for me. You only need to enter the “registry” URL in the Docker Desktop with the port. Everything under the heading Daemon -> Basic.

Perhaps a list of endpoints that produce errors is kept in memory, which is flushed when you restart the system.

This issue occurred to me in October 2021.

I found an easy solution. No tinkering required with certificates.
I have no idea why they are there, but just remove the docker entries from your hosts file.

Ubuntu: /etc/hosts
macOS: /etc/hosts
Windows: C:\Windows\System32\drivers\etc

Credits to:

2 Likes

How long have I been looking for a solution! Finally it happened, I even signed up to say thank you!

Could you please write here how did you solve the issue? It would be very helpful. Thank you.

1 Like

If you look at the error message carefully, you can tell it is related to the root cert.
x509: certificate signed by unknown authority.

  1. When you try to pull something from the docker site (i.e. docker pull hello-world), it reaches out to docker.io
  2. Your computer (most likely Linux) first downloads the cert from the website. If you examine the cert, you can tell it is signed by Zscaler.
  3. And there is a good chance your computer (mine is Ubuntu 20.04) is missing the root cert of Zscaler. And your computer is saying “hey, docker.io! You are claiming your cert has been signed by Zscaler. But I don’t know who Zscaler is”

This is how you fix it.

  1. Run this command to list the root certs currently installed on your machine.
    sudo update-ca-certificates --fresh (Chances are you won’t see the one for Zscaler).
  2. Download Zscaler’s root cert in DER format and convert it to PEM (but make sure the extension is .crt. Otherwise it won’t work)
  3. Copy the crt file (in my case, I named it Zscaler.crt) to /usr/local/share/ca-certificates
  4. Run this command again
    sudo update-ca-certificates --fresh
  5. It will read the crt file and add it to the available root cert store on your Linux machine.

Try docker pull hello-world again.

  1. It will go to docker site and download its cert.
  2. Since the docker site cert was signed by Zscaler, your computer will check for the matching root cert of Zscaler.
  3. Since your computer now has the file, it will validate the cert (that was signed by Zscaler) is legit and proceed without any errors.
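Both x509 messages quoted in this thread come from Go’s crypto/x509 verifier, which the Docker client is built on. The following added example (not from the thread or from Docker) reproduces them with a constructed private CA and placeholder hostnames: the unknown-authority error when the issuing CA is not trusted, success once the CA is in the trusted pool (what dropping ca.crt into /etc/docker/certs.d/<host>/ or the OS store achieves), and the “no IP SANs” error from the DTR post when a registry is reached by IP but its certificate only names a hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey, or self-signs it when parent is nil (constructed test material, not a real CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyErr validates cert for host against roots only (no system store), as dockerd's Go TLS client does; "" means success.
func VerifyErr(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return err.Error()
	}
	return ""
}

// Scenario builds a private CA and a registry certificate (placeholder names)
// and reproduces the two failures from the thread next to the working case.
func Scenario() (noCA, withCA, byIP string) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Example Private CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "registry.example.test"}, DNSNames: []string{"registry.example.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // equivalent of placing ca.crt in /etc/docker/certs.d/<host>/
	noCA = VerifyErr(srv, x509.NewCertPool(), "registry.example.test") // CA unknown to the client
	withCA = VerifyErr(srv, trusted, "registry.example.test")          // CA trusted
	byIP = VerifyErr(srv, trusted, "192.0.2.10")                       // reached by IP, cert has no IP SAN
	return
}
```

Note that the IP case fails even with the CA trusted: trust and name matching are separate checks, so the fix for that post is a certificate whose SANs include the IP, not another CA file.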