Docker Private Registry: x509: certificate signed by unknown authority

EDIT: Got it working!

I got it working by creating my own certificate authority first as outlined here:

And here:

I’d like to be able to give a better answer but I was following the instructions here:

And it wasn’t working for me, except for the part about signing the client key. That worked.

I am attempting to set up a private Docker registry, secured by an nginx reverse proxy that validates users by client certificates.

The error I’m getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?
DEBU[0015] hostDir: /etc/docker/certs.d/
DEBU[0015] cert: /etc/docker/certs.d/
DEBU[0015] key: /etc/docker/certs.d/
DEBU[0015] crt: /etc/docker/certs.d/
DEBU[0015] hostDir: /etc/docker/certs.d/
DEBU[0015] cert: /etc/docker/certs.d/
DEBU[0015] key: /etc/docker/certs.d/
DEBU[0015] crt: /etc/docker/certs.d/
DEBU[0015] Trying to pull from v2
WARN[0015] Error getting v2 registry: Get x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get x509: certificate signed by unknown authority

I also tried renaming the cert file from to simply ‘ca.crt’, which the debug log again shows it seeing, but it didn’t have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert

I can also add the --cacert option to curl, either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don’t need --cacert with curl, although I’m confused because I’ve since removed the certificate but curl still works).

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now ‘

Hi, I am observing the same problem with a self-signed certificate generated by the command below.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt

mkdir /certs/

docker run -d -p 6000:6000 --restart=always --name registry -v /root/docker/certs:/certs/ -e REGISTRY_HTTP_ADDR= -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

When I push image to localhost:6000, image gets pushed successfully, but when I start using the domain name, it keeps failing with this reason.

[root@den01swq ~]# docker push
The push refers to a repository []
Get x509: certificate signed by unknown authority

I don’t understand the reason for the failure. I followed the steps exactly from the links below.

If you haven’t, maybe you can try adding the cert dir (and cert) with the hostname as well as the IP to the /etc/docker/certs.d/ dir.

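The following is an added example, not code posted by anyone in this thread. It walks through what the original post and the self-signed-registry post above are both trying to do: create a private CA, issue a server certificate for the registry (with a subjectAltName, which is what dockerd matches the hostname against, not the CN) and a client certificate, then lay the files out under certs.d/<host>:<port>/ with the file names dockerd expects (CA as *.crt, client pair as *.cert and *.key), and run the same chain check dockerd runs. The registry name registry.example.test, port 5000 and the scratch directory are assumptions; on a real host point CERTS_ROOT at /etc/docker/certs.d. For a purely self-signed registry certificate like the one in the post above, the certificate itself is the CA and goes into that directory as ca.crt, but it still needs a SAN for the domain name.

```shell
#!/bin/sh
# Added example, not code posted in this thread. It builds a private CA, issues
# a registry server cert (with SANs) and a client cert from it, lays the files
# out the way dockerd expects under certs.d/<host>:<port>/, and runs the same
# chain check dockerd performs. Hypothetical names: registry.example.test on
# port 5000; CERTS_ROOT defaults to a scratch directory instead of the real
# /etc/docker/certs.d so the script runs unprivileged.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-registry.example.test}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
WORK="${WORK:-$(mktemp -d)}"
CERTS_ROOT="${CERTS_ROOT:-$WORK/certs.d}"   # use /etc/docker/certs.d on a real host

# make_ca: self-signed root with explicit CA constraints; it signs both the
# server and the client cert.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Private Registry CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME CN EKU SAN: CSR signed by the CA with explicit extensions.
# The SAN is what matters: Go's TLS stack, and therefore dockerd, matches the
# registry hostname against subjectAltName, not the CN.
issue_cert() {
  name=$1; cn=$2; eku=$3; san=$4
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    echo "subjectAltName=$san"
  } > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# install_for_docker: dockerd reads certs.d/<host>:<port>/ for the registry it
# talks to. CA files must end in .crt; a client cert/key pair must be named
# <x>.cert and <x>.key. Prints the directory it populated.
install_for_docker() {
  dir="$CERTS_ROOT/$REGISTRY_HOST:$REGISTRY_PORT"
  mkdir -p "$dir"
  cp "$WORK/ca.crt"     "$dir/ca.crt"
  cp "$WORK/client.crt" "$dir/client.cert"
  cp "$WORK/client.key" "$dir/client.key"
  chmod 600 "$dir/client.key"
  echo "$dir"
}

# verify_chain CA CERT: exit 0 if CERT chains to CA. A non-zero result here is
# exactly what dockerd reports as "x509: certificate signed by unknown authority".
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT HOST: confirm the server cert names the host you pull from.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# build_all: end to end; echoes the populated certs.d directory.
build_all() {
  make_ca
  issue_cert server "$REGISTRY_HOST" serverAuth "DNS:$REGISTRY_HOST,IP:127.0.0.1"
  issue_cert client "docker-client" clientAuth "DNS:docker-client"
  install_for_docker
}

if [ "${1:-}" = "run" ]; then
  dir=$(build_all)
  verify_chain "$WORK/ca.crt" "$WORK/server.crt" && echo "chain OK: $dir"
fi
```

Run it as `sh make-registry-certs.sh run`, copy the printed directory under /etc/docker/certs.d/ on the machine running dockerd (on Docker Desktop that is the VM, not the Mac or Windows host), and give the server cert and key to nginx or the registry. Before blaming the client side, check what the server actually presents: `openssl s_client -connect registry.example.test:5000 -CAfile ca.crt -cert client.cert -key client.key </dev/null` must end in `Verify return code: 0 (ok)`; if nginx sits in front with an intermediate, it has to serve the full chain. Adding the host to "insecure-registries", as suggested further down the thread, makes the error go away by disabling verification rather than fixing it.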

In case anyone else is having this problem, the solution is:

docker-machine regenerate-certs machine-name

Where machine-name is the name of the machine with bad cert.

[root@localhost Desktop]# docker run -it --rm docker/dtr install \ --dtr-external-url \ --ucp-node localhost.localdomain \ --ucp-username admin \ --ucp-url \ --ucp-ca "-----BEGIN CERTIFICATE-----
"INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port): ucp-username (The UCP administrator username): ucp-password:
INFO[0000] Validating UCP cert
INFO[0000] Connecting to UCP
FATA[0000] failed to get new conv client: failed to create http client: Failed to get UCP CA: Get https://MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD/ca: dial tcp: lookup MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD: no such host

and without TLS verification:
docker run -it --rm docker/dtr:2.3.5 install --ucp-node localhost.localdomain --ucp-insecure-tls
INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port):
ucp-username (The UCP administrator username): admin
INFO[0023] Validating UCP cert
INFO[0023] Connecting to UCP
FATA[0023] failed to get new conv client: failed to create ucp client from ucp opts: Failed to connect to UCP; make sure that you are using a domain listed in UCP’s TLS certificate’s subject alternate names: Get x509: cannot validate certificate for because it doesn’t contain any IP SANs

I’m having this error. Any help…

I ran into the same issue when trying to do a pull from a private registry. I tried to install the certificate on the client and it didn’t work, so I deleted it. Then I realized that if I stop the Docker service that is running as a systemd service, and start the Docker daemon by hand with dockerd, I’m able to download the images.

Do you have any clue on why is this happening ?


On Mac, you can add the host to “Insecure registries”:

  1. Docker-Desktop Icon -> Preferences -> Daemon
  2. “Insecure registries”, click +
  3. insert the host ”
  4. click “Apply & Restart”

I think it is very late to answer here. But I found the solution to the problem, at least for me. You only need to enter the “registry” URL in the Docker Desktop with the port. Everything under the heading Daemon -> Basic.

Perhaps a list of endpoints that produce errors is kept in memory, which is flushed when you restart the system.

This issue occurred to me in October 2021.

I found an easy solution. No tinkering with certificates required.
I have no idea why they are there, but just remove the Docker entries from your hosts file.

Ubuntu: /etc/hosts
macOS: /etc/hosts
Windows: C:\Windows\System32\drivers\etc

Credits to:


How long have I been looking for a solution! Finally it happened, I even signed up to say thank you!

Could you please write here how did you solve the issue? It would be very helpful. Thank you.


If you look at the error message carefully, you can tell it is related to the root cert.
x509: certificate signed by unknown authority.

  1. When you try to pull something from the Docker site (i.e. docker pull hello-world), it reaches out to
  2. Your computer (most likely Linux) first downloads the cert from the website. If you examine the cert, you can tell it is signed by Zscaler.
  3. And there is a good chance your computer (mine is Ubuntu 20.04) is missing the root cert of Zscaler. Your computer is saying “Hey! You are claiming your cert has been signed by Zscaler, but I don’t know who Zscaler is.”

This is how you fix it.

  1. Run this command to list the root certs currently installed on your machine:
    sudo update-ca-certificates --fresh (chances are you won’t see the one for Zscaler).
  2. Download Zscaler’s root cert in DER format and convert it to PEM (but make sure the extension is .crt; otherwise it won’t work).
  3. Copy the .crt file (in my case, I named it Zscaler.crt) to /usr/local/share/ca-certificates.
  4. Run this command again:
    sudo update-ca-certificates --fresh
  5. It will read the .crt file and add it to the available root cert store on your Linux machine.

Try docker pull hello-world again.

  1. It will go to the Docker site and download its cert.
  2. Since the Docker site cert was signed by Zscaler, your computer will check for the matching root cert of Zscaler.
  3. Since your computer now has the file, it will validate that the cert (that was signed by Zscaler) is legit and proceed without any errors.
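As an added example (not code from the post above), here is the check a practitioner would want after step 4: `update-ca-certificates` prints a count but does not tell you whether your particular root made it into the bundle. The script below converts a DER root to the PEM .crt the store requires, proves the root is in the bundle by SHA-256 fingerprint rather than by name, and runs the same chain validation a TLS client would do against that bundle. The Debian/Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt is assumed, and the roots built for the demonstration are constructed throwaways, not real Zscaler material.

```shell
#!/bin/sh
# Added example, not code from this thread: after a corporate root has been
# copied to /usr/local/share/ca-certificates/<name>.crt and update-ca-certificates
# has run, prove it actually landed in the system bundle by SHA-256 fingerprint,
# then run the chain check a TLS client would perform against that bundle.
# Assumptions: Debian/Ubuntu layout (BUNDLE defaults to
# /etc/ssl/certs/ca-certificates.crt); the roots built by make_root are
# constructed for the demo only.
set -eu

BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# der_to_pem IN.der OUT.crt: update-ca-certificates only picks up PEM files
# whose name ends in .crt.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# fingerprint FILE: SHA-256 fingerprint of one PEM cert, hex without colons.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# bundle_contains ROOT BUNDLE: split the bundle into single certs and compare
# fingerprints. Matching on the subject name alone proves nothing; a proxy
# vendor can ship several roots with the same name.
bundle_contains() {
  want=$(fingerprint "$1")
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++; out = dir "/" n ".pem" }
    out { print > out }' "$2"
  found=1
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(fingerprint "$f")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$tmp"
  return $found
}

# verify_with_bundle CERT BUNDLE: the question dockerd asks when an inspection
# proxy re-signs registry traffic: does CERT chain to something the OS trusts?
verify_with_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_root CN OUT: throwaway self-signed root, for demonstration only.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# install_root ROOT.crt: the real-host procedure (needs root). The file name
# must end in .crt or update-ca-certificates ignores it.
install_root() {
  cp "$1" /usr/local/share/ca-certificates/
  update-ca-certificates
  bundle_contains "$1" "$BUNDLE"
}
```

After `sudo update-ca-certificates`, `bundle_contains Zscaler.crt /etc/ssl/certs/ca-certificates.crt` returning 0 is the confirmation that step 5 actually happened; `verify_with_bundle` on a leaf saved from `openssl s_client -showcerts` then tells you whether the chain the proxy presents is complete. Note that this fixes the OS trust store, which dockerd consults for registries that have no directory under /etc/docker/certs.d/; a per-registry ca.crt there is the narrower alternative when you do not want the proxy root trusted system-wide.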