Docker Community Forums


Docker Private Registry: x509: certificate signed by unknown authority


(Dlynch158) #1

EDIT: Got it working!

I got it working by creating my own certificate authority first as outlined here:

And here:

I’d like to be able to give a better answer, but I was following the instructions here:

https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

And it wasn’t working for me, except for the part about signing the client key. That worked.


I am attempting to set up a private Docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I’m getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply ‘ca.crt’, which the debug log again shows it seeing, but it didn’t have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl, either way works.

The Docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don’t need --cacert with curl, although I’m confused because I’ve since removed the certificate but curl still works.)

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now ‘docker.squadwars.org’.


(Mlnsharma) #2

Hi, I am observing the same problem with a self-signed certificate generated by the command below.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt

mkdir /certs/

docker run -d -p 6000:6000 --restart=always --name registry -v /root/docker/certs:/certs/ -e REGISTRY_HTTP_ADDR=0.0.0.0:6000 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

When I push an image to localhost:6000, the image gets pushed successfully, but when I start using the domain name, it keeps failing with this reason.

[root@den01swq ~]# docker push domainname.com:6000/my-hello-world
The push refers to a repository [domainname.com:6000/my-hello-world]
Get https://domainname.com:6000/v1/_ping: x509: certificate signed by unknown authority

I don’t understand the reason for the failure. I followed the steps exactly from the links below.



(Clnperez) #3

If you haven’t, maybe you can try adding the cert dir (and cert) with the hostname as well as the IP to the /etc/docker/certs.d/ dir.


(Flawal) #4

In case anyone else is having this problem, the solution is:

docker-machine regenerate-certs machine-name

Where machine-name is the name of the machine with the bad cert.


(Santhy) #5

[root@localhost Desktop]# docker run -it --rm docker/dtr install \ --dtr-external-url 192.168.1.30:5000 \ --ucp-node localhost.localdomain \ --ucp-username admin \ --ucp-url https://172.17.0.1 \ --ucp-ca "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port): ucp-username (The UCP administrator username): ucp-password:
INFO[0000] Validating UCP cert
INFO[0000] Connecting to UCP
FATA[0000] failed to get new conv client: failed to create http client: Failed to get UCP CA: Get https://MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD/ca: dial tcp: lookup MIIF+zCCA+OgAwIBAgIJAJOcgG+xrbw2MA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD: no such host

and without TLS verification:
docker run -it --rm docker/dtr:2.3.5 install --ucp-node localhost.localdomain --ucp-insecure-tls
INFO[0000] Beginning Docker Trusted Registry installation
ucp-url (The UCP URL including domain and port): https://172.17.0.1
ucp-username (The UCP administrator username): admin
ucp-password:
ucp-password:
ucp-password:
INFO[0023] Validating UCP cert
INFO[0023] Connecting to UCP
FATA[0023] failed to get new conv client: failed to create ucp client from ucp opts: Failed to connect to UCP; make sure that you are using a domain listed in UCP’s TLS certificate’s subject alternate names: Get https://172.17.0.1/_ping: x509: cannot validate certificate for 172.17.0.1 because it doesn’t contain any IP SANs

I’m having this error. Any help…
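The x509 errors quoted in posts #1, #2 and #5 all come from Go's crypto/x509 verifier, which the Docker daemon and the DTR installer use for TLS. The added example below (not code from this thread or from Docker) reproduces them in isolation: a constructed self-signed certificate is verified against an empty trust pool (the situation when nothing under /etc/docker/certs.d/<host>/ is trusted), then against a pool containing it, then by IP address when the certificate carries only a DNS SAN. The helper names selfSigned and verifyAs are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server cert in memory (constructed test data
// standing in for domain.crt). Name matching uses only the SANs, not the CN.
func selfSigned(dns []string, ips []net.IP) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
		IsCA:         true, BasicConstraintsValid: true, // as `openssl req -x509` emits
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, cannot fail
	return cert
}

// verifyAs runs the check the daemon's Go TLS client applies on dial: chain the
// server cert to a trusted root, then match the dialed name. "" means success.
func verifyAs(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	cert := selfSigned([]string{"docker.squadwars.org"}, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // what placing the cert in certs.d/<host>/ca.crt does
	fmt.Println("no ca.crt:", verifyAs(cert, x509.NewCertPool(), "docker.squadwars.org"))
	fmt.Println("ca.crt:   ", verifyAs(cert, trusted, "docker.squadwars.org"))
	fmt.Println("by IP:    ", verifyAs(cert, trusted, "172.17.0.1"))
}
```

The third case is the DTR failure in post #5: trusting the certificate is not enough when the client dials an IP address that is absent from the certificate's IP SANs, so the fix is to issue the certificate with that IP (or dial a DNS name it lists), not to disable verification.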