Error on docker pull after update from Windows 10 to Windows 11

I’m having problems with Docker since I updated from Windows 10 to Windows 11. Now I can’t download or run any images since the update.

Everything was working fine under Windows 10, but after my Windows 11 update, when I try to do a simple docker pull hello-world, I get this error:

docker: could not validate the path to a trusted root: unable to retrieve valid leaf certificates.

I completely uninstalled Docker Desktop and reinstalled it again, but I still get the error. I am on a personal computer.

I need to fix this issue and be able to download and run images from Docker Hub again.

I did one more test. Using the Docker Desktop IDE, I can download the hello-world image from the search image menu, and then I can run the container from the containers menu. But if I try that using commands in PowerShell, I get the error mentioned above.

I think I saw a similar issue on this forum where I think I even commented, but I could not find it now. Maybe I just wanted to comment, but I know @meyay did. Maybe he remembers.

But normally there should be no difference as the docker command communicates with the daemon inside the virtual machine of Docker Desktop that downloads the image, so maybe there are some issues with the authentication process.

Even though the hello-world app does not require authentication, it is also a known issue that Docker Desktop sometimes requires logging in or out just to trigger events that update tokens. That would not solve your certificate issue, but you can try to read this guide too for uninstalling Docker Desktop.

Docker Desktop works on Windows 11, so there must be some files remaining from the old installation or something is broken with the Windows 11 installation itself. I don’t know if there is anything to delete from Windows registry, I see people recommending that sometimes, but I never like to manually touch that registry.

That didn’t work for me. I followed all the uninstallation steps, and then I reinstalled Docker Desktop, but I still have the same problem. I can’t understand where the problem is coming from.

Thanks anyway for the help.

Please, share the output of

docker info

and

docker version

If you have any private data as IP addresses or usernames, make sure you mask those details before sharing.

If you are using the WSL2 backend, you can try to enable WSL2 integration and run the docker commands from a WSL distribution. If the command doesn’t work from Windows PowerShell, hopefully it works from WSL as that gives you a Linux OS. When you do something from the GUI of Docker Desktop, most of the things happen in the virtual machine under it. If the command works from WSL, you at least earn some time to figure out the problem in PowerShell and it would also take us closer to where you need to look for configuration issues. If something happened with certificates during Windows upgrade, it is possible that you need to fix the stored CA certificates on Windows. If it doesn’t work from WSL either, there must be something else that is between you and Docker Hub.

Hello,

I have attached requested info.

I’m not sure how to run docker commands from wsl. What I have done is type wsl from powershell in admin mode. Then type any docker command, I get this:

It looks like you have tried to invoke the docker CLI from the docker-desktop WSL2 distribution. This is not supported.

Please invoke the docker CLI from the Windows Command Prompt, PowerShell, or other compatible terminals.

If you wish to interact with Docker Desktop from a third-party WSL2 distribution, such as Ubuntu, please enable the Docker Desktop WSL2 integration for it. See: https://docs.docker.com/desktop/wsl/#enabling-docker-support-in-wsl-2-distros

I have checked the steps in the url, and I would say everything related to WSL is enabled in my docker desktop settings.

How can I fix those stored CA certificates in Windows?

Thanks.

…and this is the docker version output. I can only put one attachment for each post.

Sorry, I don’t know how to do that, or how to fix stored CA certs… any help with this would be appreciated… :slight_smile:

Please, don’t share texts as screenshots. Share as code blocks as you did in your first post or just before the screenshot. Hard to read, impossible to search for and copy or quote important parts. And some users will not even open screenshots for these reasons.

For a reason :slight_smile: It is often not needed at all. Sharing texts as texts in code blocks is the best you can do.

Just as you did.

I would recheck that as running the docker command in the WSL2 distribution for which WSL2 integration is enabled in Docker Desktop should give you the same output as on Windows or even work better in this case. Make sure the WSL distribution you use is the one for which the integration was enabled. You can try rebooting your machine if needed, but I don’t think that is needed.

In the meantime, you could try loading the following sites from your web browser and from terminal (curl? Invoke-WebRequest in PowerShell?)

  • https://docker.io/
  • https://registry-1.docker.io/

Focus on TLS errors. Any other output or HTTP error code could be fine. Since your error message did not contain which domain was problematic in the request, it is also possible it was something else to which the request is redirected when you pull the image.

update:

I don’t know what went wrong, so I don’t know how you can fix it. Not to mention how hard it was for me to add a custom CA to Windows when I needed to, and I didn’t understand how it worked eventually, so first you should figure out what TLS is not trusted.

Sorry for the screenshots, I’ll share texts next time :slight_smile:

After checking my wsl 2 configuration, all wsl 2 checks are ticked, and docker desktop is using it. And I don’t have any Linux distro installed.

PS C:\WINDOWS\system32> wsl.exe -l -v
  NAME              STATE           VERSION
* docker-desktop    Running         2

And regarding the urls:

PS C:\WINDOWS\system32> curl.exe https://docker.io
PS C:\WINDOWS\system32> curl.exe https://registry-1.docker.io
404 page not found

I am completely lost with it. I’m not any kind of expert in these situations, and I probably don’t know how to do some simple steps that would easily solve the problem.

Try these commands instead:

Invoke-WebRequest -Verbose -Debug https://docker.io
Invoke-WebRequest -Verbose -Debug https://registry-1.docker.io/v2

The 2nd command is expected to result in an error.

Still, both commands should indicate whether a problem with the certificates exists.

From what I remember, the registries use certificates issued by the Amazon CA, which is present in every trust store. I doubt the problem is that this CA’s certificate is not present in your trust store. Usually we experience this sort of problem when the security context for the https connection is between client and server, but through a “man in the middle”. For instance, if you are in a network that enforces TLS inspection for https traffic, then you would be in such a situation.
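
The check this post points toward, as an added example (not part of any post and not Docker's own tooling): a PowerShell function, here given the hypothetical name `Get-TlsChain`, that shows the certificate chain each registry host presents and whether Windows builds it to a trusted root. It needs network access to the two hosts named in the thread; behind TLS inspection the leaf issuer would name the inspecting product's CA rather than a public CA.

```powershell
# Added example. Get-TlsChain is a hypothetical helper name, not a built-in cmdlet.
function Get-TlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented so that an untrusted chain can still be
        # read; trust is evaluated separately below with X509Chain.Build().
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against the Windows trust store with default policy.
        $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted   = $x509Chain.Build($leaf)
        $certs     = @($x509Chain.ChainElements | ForEach-Object { $_.Certificate })
        $top       = $certs[-1]

        [pscustomobject]@{
            Host             = $HostName
            LeafSubject      = $leaf.Subject
            LeafIssuer       = $leaf.Issuer
            LeafNotAfter     = $leaf.NotAfter
            ChainLength      = $certs.Count
            ChainTopSubject  = $top.Subject
            ChainTopThumb    = $top.Thumbprint
            TrustedByWindows = $trusted
            ChainStatus      = ($x509Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# The two hosts tested in this thread.
'docker.io', 'registry-1.docker.io' |
    ForEach-Object { Get-TlsChain -HostName $_ } |
    Format-List
```

Running the same check from a second network gives a baseline to compare the issuer and top-of-chain thumbprint against.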

Hello,

I am doing all these tests from a home network, so I don’t think my network has any kind of complex configurations or corporate configurations.

Regarding the two commands, the first one gets blocked after two lines and never finishes, and the second one results in an error:

PS C:\WINDOWS\system32> Invoke-WebRequest -Verbose -Debug https://docker.io
DETALLADO: GET with 0-byte payload
DETALLADO: received 366058-byte response of content type text/html; charset=UTF-8  
PS C:\WINDOWS\system32> Invoke-WebRequest -Verbose -Debug https://registry-1.docker.io/v2
DETALLADO: GET with 0-byte payload
Invoke-WebRequest : {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
En línea: 1 Carácter: 1
+ Invoke-WebRequest -Verbose -Debug https://registry-1.docker.io/v2
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\WINDOWS\system32>

So the TLS works from Windows.

Then I don’t know where you ran the commands previously. I assume from the “docker-desktop” distribution which is for Docker Desktop, not for users. You can install one for you easily.

wsl --install Ubuntu-24.04

And enable WSL2 integration for it in Docker Desktop settings if you haven’t done it yet, although you wrote you had everything configured. You can still double check it after the installation. Then you can try the docker command in the new distribution.

I think you should also enable debug logging in the Docker daemon config json:

https://docs.docker.com/reference/cli/dockerd/#on-linux

{
  "debug": true
}

The docker command has a debug flag as well

docker --debug pull ....

And finally, I would try getting some logs from docker desktop

https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#check-the-logs

I’m not sure which log file would contain the relevant logs, but you can find several error log and other log files. I would start with “stderr” files.

Good news: after installing Ubuntu-24.04 following your instructions, and then, in Docker Desktop, going to Settings → Resources → WSL Integration → Ubuntu-24.04 (this check wasn’t there before)… I could do this:

I logged in to Ubuntu with this command:

wsl.exe -d Ubuntu-24.04

And then:

sudo docker run hello-world

And it worked!!

And even now I can see my new image and my new container in Docker Desktop. But it is still not working in PowerShell, getting the same error.

I would say it is progress. Should I give up with PowerShell and work in Ubuntu, or do you think there is a solution for PowerShell?

Thanks a lot. I really appreciate your help.

Great. So the Docker client in the WSL2 distribution works, curl with the main registry domains works, but the Docker client on Windows doesn’t.

I don’t know if Docker Desktop has its own cert store for the client. Are you sure you removed all the folders mentioned in the documentation when you uninstalled Docker Desktop?

Quote

After uninstalling Docker Desktop, some residual files may remain which you can remove manually. These are:

C:\ProgramData\Docker
C:\ProgramData\DockerDesktop
C:\Program Files\Docker
C:\Users\<your user name>\AppData\Local\Docker
C:\Users\<your user name>\AppData\Roaming\Docker
C:\Users\<your user name>\AppData\Roaming\Docker Desktop
C:\Users\<your user name>\.docker

If you are sure, and you don’t find someone who knows the way to fix your client in PowerShell, the last I can do is recommend the troubleshooting guide again.

If you can’t find any suspicious logs, the guide also shows how you can share the logs with Docker on GitHub.

If using the docker client from WSL is okay for you, that’s fine, but if you have a certificate issue, you could have other issues later, so it could be better solving it now.

Yes, I am completely sure I did all those steps.

Regarding the log, I have forced an error in PowerShell and there is only one file with new lines, and maybe they are suspicious:

[2025-10-19T14:10:54.808123600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks","time":"2025-10-19T14:10:31.875796944Z"}
[2025-10-19T14:10:54.808123600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /images/json","time":"2025-10-19T14:10:31.875819244Z"}
[2025-10-19T14:10:54.809185400Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks (1.2448ms)","time":"2025-10-19T14:10:31.877045844Z"}
[2025-10-19T14:10:54.815486800Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/3a4ad5a509790daa5f267f4c449f7dd96881929197d369cfb851c714f8e066ad","time":"2025-10-19T14:10:31.882981844Z"}
[2025-10-19T14:10:54.816867500Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/0cd063ee597cb4cf261ebefb85da0368739b583e1fe97ed4f510a7aa7ef9ee45","time":"2025-10-19T14:10:31.883336944Z"}
[2025-10-19T14:10:54.816867500Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/3a4ad5a509790daa5f267f4c449f7dd96881929197d369cfb851c714f8e066ad (1.4113ms)","time":"2025-10-19T14:10:31.884394144Z"}
[2025-10-19T14:10:54.817471600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/0cd063ee597cb4cf261ebefb85da0368739b583e1fe97ed4f510a7aa7ef9ee45 (1.5354ms)","time":"2025-10-19T14:10:31.884874144Z"}
[2025-10-19T14:10:54.817471600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/00bab8cb1fb45cf15a095a6148bd88b560fc38eb6eba8f43ed312ec4b4e95893","time":"2025-10-19T14:10:31.885279744Z"}
[2025-10-19T14:10:54.820490200Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/00bab8cb1fb45cf15a095a6148bd88b560fc38eb6eba8f43ed312ec4b4e95893 (2.1377ms)","time":"2025-10-19T14:10:31.887422344Z"}
[2025-10-19T14:10:54.879751900Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /images/json (71.4867ms)","time":"2025-10-19T14:10:31.947272444Z"}
[2025-10-19T14:10:55.691914000Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /containers/json?all=true","time":"2025-10-19T14:10:32.759908744Z"}
[2025-10-19T14:10:55.745888600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /containers/json?all=true (57.3982ms)","time":"2025-10-19T14:10:32.817310244Z"}
[2025-10-19T14:10:56.385887600Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating. (Dropped 11 similar message(s))","time":"2025-10-19T14:10:33.425327914Z"}
[2025-10-19T14:10:59.780681200Z][com.docker.backend.exe.wslengine] {"component":"dockerd","level":"info","msg":"2025/10/19 14:10:36 traces export: rpc error: code = Unimplemented desc = unknown service opentelemetry.proto.collector.trace.v1.TraceService","time":"2025-10-19T14:10:36.820149914Z"}
[2025-10-19T14:11:01.338168300Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating.","time":"2025-10-19T14:10:38.404251523Z"}
[2025-10-19T14:11:06.354030200Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating.","time":"2025-10-19T14:10:43.419483355Z"}
[2025-10-19T14:11:14.240779600Z][com.docker.backend.exe.ipc] (8c68eed9-13) 1713e57e-BackendAPI S<-C 2443b291-time GET /time
[2025-10-19T14:11:14.240779600Z][com.docker.backend.exe.ipc] (8c68eed9-13) 1713e57e-BackendAPI S->C 2443b291-time GET /time (0s): 2025-10-19 16:11:14.2407796 +0200 CEST m=+409.070104701
[2025-10-19T14:11:15.891292200Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e HEAD /_ping","time":"2025-10-19T14:10:52.956226610Z"}
[2025-10-19T14:11:15.891837100Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c HEAD /_ping (959.8µs)","time":"2025-10-19T14:10:52.957185910Z"}
[2025-10-19T14:11:19.776704700Z][com.docker.backend.exe.wslengine] {"component":"dockerd","level":"info","msg":"2025/10/19 14:10:56 traces export: rpc error: code = Unimplemented desc = unknown service opentelemetry.proto.collector.trace.v1.TraceService","time":"2025-10-19T14:10:56.835176120Z"}
[2025-10-19T14:11:42.876111600Z][com.docker.backend.exe.ipc] (8c68eed9-14) 1713e57e-BackendAPI S<-C 2443b291-time GET /time
[2025-10-19T14:11:42.876111600Z][com.docker.backend.exe.ipc] (8c68eed9-14) 1713e57e-BackendAPI S->C 2443b291-time GET /time (0s): 2025-10-19 16:11:42.8761116 +0200 CEST m=+437.705436701
[2025-10-19T14:11:54.811930800Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /images/json","time":"2025-10-19T14:11:31.866468722Z"}
[2025-10-19T14:11:54.811930800Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks","time":"2025-10-19T14:11:31.866488622Z"}
[2025-10-19T14:11:54.814120100Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks (2.0075ms)","time":"2025-10-19T14:11:31.868498622Z"}
[2025-10-19T14:11:54.820260900Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/3a4ad5a509790daa5f267f4c449f7dd96881929197d369cfb851c714f8e066ad","time":"2025-10-19T14:11:31.874182022Z"}
[2025-10-19T14:11:54.820260900Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/0cd063ee597cb4cf261ebefb85da0368739b583e1fe97ed4f510a7aa7ef9ee45","time":"2025-10-19T14:11:31.874197222Z"}
[2025-10-19T14:11:54.820856100Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /networks/00bab8cb1fb45cf15a095a6148bd88b560fc38eb6eba8f43ed312ec4b4e95893","time":"2025-10-19T14:11:31.874773222Z"}
[2025-10-19T14:11:54.820856100Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/3a4ad5a509790daa5f267f4c449f7dd96881929197d369cfb851c714f8e066ad (1.2063ms)","time":"2025-10-19T14:11:31.875388522Z"}
[2025-10-19T14:11:54.821368500Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/0cd063ee597cb4cf261ebefb85da0368739b583e1fe97ed4f510a7aa7ef9ee45 (1.5124ms)","time":"2025-10-19T14:11:31.875711722Z"}
[2025-10-19T14:11:54.821368500Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /networks/00bab8cb1fb45cf15a095a6148bd88b560fc38eb6eba8f43ed312ec4b4e95893 (940.6µs)","time":"2025-10-19T14:11:31.875716122Z"}
[2025-10-19T14:11:54.882214400Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /images/json (70.8313ms)","time":"2025-10-19T14:11:31.937316322Z"}
[2025-10-19T14:11:55.695988700Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /containers/json?all=true","time":"2025-10-19T14:11:32.750755522Z"}
[2025-10-19T14:11:55.742727000Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003c\u003c GET /containers/json?all=true (47.3812ms)","time":"2025-10-19T14:11:32.798140422Z"}
[2025-10-19T14:11:56.461837000Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating. (Dropped 11 similar message(s))","time":"2025-10-19T14:11:33.526886828Z"}
[2025-10-19T14:11:58.473995900Z][com.docker.backend.exe.wslengine] {"component":"dockerd","level":"info","msg":"2025/10/19 14:11:35 traces export: rpc error: code = Unimplemented desc = unknown service opentelemetry.proto.collector.trace.v1.TraceService","time":"2025-10-19T14:11:35.537726828Z"}
[2025-10-19T14:12:01.474264900Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating.","time":"2025-10-19T14:11:38.537149069Z"}
[2025-10-19T14:12:06.470877500Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating.","time":"2025-10-19T14:11:43.537097045Z"}
[2025-10-19T14:12:12.879180100Z][com.docker.backend.exe.ipc] (8c68eed9-15) 1713e57e-BackendAPI S<-C 2443b291-time GET /time
[2025-10-19T14:12:12.879180100Z][com.docker.backend.exe.ipc] (8c68eed9-15) 1713e57e-BackendAPI S->C 2443b291-time GET /time (0s): 2025-10-19 16:12:12.8791801 +0200 CEST m=+467.708505201

I will check how to share them.

Thanks again.
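
One way to triage a Docker Desktop log in the format posted above, as an added example (not part of any post and not a Docker tool): it keeps only entries above `info` level or mentioning certificates or TLS. The function name `Select-DockerLogFinding`, the keyword pattern and the sample lines are assumptions made here; the third sample line is constructed to show what a hit looks like.

```powershell
# Added example. Constructed sample in the layout seen in the thread:
# "[host timestamp][source] payload", where payload is JSON for wslengine entries.
$sample = @'
[2025-10-19T14:10:54.808123600Z][com.docker.backend.exe.wslengine] {"component":"apiproxy","level":"info","msg":"\u003e\u003e GET /images/json","time":"2025-10-19T14:10:31.875819244Z"}
[2025-10-19T14:10:56.385887600Z][com.docker.backend.exe.wslengine] {"component":"kmsg","level":"info","msg":"systemd-journald[69]: Time jumped backwards, rotating.","time":"2025-10-19T14:10:33.425327914Z"}
[2025-10-19T14:10:57.000000000Z][com.docker.backend.exe.wslengine] {"component":"dockerd","level":"error","msg":"x509: certificate signed by unknown authority","time":"2025-10-19T14:10:34.000000000Z"}
[2025-10-19T14:11:14.240779600Z][com.docker.backend.exe.ipc] (8c68eed9-13) 1713e57e-BackendAPI S<-C 2443b291-time GET /time
'@ -split "`r?`n"

function Select-DockerLogFinding {
    param(
        [string[]]$Line,
        # Assumed keyword list; adjust to the failure being chased.
        [string]$Pattern = 'x509|\btls\b|certificate|trust'
    )
    foreach ($l in $Line) {
        # Split the two bracketed prefixes from the payload; skip anything else.
        if ($l -notmatch '^\[(?<ts>[^\]]+)\]\[(?<src>[^\]]+)\]\s*(?<body>.*)$') { continue }
        $ts, $src, $body = $Matches.ts, $Matches.src, $Matches.body

        $level = 'n/a'
        $component = ''
        $msg = $body
        if ($body.StartsWith('{')) {
            try {
                # ConvertFrom-Json also decodes escapes such as \u003e into ">".
                $json = $body | ConvertFrom-Json
                $level = $json.level
                $component = $json.component
                $msg = $json.msg
            } catch { }   # payload is not valid JSON: keep it as plain text
        }

        if ($level -in 'warn', 'warning', 'error', 'fatal' -or $msg -match $Pattern) {
            [pscustomobject]@{
                HostTime  = $ts
                Source    = $src
                Component = $component
                Level     = $level
                Message   = $msg
            }
        }
    }
}

Select-DockerLogFinding -Line $sample | Format-Table -AutoSize
```

For a real file, pass the output of `Get-Content` on the log path as `-Line`.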
