Error pulling image configuration: tls: failed to verify certificate: x509: certificate signed by unknown authority

Hello,

I am currently trying to install Vaultwarden on a Debian 12 VM (HyperV).

First I got the following error message with curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh ./get-docker.sh

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I was able to fix this by running

openssl s_client -connect registry-1.docker.io:443 -showcerts

and then copying out the range from (and including) -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

I pasted this into sudo nano /usr/local/share/ca-certificates/docker_cert_manuell.crt and ran sudo update-ca-certificates. Then I was able to run curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh ./get-docker.sh successfully.

Then I wrote my docker-compose.yaml:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      #DOMAIN: "https://passwortserver.meine-firma.de"
      SIGNUPS_ALLOWED: "true"
    volumes:
      - ./data:/data
    ports:
      - 80:80

Now I always get the following error message with docker compose up -d:

[+] Running 0/6
 ⠦ vaultwarden [⠀⠀⠀⠀⠀] Pulling                                  8.6s
   ⠙ 59e22667830b Retrying in 1 second                          6.1s
   ⠙ cc18e03c8cd8 Retrying in 1 second                          6.1s
   ⠙ f6e0865da50e Retrying in 1 second                          6.1s
   ⠙ 6bec2bc6dc05 Waiting                                       6.1s
   ⠙ aa7aba5b8287 Waiting                                       6.1s
error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate signed by unknown authority

I’ve also already tried to write

{
  "insecure-registries" : ["registry-1.docker.io"]
}

at /etc/docker/daemon.json

I also added the certificate from openssl s_client -connect registry-1.docker.io:443 -showcerts at sudo nano /etc/docker/certs.d/registry-1.docker.io/ca.crt and restarted docker, unfortunately also without success.

Do any of you have any ideas as to why this could be, or what I can do?

Wouldn’t the first step be to figure out why your system doesn’t trust the certificate in the first place, instead of fetching whatever certificate your system gets presented and trusting it blindly?

Wasn’t the ca-certificates package installed, or is it outdated?

For all we know this could be a man-in-the-middle attack, and you legitimated an attack…

What you did makes sense if your network uses tls inspection, but would be worrisome if that’s not the case.

For the rest of this post, I will assume that your network enforces tls inspection.

Instead of adding the service’s certificate to your trust store, you will want to use the certificate of the ca used by the security appliance to issue the ad-hoc certificates the clients see.

When it comes to image pulling:

It is not advised to add a remote registry as insecure registry, instead you can add the ca certificate used by the security appliance to issue the ad-hoc certificates the clients see like this:

> A secure registry uses TLS and a copy of its CA certificate is placed on the Docker host at /etc/docker/certs.d/myregistry:5000/ca.crt.

source: https://docs.docker.com/reference/cli/dockerd/#insecure-registries

Thus, you would need to create the directory /etc/docker/certs.d/registry-1.docker.io and add the file ca.crt with the ca certificate.

Note: I don’t recall if the docker service needs to be restarted after the ca certificate is placed in the folder
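One way to do the check described above (find out who actually issued the certificate the registry presents, and whether it chains to the system store or to a CA file from the inspection appliance) before trusting anything. This is an added example, not code from either poster; it assumes a chain saved with `openssl s_client -connect registry-1.docker.io:443 -showcerts </dev/null > chain.pem` and an optional corporate CA file obtained from the helpdesk.

```shell
#!/bin/sh
# Usage: check_chain chain.pem [corporate-ca.pem]
# Returns 0 only if the leaf verifies against the system store (ca-certificates)
# or, when given, against the CA file from the security appliance.
check_chain() {
    chain="$1"
    corp_ca="$2"
    workdir=$(mktemp -d)
    # Split the PEM bundle into cert-0.pem, cert-1.pem, ... (leaf first, as s_client prints it)
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$chain"
    leaf="$workdir/cert-0.pem"
    if [ ! -f "$leaf" ]; then
        echo "no certificate found in $chain" >&2
        rm -rf "$workdir"
        return 2
    fi
    # Show who issued what: a public CA name means ca-certificates should already work;
    # the name of an inspection appliance means you need its CA file, not the leaf.
    for c in "$workdir"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
    done
    # Everything after the leaf is offered to openssl as untrusted intermediates
    untrusted=""
    if [ "$(ls "$workdir"/cert-*.pem | wc -l)" -gt 1 ]; then
        cat "$workdir"/cert-[1-9]*.pem > "$workdir/intermediates.pem"
        untrusted="-untrusted $workdir/intermediates.pem"
    fi
    rc=1
    if openssl verify $untrusted "$leaf" >/dev/null 2>&1; then
        echo "chain verifies against the system trust store"
        rc=0
    elif [ -n "$corp_ca" ] && openssl verify -CAfile "$corp_ca" $untrusted "$leaf" >/dev/null 2>&1; then
        echo "chain verifies against $corp_ca: install that CA, e.g. as /etc/docker/certs.d/registry-1.docker.io/ca.crt"
        rc=0
    else
        echo "chain does not verify: do not add the leaf certificate to the trust store"
    fi
    rm -rf "$workdir"
    return $rc
}
```

If the issuer printed for the leaf is a public CA and verification still fails, the problem is the local ca-certificates store, not the registry.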

Hello Metin,

thanks for your answer.

The ca-certificates package is up to date:

Package: ca-certificates
Version: 20230311+deb12u1

I think I mistakenly saved the Docker certificate under /etc/docker/certs.d/registry-1.docker.io/ca.crt. So instead of the Docker certificate, should I have saved the certificate from the Docker certificate’s certification authority there?

You wrote “instead you can add the ca certificate used by the security appliance” where can I get this certificate?

What surprises me is that it worked on my computer with HyperV, but now I’m trying it on the server where all our HyperV instances are located, and the error appears there.

Please make sure you set the question in the right context: this is when you are affected by tls inspection (which usually implies a corporate network). Typically, your helpdesk should be able to provide the ca certificates, or hint you in the right direction.

Your system should already know the ca from ca-certificates.


Ahhhhh okay, now I understand. Thank you very much!!

[+] Running 6/6
 ✔ vaultwarden Pulled                           22.4s
   ✔ 59e22667830b Pull complete                 15.5s
   ✔ cc18e03c8cd8 Pull complete                 18.5s
   ✔ f6e0865da50e Pull complete                 18.5s
   ✔ 6bec2bc6dc05 Pull complete                 19.4s
   ✔ aa7aba5b8287 Pull complete                 19.9s
[+] Running 2/2
 ✔ Network vaultwarden_default  Created          0.1s
 ✔ Container vaultwarden        Started          0.7s
