Failed to authorize - gitea when pushing an image - failed to verify certificate

I'm trying to push an image to a private repo/registry as follows:
docker push https://gitea.cnoe.localtest.me:8443/giteaadmin/ubuntu:24.04
I get

The push refers to repository [gitea.cnoe.localtest.me:8443/giteaadmin/ubuntu]
ff65ddf9395b: Unavailable
failed to authorize: failed to fetch oauth token: Post "https://gitea.cnoe.localtest.me:8443/v2/token": tls: failed to verify certificate: x509: certificate signed by unknown authority

I tried to disable tls verification by running
export DOCKER_TLS_VERIFY=
but it did not help.

I understand from docker | Docker Docs that we can define the path to access a local cert file. I have extracted 2 files from the platform and named them tls.key and tls.crt, but I am a little bit confused about how to configure them with Docker Desktop on Fedora. While googling I understood that in some cases the certificate should be placed in /etc/docker/cert.d. I checked, and there is no such directory in the file system.

Hi @rimelek, any feedback on this?

I didn’t need to configure these certs yet and I don’t use gitea, that is why I didn’t respond. Hopefully someone will see your post who can give you a better answer. Note that the topic will be automatically closed after 10 days of inactivity, so if you have no answer until then, you can send a new reminder post if you still need help, but no need to mention anyone.

But rimelek, yes I am trying with gitea, but my question is not really specific to gitea.
Let me rephrase the question: how can we disable TLS verification when using docker (push or any other command)?
I have another VM where I have podman, where I can easily do
podman push --verifytls=false

So how can this be done with docker in general? Or what are the steps to configure 1 or 2 certificates for 2 different repos to be used with the docker command?

I understand that you want to configure the ca certificate, used to issue the server certificate used by the registry, in Docker Desktop for Windows:
https://docs.docker.com/desktop/troubleshoot-and-support/faqs/windowsfaqs/#how-do-i-add-custom-ca-certificates

Update: I should have read more carefully. You want it for Docker Desktop for Linux.

gitea is not really relevant, I just shared I didn’t use that either. The important part in my reply is that I never needed to do anything with the certs yet, and I didn’t write, but I didn’t have time to start to learn about it. And I also didn’t notice that you were writing about Docker Desktop which I barely use on Linux anyway.

Thanks meyay, yes it is on linux fedora, I visited the url, not sure I understand the naming convention

~/.docker/certs.d//client.cert

There is no example. So if my registry is salam.registry:8443, I imagine that according to the convention it should be

~/.docker/certs.d/salam.registry:8443/client.crt

Is this the right way? Can we use “:
Also, do I need to manually create the folder certs.d?

You scrolled past the relevant part:

Docker Desktop creates a certificate bundle of all user-trusted CAs based on the Windows certificate store, and appends it to Moby trusted certificates. Therefore, if an enterprise SSL certificate is trusted by the user on the host, it is trusted by Docker Desktop.

So if it works on Linux the same way it does on Windows, then adding the certificate of the CA (used to create the server certificate) to the truststore of the os should do the trick.

According to Google, you need to place the CA certificate in PEM format in the /etc/pki/ca-trust/source/anchors folder and execute sudo update-ca-trust to update the certificate store. Then restarting Docker Desktop will tell you whether it worked or not.

In case this doesn’t work I suggest raising an issue about the missing documentation for Docker Desktop for Linux: GitHub · Where software is built
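
A pre-install check for the trust-store approach described in the reply above, added here as an example and not part of the original thread: before copying a file into /etc/pki/ca-trust/source/anchors, confirm that it is a certificate (not tls.key) and that it actually validates the registry's server certificate. The throwaway CA, the hostname registry.example.test and all file paths are constructed, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed names throughout: ca.crt, registry.example.test, temp paths.

# is_cert FILE: true only if FILE parses as a PEM X.509 certificate.
is_cert() { openssl x509 -in "$1" -noout 2>/dev/null; }

# is_ca FILE: true if the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# vet_anchor ANCHOR SERVER_CERT: pre-install check for a trust anchor.
vet_anchor() {
    is_cert "$1" || { echo "reject: $1 is not a certificate"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "reject: $1 does not validate $2"; return 1; }
    is_ca "$1" || echo "note: $1 is not marked CA:TRUE"
    echo "ok: $1 validates $2"
}

# make_constructed_pki DIR: throwaway CA and server cert, so this runs offline.
make_constructed_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=registry.example.test" \
        -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/tls.crt" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_constructed_pki "$demo_dir"
vet_anchor "$demo_dir/ca.crt"  "$demo_dir/tls.crt" || true  # the issuing CA
vet_anchor "$demo_dir/tls.key" "$demo_dir/tls.crt" || true  # a private key
rm -rf "$demo_dir"
# Once vet_anchor accepts the file, the Fedora steps from the thread apply:
#   sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
```

Against a live registry, the server certificate to test can be captured with `openssl s_client -connect <host>:<port> -showcerts`; the private key stays on the server and is never placed in the trust store.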
