Docker Community Forums

Private registry always returns x509: certificate signed by unknown authority

Hello all
I am trying to get a private registry working but struggle to get my certificate accepted by docker.
My setup is as follows:

  • Docker on RHEL 7 (called host)
  • Nexus 3 on host with a docker repository
  • nginx on host
  • nginx reverse proxy forwards to nexus docker repository
  • nginx uses a custom signed certificate for ssl, this certificate consists of a root ca, intermediate ca and the host certificate

The setup above should work correctly.
The problem I now have is that I always get x509: certificate signed by unknown authority when I try to log in to the registry.
I tried putting one / all / a merged certificate into /etc/docker/certs.d/<registry:port> and installing the certificates on the host (and also on another Ubuntu-based docker host) without any success. I am not able to log in.
Checking the registry URL with openssl s_client -showcerts -connect <registry:port> returns Verification OK.
Is there any way to debug the docker daemon to find out why it is not able to correctly verify the certificate? I am pretty much stuck and have already tried for hours :frowning:
Thank you for your help!

For myself I’ve been able to set up the trust by importing the CA cert into the client's local cert store and updating the trust:

  1. Copy your CA cert to a pem file here, on the machine acting as client: /etc/pki/ca-trust/source/anchors
  2. Update certificate trust: sudo update-ca-trust
  3. Restart docker on your client, to allow the trust to take effect: systemctl restart docker

I copied the root CA, the intermediate CA and a chain (host certificate > intermediate > root) there, renamed all to .pem, updated the certificate trust and restarted the docker daemon, but still the same issue :frowning:

Gaaaaah, after hours I found out that the issue was that in the docker daemon proxy config (/etc/systemd/system/docker.service.d/http-proxy.conf) I had a wildcard as no proxy:
NO_PROXY=*.mydomain.com
I changed that to:
NO_PROXY=mydomain.com
Now it works as it should!
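The root cause above is worth making checkable: when a NO_PROXY entry does not match the registry host, the daemon sends the connection through the HTTPS proxy, and the certificate it then sees (the proxy's, not the registry's) is the one it rejects, so the x509 error is really a "talking to the wrong peer" symptom. The program below is an added example, not code from this thread or from Docker itself. It parses the NO_PROXY value out of a systemd drop-in like the one the thread names and applies the host-matching rules Go's net/http proxy lookup used in older releases, on which the daemon relies: a lone "*" exempts everything, an exact host matches, and both ".mydomain.com" and "mydomain.com" match the domain and its subdomains; any other "*" is compared as a literal character and so matches nothing. The drop-in contents, the proxy host and the registry name are constructed for the example. (Newer Go releases also accept the "*." spelling, so whether the wildcard works depends on the Go version the daemon was built with; treating it as literal is the safe assumption when debugging.)

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleDropIn is a constructed example of a daemon proxy drop-in
// (/etc/systemd/system/docker.service.d/http-proxy.conf); the proxy host is made up.
const sampleDropIn = `[Service]
Environment="HTTP_PROXY=http://proxy.example.internal:3128" "HTTPS_PROXY=http://proxy.example.internal:3128"
Environment="NO_PROXY=localhost,127.0.0.1,*.mydomain.com"
`

var noProxyRe = regexp.MustCompile(`\bNO_PROXY=([^"\s]*)`)

// NoProxyFromDropIn returns the NO_PROXY value set on an Environment= line of a
// systemd drop-in, or "" when the drop-in sets none.
func NoProxyFromDropIn(conf string) string {
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Environment=") {
			continue
		}
		if m := noProxyRe.FindStringSubmatch(line); m != nil {
			return m[1]
		}
	}
	return ""
}

// stripPort lower-cases addr and removes a trailing :port, if any.
func stripPort(addr string) string {
	addr = strings.ToLower(strings.TrimSpace(addr))
	if i := strings.LastIndex(addr, ":"); i > strings.LastIndex(addr, "]") {
		return addr[:i]
	}
	return addr
}

// Bypasses reports whether the NO_PROXY value exempts addr from the proxy under
// the legacy net/http rules: "*" alone exempts everything; an entry equal to the
// host matches; ".mydomain.com" and "mydomain.com" both match the domain and any
// subdomain. Any other entry containing "*" is compared literally and never matches.
func Bypasses(noProxy, addr string) bool {
	noProxy = strings.TrimSpace(noProxy)
	if noProxy == "*" {
		return true
	}
	host := stripPort(addr)
	for _, entry := range strings.Split(noProxy, ",") {
		p := stripPort(entry)
		if p == "" {
			continue
		}
		switch {
		case host == p:
			return true
		case p[0] == '.' && (strings.HasSuffix(host, p) || host == p[1:]):
			return true
		case p[0] != '.' && len(host) > len(p) && strings.HasSuffix(host, p) && host[len(host)-len(p)-1] == '.':
			return true
		}
	}
	return false
}

// LiteralWildcards lists NO_PROXY entries that contain "*" but are not the bare
// match-all "*": under the legacy rules these entries can never match a host.
func LiteralWildcards(noProxy string) []string {
	var out []string
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.TrimSpace(entry)
		if entry != "*" && strings.Contains(entry, "*") {
			out = append(out, entry)
		}
	}
	return out
}

func main() {
	registry := "registry.mydomain.com:5000" // constructed registry name
	before := NoProxyFromDropIn(sampleDropIn)
	after := "localhost,127.0.0.1,mydomain.com" // the corrected value from the thread
	for _, np := range []string{before, after} {
		fmt.Printf("NO_PROXY=%-40s bypass proxy for %s: %v\n", np, registry, Bypasses(np, registry))
		if w := LiteralWildcards(np); len(w) > 0 {
			fmt.Printf("  warning: entries compared literally and never matched: %v\n", w)
		}
	}
}
```

Run it against the real drop-in by reading the file into NoProxyFromDropIn instead of the constructed sample. The quick cross-check on the host itself is `docker info`, which prints the HTTP Proxy, HTTPS Proxy and No Proxy values the daemon actually loaded, so a stale drop-in (not yet picked up by `systemctl daemon-reload` and a daemon restart) shows up immediately. If the registry host is not exempted, fix the exemption rather than adding the proxy's CA to the daemon's trust store, which would silently accept the proxy as the registry.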