Pull hello-world returns x509: certificate signed by unknown authority

Issue type: cannot pull

OS: Microsoft Windows [Version 10.0.16299.904]

Docker Desktop Community version 2.0.0.2 (30215) Channel:stable Build:0b030e1

There is a proxy involved in my environment which is correctly configured for Docker Desktop (without that the response to command was that authentication is required).

Issue command: docker pull hello-world.

Response:

Using default tag: latest
latest: Pulling from library/hello-world
1b930d010525: Pulling fs layer
error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/fc/fce2
: x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “MyCompany WebGateway CA”)

Per:

Starting with Docker Desktop for Windows 1.12.1, 2016-09-16 (Stable) and Beta 26 (2016-09-14 1.12.1-beta26), all trusted Certificate Authorities (CA) (root or intermediate) are supported. Docker recognizes certs stored under Trust Root Certification Authorities or Intermediate Certification Authorities.

This doesn’t appear to be the case as I have verified that proxy certificates are both in Root and Intermediate locations.

Googling on this error I have found a lot of information but, sadly, none of it seems relevant to my case.

Are you running a private repository? Or is the url from above a CDN used by docker hub?

When a certificate for a private registry is signed by an unknown CA (Root-CA and all intermediate CA’s or at least part of the chain), you need to import the certificate chain in order to permit TLS certificate validation.

No, it is not a private repository. This is first time use after installing Docker Desktop. I just started playing with docker on my office Windows 10 machine and am not proficient enough to create or use private repositories at this time.

It seems like either the CDN serves a certificate signed by a CA that pretty much looks self signed, “MyCompany WebGateway CA”. You don’t happen to have a proxy server in your communication that terminates TLS, inspects the payload and establishes a new security context from the proxy to your machine?

What do you mean by “I have verified that proxy certificates are both in Root and Intermediate locations”?

The certificate in question is my office proxy certificate. Yes, it is self signed.
This is what was supposedly resolved starting with Docker Desktop for Windows 1.12.1, 2016-09-16 (Stable) per FAQ that I cited above.

It says, quoting:

Docker Desktop for Windows creates a certificate bundle of all user-trusted CAs based on the Windows certificate store, and appends it to Moby trusted certificates. So if an enterprise SSL certificate is trusted by the user on the host, it is trusted by Docker Desktop for Windows.

What I mean by ‘I have verified that proxy certificates are both in Root and Intermediate locations’ is that I opened Google browser Settings/Advanced/Manage certificates dialog and verified that the proxy certificate, the one mentioned in the error response to docker pull hello-world, is indeed present in Trust Root Certification Authorities or Intermediate Certification Authorities as required by FAQ.

I tried copying the certificate to various other locations, per some older discussions that I found googling and at Docker Github, like C:\Users\me\.docker\certs.d, or in C:\ProgramData\DockerDesktop but that didn’t help.

As for your question about how the office proxy works, I really don’t know. I would have to ask. Can you please provide more details on that so that I can ask the right questions from our IT? All I know is that it is a McAfee NTLM proxy.

The provided details are sufficient to understand that the error is caused by your corporate proxy CA certificate missing from your OS’s truststore. The company’s proxy obviously terminates TLS and creates a new security context, which is what causes your problem.

As I don’t use Chrome, I am not aware if it directly uses the OS’s truststore. Internet Explorer definitely uses it, though. I would suggest checking if the certificate exists in IE.

Did you restart the docker service after placing the certificate in the truststore? If not, do so :slight_smile:

Proxy Issue? https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon
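The two checks suggested in this thread (is the proxy CA actually in the Windows store Docker Desktop reads, and does the Docker CDN host really present a chain ending in that CA) can be done in one PowerShell script. This is an added diagnostic, not code from the thread or from Docker; the CA name and host are taken from the error message above, and the optional proxy address is a placeholder you would replace with your own.

```powershell
# Added diagnostic (not from the thread). Run as a .ps1 file. Names are assumptions from the error text.
param(
    [string]$CaName = 'MyCompany WebGateway CA',           # CA named in the x509 error
    [string]$Target = 'production.cloudflare.docker.com',  # host named in the x509 error
    [string]$Proxy  = ''                                   # e.g. 'proxy.corp.example:8080' if traffic must use an explicit proxy
)

# 1. Where does the CA live? The FAQ quoted above says Docker Desktop bundles *user-trusted* CAs,
#    so CurrentUser\Root is the store that matters; LocalMachine is listed for comparison.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA') {
    Get-ChildItem $store | Where-Object { $_.Subject -like "*CN=$CaName*" } | ForEach-Object {
        $selfSigned = ($_.Subject -eq $_.Issuer)   # a self-signed CA has identical Subject and Issuer
        "{0}: {1} thumbprint={2} selfSigned={3} expires={4}" -f $store, $_.Subject, $_.Thumbprint, $selfSigned, $_.NotAfter
    }
}

# 2. Handshake with the CDN host and capture the chain the client actually receives.
$tcp = New-Object System.Net.Sockets.TcpClient
if ($Proxy) {
    # Explicit proxy: open a CONNECT tunnel first (unauthenticated; a 407 means NTLM auth is required and
    # this simple tunnel will not work, but the 407 itself confirms the proxy is in the path).
    $ph, $pp = $Proxy.Split(':'); $tcp.Connect($ph, [int]$pp)
    $raw = $tcp.GetStream()
    $req = [Text.Encoding]::ASCII.GetBytes("CONNECT ${Target}:443 HTTP/1.1`r`nHost: ${Target}:443`r`n`r`n")
    $raw.Write($req, 0, $req.Length)
    $buf = New-Object byte[] 4096; $n = $raw.Read($buf, 0, $buf.Length)
    $status = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Split("`r`n")[0]
    if ($status -notmatch ' 200 ') { throw "Proxy refused CONNECT: $status" }
} else {
    $tcp.Connect($Target, 443); $raw = $tcp.GetStream()
}

# The callback records what Windows thinks of the chain and returns $true only so the handshake
# completes for inspection; the policy errors are printed, not hidden.
$script:seen = $null
$ssl = New-Object System.Net.Security.SslStream($raw, $false, {
    param($sender, $cert, $chain, $errors)
    $script:seen = @{ Cert = $cert; Chain = $chain; Errors = $errors }
    $true
})
$ssl.AuthenticateAsClient($Target)
"Leaf   : " + $script:seen.Cert.Subject
"Issuer : " + $script:seen.Cert.Issuer            # if this is the proxy CA, TLS is being intercepted
"Chain  : " + (($script:seen.Chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
"Policy : " + $script:seen.Errors                 # 'None' means Windows itself trusts the presented chain
$ssl.Dispose(); $tcp.Close()
```

If the issuer printed in step 2 is the proxy CA and the policy result is not None, Windows does not trust the chain either, so the CA (and any intermediates) must be imported into CurrentUser\Root before Docker Desktop can pick it up; if the policy result is None but docker pull still fails, the problem is on the Docker side of the bundle rather than in the store.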

The certificate was already in Root location, which should be enough per FAQ. Just to be on the safe side, I copied it to Intermediate one. Chrome was just a convenient way to view the certificate store but I can view it using Windows standard MMC snapin as well.
Yeah, restarted Docker Desktop like 15 times, even rebooted a few times :disappointed_relieved:

Since the error response mentions exactly the name of the proxy certificate as it is in the certificate store, I don’t think it is missing - it is however self-signed and someone/something doesn’t like that.

Command like:

docker search sql

on the other hand, works just fine.

It is ‘great’ how up-to-date Microsoft documentation is.
For example the link mentions:

‘C:\ProgramData\Docker\config\daemon.json’

That folder doesn’t exist.

There is C:\ProgramData\DockerDesktop when you install Docker Desktop.

So, really, at this point I don’t understand what is one supposed to install, from where, to get docker for Windows working on Windows 10?

I installed Docker Desktop for Windows 2.0.0.2 and am trying to pull a simple container.

The link above eventually points to:

which is all about installing Windows docker containers on Windows Server 2016.

I am not interested in Windows Server 2016, at this point but just want to run a simple container on Windows 10 using Docker Desktop.