Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 99.84.192.50 443]
Reading package lists… Done
W: Failed to fetch https://download.docker.com/linux/ubuntu/dists/jammy/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 99.84.192.50 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
If you followed the instructions to install the Docker Engine (docker-ce) on Install Docker Engine on Ubuntu, it should work. In your case, it looks like step 2. and 3. of the installation instructions might not be done properly.
The tutorial you followed is high likely outdated (I haven’t read it, just saw it is from 2021) If you want docker-ce on WSL2, then you will want to enable systemd support in Ubuntu (see: Systemd support is now available in WSL! - Windows Command Line).
If enabling systemd causes problems → update your wsl installation to the latest version (wsl --update).
Thank you! I checked out the installation instructions. They look a bit different from what I did initially. However, when I follow them, I end up with:
Self-signed certificate encountered.
To connect to download.docker.com insecurely, use `–no-check-certificate’.
This shouldn’t be necessary. The domain uses a certificate from a well known CA (Amazon Root CA 1) and is included in every recent browser and ca truststore there is.
Note: the repo is exposed through CloudFront, which will resolve to the closest aws edge location. The curl command from aboves helps us to see the response from your edge location.
SSL certificate problem: self-signed certificate in certificate chain
Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
what’s the output of openssl s_client -connect download.docker.com:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text
if the issuer from 1. output is listed in the output of awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
If your company enforces TLS/SSL-Inspection, the security context of https-requests will be terminated in a security appliance, which will establish a new security context between the appliance and the target. Your client needs to be able to validate the certificate the security appliance creates on the fly.
You will need to import the ca-certificate used by the appliance to create the on-the-fly certificates in your WSL distribution. Your it-department should be able to tell you which certificate needs to imported.
Another issue could be that the vpn connections potentially alters required routes. Depending on the configuration it could affect all traffic or just the traffic to the WSL ip range.
