Synology DSM 6.2 will report an error when using docker pull

docker: error pulling image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/fa/fa4e316b03c7f160270da448da526c98c19d07fdfb26e1c5e056794ee955817e/data?verify=1715230076-B8Bxe1JQyXZvXJwaILEcMFdNpV4%3D": x509: certificate has expired or is not yet valid: current time 2024-05-09T11:57:56+08:00 is after 2021-09-30T14:01:15Z.

root@NAS:~# docker version
Client:
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.15.6
 Git commit:        b35e731
 Built:             Fri Jun 18 08:25:45 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.15.6
  Git commit:       e7f7c95
  Built:            Fri Jun 18 08:26:10 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.3
  GitCommit:        b1dc45ec561bd867c4805eee786caab7cc83acae
 runc:
  Version:          v1.0.0-rc93
  GitCommit:        89783e1862a2cc04647ab15b6e88a0af3d66fac3
 docker-init:
  Version:          0.19.0
  GitCommit:        12b6a20

root@NAS:~# docker info
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 18
  Running: 14
  Paused: 0
  Stopped: 4
 Images: 28
 Server Version: 20.10.3
 Storage Driver: btrfs
  Build Version: Btrfs v4.0
  Library Version: 101
 Logging Driver: db
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs db fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b1dc45ec561bd867c4805eee786caab7cc83acae
 runc version: 89783e1862a2cc04647ab15b6e88a0af3d66fac3
 init version: 12b6a20 (expected: de40ad0)
 Security Options:
  apparmor
 Kernel Version: 3.10.102
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.471GiB
 Name: NAS
 ID: 2PKX:GCM7:ERIF:DSTN:53WS:EV4S:YCX2:DPAS:SQEH:4FK6:TFI6:B53C
 Docker Root Dir: /volume1/@docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No kernel memory TCP limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No blkio weight support
WARNING: No blkio weight_device support
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support

You might want to update your DSM version and try again. It could be caused by an outdated certificate store. On Linux this is usually handled by the cacerts package. Since Synology is an appliance, I have no idea how to update the certificate store on it.

For instance, if I curl the domain, the certificate is okay:

me@dsm:~$ curl -v https://production.cloudflare.docker.com
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET / HTTP/2
> Host: production.cloudflare.docker.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/2 403
< date: Thu, 09 May 2024 09:10:09 GMT
< content-type: application/json
< content-length: 55
< server: cloudflare
< cf-ray: 88108e0618c6ca81-HAM
<
{"status":403,"message":"Error: invalid URL signature"}

You can ignore the 403 error, as it is a response from the URL. Your problem is that the client does not even communicate with the URL, because it sees an invalid certificate.

I tried using curl to test and the results returned are as follows:

root@NAS:/etc/docker# curl -v https://production.cloudflare.docker.com
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Like I thought: the CA certificate (that signed the domain certificate you try to access) in your trust store expired, which prevents validating the chain of trust. We can't help you with an OS-related problem.

You might want to ask the Synology community about it. Though, most likely they will tell you to update your DSM version, like I did in my last post.

I have had the same issue recently. Did you fix this issue? If so, please share with me.

In case I was not clear enough: this is an OS problem, not a Docker problem.
Docker is just affected by the problem your OS has.

The issue has not been solved yet. I am planning to upgrade to DSM7, but I am worried about the process.

I've been having the same issue (running DSM 6.2.2) and just found the solution. The problem is with an expired root certificate as explained here: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

The solution that I found is here: Updating CA root certificate bundle on Synology

Apparently as a new user I can only put 2 links in one post so I have to split my reply.

Running

openssl s_client -showcerts -connect production.cloudflare.docker.com:443

Resulted in:

CONNECTED(00000003)
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

This confirmed that the issue was with the older root certificate "DST Root CA X3".

Basically (via SSH) copy the old certificate to a backup location (just in case), pull a new certificate, move it to the correct location and restart the docker daemon:

Connect to the NAS as an administrator via SSH, then:

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup
wget --no-check-certificate https://curl.se/ca/cacert.pem
sudo mv cacert.pem /etc/ssl/certs/ca-certificates.crt
sudo synoservice --restart pkgctl-Docker

Fixed, I can now pull images again!
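As an added illustration (not from this thread), the script below does the same confirmation offline on the bundle itself: stdlib-only Python that walks each certificate's DER in a PEM bundle such as /etc/ssl/certs/ca-certificates.crt and lists the roots already expired at a given time, so you can verify that the old store really holds the expired DST Root CA X3 and re-run it on the replacement cacert.pem, which was fetched above with --no-check-certificate and so deserves a look before it is installed. The bundle it scans here is a constructed pair of unsigned dummy certificates that mimic the real DER layout; replace SAMPLE_BUNDLE with open(path).read() for a real store.

```python
import base64, re
from datetime import datetime, timezone
def der_tlv(buf, off):
    """Decode one DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length
def der_time(buf, off):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) as aware UTC datetime."""
    tag, vs, ve = der_tlv(buf, off)
    text = buf[vs:ve].decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit year, YY < 50 means 20YY, otherwise 19YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def cn_and_not_after(der):
    """Walk tbsCertificate only as far as needed to read the subject commonName and notAfter."""
    _, pos, _ = der_tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                   # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                # skip serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, vs, pos = der_tlv(der, pos)    # validity SEQUENCE { notBefore, notAfter }
    _, _, not_after_off = der_tlv(der, vs)
    _, ss, se = der_tlv(der, pos)     # subject Name follows validity
    subject, i = der[ss:se], der[ss:se].find(b"\x06\x03\x55\x04\x03")  # OID 2.5.4.3 = commonName
    _, cs, ce = der_tlv(subject, i + 5) if i >= 0 else (0, 0, 0)
    return subject[cs:ce].decode("utf-8") or "(no CN)", der_time(der, not_after_off)
def expired_roots(pem_text, now):
    """[(CN, notAfter)] for every certificate in the PEM bundle that is expired at `now`."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = (cn_and_not_after(base64.b64decode("".join(b.split()))) for b in blocks)
    return [(cn, na) for cn, na in certs if na <= now]

# Constructed sample input: unsigned dummy certificates with the real DER layout (not the real roots).
def tlv(tag, body):  # short-form length only; every body built here is under 128 bytes
    return bytes([tag, len(body)]) + body
def fake_cert_pem(cn, not_after_utctime):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    validity = tlv(0x30, tlv(0x17, b"000930000000Z") + tlv(0x17, not_after_utctime))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name + validity + name + tlv(0x30, b""))
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = fake_cert_pem("DST Root CA X3", b"210930140115Z") + fake_cert_pem("ISRG Root X1", b"350604110438Z")
ERROR_TIME = datetime(2024, 5, 9, 3, 57, 56, tzinfo=timezone.utc)  # the docker error's "current time", in UTC
```

Running expired_roots(SAMPLE_BUNDLE, ERROR_TIME) reports only the dummy "DST Root CA X3" entry with its 2021-09-30 14:01:15 UTC expiry, matching the openssl output above.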


Fixed for me. Thanks a lot!