TLS certificate untrusted from dockerized registry container

ronaldblaster · November 20, 2017, 11:16am

Hello,

I have a reccurent on my docker registry container. I use the official image from library/registry:2.3.1. This image needs to send notifications via webhooks to another docker container. webhooks endpoint is over HTTPS and certificates are delivered from an internal PKI.

On both containers, the ca certificate bundle has been added in /usr/share/ca-certificates directory with name cabundle.crt followed by command update-ca-certificates.

If I do a openssl s_client from the registry container: I can see that the proper certificate is presented with the expected certificate chain. But I get the following message:

Verify return code: 21 (unable to verify the first certificate)

Even if I manually add the full ca chain certificate bundled in /etc/ssl/certs/ca-certificates.crt file, I still get that error.

Something that I could have missed here to “force” my registry container to trust the certificate of my notification endpoint?

Thanks!

Ronald

Topic		Replies	Views
How to bypass the CA trust from docker clients to access the docker registry over https/TLS General	3	2806	December 2, 2020
Unable to push/pull to private docker registry over TLS Docker Desktop windows	5	18872	June 13, 2021
How to make a container trust the certs in the host ca-certificate store General docker	0	2324	March 23, 2017
Private registry always returns x509: certificate signed by unknown authority General	3	18910	July 16, 2019
Tls: failed to parse certificate from server: x509: unsupported elliptic curve Docker Engine	2	7867	October 6, 2015

TLS certificate untrusted from dockerized registry container

Related topics