Tls: failed to verify certificate: x509

Hello, I’m running WSL2 on Windows 10 and I have installed Docker Engine on Ubuntu (Jammy 22.04) following the guide on the Docker site.

When I try to verify that the Docker Engine installation is successful by running the hello-world image

$ sudo docker run hello-world

I received this error

Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority.
See 'docker run --help'.

And the same happens if I try to run other Docker images, like Kafka + ZooKeeper:

docker-compose up -d

I get

Pulling zookeeper (confluentinc/cp-zookeeper:latest)…
ERROR: Get "https://registry-1.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

I have tried with my own network and with the company’s one, with and without VPN.

Could you help me? Thanks

How did you install the Docker Engine exactly?

What do you get when you run the following command?

curl -vvvv https://registry-1.docker.io

You can check the certificate this way:

openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null

Please use code blocks as described here: How to format your forum posts

You can also check if you have an antivirus on the host. Recently I found out that the ESET antivirus can replace the original certificates with its own cert and cause issues on the command line, while web browsers accept it.

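The `openssl s_client -showcerts` check suggested above answers the question directly: does the chain the client receives end in a root the local store trusts, or in an intercepting CA (a Zscaler-style proxy, an antivirus such as the ESET case mentioned, a corporate root)? The following is an added example and not code from any post in this thread: a POSIX shell function that classifies an `s_client` transcript from its `depth=`, `verify error:` and `Verify return code:` lines. Both sample transcripts are constructed; the trusted one copies the depth lines of the real registry-1.docker.io chain posted further down in this thread, the intercepted one uses a hypothetical "Example Corp TLS Inspection Root". The error numbers 18/19/20/21 are OpenSSL's real X509_V_ERR codes.

```shell
#!/bin/sh
# Added example, not from the thread: classify an `openssl s_client -showcerts` transcript
# so that "x509: certificate signed by unknown authority" can be traced to its cause.
#
# Live usage:  openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null 2>&1 | classify_chain
# (2>&1 matters: s_client writes the depth=/verify lines to stderr.)

# Reads an s_client transcript on stdin; prints root, leaf, verify result, a verdict and a hint.
# OpenSSL X509_V_ERR codes used:
#   18/19 self-signed certificate (in chain) -> root not in the local store (inspection proxy or corporate CA)
#   20/21 issuer not found                   -> missing intermediate, or its root is not installed
classify_chain() {
  awk '
    BEGIN { maxd = -1 }
    /^depth=[0-9]+ / {
      d = substr($1, 7) + 0                 # "depth=2" -> 2
      s = $0; sub(/^depth=[0-9]+ /, "", s)
      subj[d] = s                           # a depth repeated after an error carries the same subject
      if (d > maxd) maxd = d
    }
    /^verify error:num=/ {
      n = $0; sub(/^verify error:num=/, "", n); sub(/:.*/, "", n)
      errnum = n + 0
      errmsg = $0; sub(/^verify error:num=[0-9]+:/, "", errmsg)
    }
    /^ *Verify return code:/ { code = $0; sub(/^ *Verify return code: */, "", code) }
    END {
      if (maxd < 0) {
        print "verdict: no-handshake"
        print "hint: no certificate chain received; check DNS, proxy and firewall before looking at trust"
        exit
      }
      print "root: " subj[maxd]
      print "leaf: " subj[0]
      print "verify: " (code == "" ? "unknown" : code)
      if (code ~ /^0 /) {
        print "verdict: trusted"
        print "hint: this trust store accepts the chain; if dockerd still fails it is using another store or host"
      } else if (errnum == 18 || errnum == 19) {
        print "verdict: untrusted-root"
        print "hint: chain ends in a self-signed CA the store lacks; export the depth " maxd " cert and install it as a .crt"
      } else if (errnum == 20 || errnum == 21) {
        print "verdict: incomplete-chain"
        print "hint: an issuer is missing; the server or proxy omits an intermediate, or its root is not installed"
      } else {
        print "verdict: failed"
        print "hint: " (errmsg == "" ? "see the verify line" : errmsg)
      }
    }'
}

# Only the verdict token, for scripting.
chain_verdict() { classify_chain | sed -n 's/^verdict: //p'; }

# Constructed sample: depth lines of the real registry-1.docker.io chain posted in this thread.
sample_trusted() {
  cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = *.docker.com
verify return:1
---
Verify return code: 0 (ok)
EOF
}

# Constructed sample: the same host behind a hypothetical TLS-inspection proxy that re-signs
# the leaf with its own root, which the client's store does not contain.
sample_intercepted() {
  cat <<'EOF'
CONNECTED(00000003)
depth=1 O = Example Corp, CN = Example Corp TLS Inspection Root
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = Example Corp, CN = Example Corp TLS Inspection Root
verify return:1
depth=0 CN = *.docker.com
verify return:1
---
Verify return code: 19 (self signed certificate in certificate chain)
EOF
}
```

A "trusted" verdict from the shell while `docker pull` still fails means the daemon is not consulting the store you just tested (for example dockerd runs in a different WSL distro or on a different host than the shell), which is a different problem from a missing root.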

Hello, I get the same kind of error when pulling images from the Hub:

pi@DockerPi:~ $ curl -vvvv https://registry-1.docker.io
*   Trying [2600:1f18:2148:bc00:41e1:f57f:e2e2:5e54]:443...
* Connected to registry-1.docker.io (2600:1f18:2148:bc00:41e1:f57f:e2e2:5e54) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Oct  2 00:00:00 2023 GMT
*  expire date: Oct 31 23:59:59 2024 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< content-type: text/plain; charset=utf-8
< docker-distribution-api-version: registry/2.0
< x-content-type-options: nosniff
< date: Tue, 23 Jan 2024 19:56:11 GMT
< content-length: 19
< strict-transport-security: max-age=31536000
<
404 page not found
* Connection #0 to host registry-1.docker.io left intact
pi@DockerPi:~ $ docker pull hello-world
Using default tag: latest
Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
pi@DockerPi:~ $ openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = *.docker.com
verify return:1
---
Certificate chain
 0 s:CN = *.docker.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  2 00:00:00 2023 GMT; NotAfter: Oct 31 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.docker.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5635 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
pi@DockerPi:~ $

I have installed Docker on a Raspberry Pi with a fixed IP address, using an OpenDNS server.
I used nmcli commands to fix the IP address and set the gateway and DNS server.
sudo apt update and sudo apt upgrade are working fine, so the internet connection is OK.
Any ideas?

How is:

The same kind of error as

???

While the first is a problem while validating the certificate chain, the second is a timeout problem.

Furthermore, the tests you did with curl do not indicate any sort of issues while validating the certificate chain.

Yes, in my case there was an error with the Zscaler policy applied by my company.


Try to add root-ca.cer to your container. Take root-ca.cer from your IT security team.

How does one “add it to the container”?

I followed the steps below:

Convert your root-ca.cer to a .pem file using openssl.

Copy and append the key of the .pem file to /etc/ssl/certs/ca-certificates.crt.

Restart the container.

It worked for me!

Here is the detailed instruction.
If you look at the error message carefully, you can tell it is related to the root cert.
x509:certificate signed by unknown authority.

  1. When you try to pull something from the Docker site (e.g. docker pull hello-world), it reaches out to docker.io.
  2. Your computer (most likely Linux) first downloads the cert from the website. If you examine the cert, you can tell it is signed by Zscaler.
  3. And there is a good chance your computer (mine is Ubuntu 20.04) is missing the root cert of Zscaler. And your computer is saying “hey, docker.io! You are claiming your cert has been signed by Zscaler. But I don’t know who Zscaler is”.

This is how you fix it.

  1. Run this command to list the root certs currently installed on your machine.
    sudo update-ca-certificates --fresh (Chances are you won’t see the one for Zscaler).
  2. Download Zscaler’s root cert in der format and convert it to pem (but make sure the extension is .crt. Otherwise it won’t work)
  3. Copy the crt file (in my case, I named it Zscaler.crt) to /usr/local/share/ca-certificates
  4. Run this command again
    sudo update-ca-certificates --fresh
  5. It will read the crt file and add it to the available root cert store on your linux machine.

Try docker pull hello-world again.

  1. It will go to docker site and download its cert.
  2. Since the Docker site cert was signed by Zscaler, your computer will check for the matching root cert of Zscaler.
  3. Since your computer now has the file, it will validate the cert (that was signed by Zscaler) is legit and proceed without any errors.
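The two install recipes above (appending the PEM to /etc/ssl/certs/ca-certificates.crt, or staging a .crt under /usr/local/share/ca-certificates and running update-ca-certificates) reach the same bundle, but only the second is durable: update-ca-certificates regenerates /etc/ssl/certs/ca-certificates.crt from /etc/ca-certificates.conf and /usr/local/share/ca-certificates, so a hand-appended entry is lost the next time it runs (for instance on a ca-certificates package upgrade). The following is an added example, not code from either post: a POSIX shell helper that stages a DER or PEM root as a correctly named .crt, refuses anything that is not a CA certificate, rebuilds the bundle, restarts dockerd, and confirms the CA is present in the bundle the daemon actually reads. The file name root-ca.cer and the bundle name corp-root are hypothetical; the paths are the Debian/Ubuntu defaults. Two points the posts leave implicit: the pull is performed by the daemon, so the CA belongs in the host's trust store (inside the WSL2 distro for the original poster), not in a container; and Go loads the system roots once per process, so dockerd must be restarted after update-ca-certificates or it keeps reporting the x509 error.

```shell
#!/bin/sh
# Added example, not from any post in this thread: install a corporate root CA into the
# Debian/Ubuntu trust store that dockerd reads, and check that it actually landed there.
# Hypothetical names: root-ca.cer is the file from the IT team, "corp-root" the bundle name.
# Paths are the Debian/Ubuntu defaults; override them via the environment for testing.

CA_LOCAL_DIR="${CA_LOCAL_DIR:-/usr/local/share/ca-certificates}"  # update-ca-certificates scans *.crt here
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"       # the bundle Go (dockerd) and OpenSSL load

# Normalise a DER (.cer) or PEM file to PEM and stage it as <name>.crt; prints the staged path.
# update-ca-certificates ignores files that are not PEM or not named *.crt, which is why
# "I copied the .cer into the directory and nothing changed" is the usual failure.
stage_corporate_ca() {
  src=$1; name=$2; dst="$CA_LOCAL_DIR/$name.crt"
  mkdir -p "$CA_LOCAL_DIR"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null; then inform=PEM; else inform=DER; fi
  openssl x509 -in "$src" -inform "$inform" -out "$dst" -outform PEM || return 1
  # Only a CA certificate belongs in the store: a leaf would fix nothing, and every
  # client on the host would still start trusting it.
  if ! openssl x509 -in "$dst" -noout -text | grep -q 'CA:TRUE'; then
    echo "refusing $src: basicConstraints CA:TRUE missing, not a CA certificate" >&2
    rm -f "$dst"; return 1
  fi
  printf '%s\n' "$dst"
}

# Rebuild the bundle and restart dockerd (needs root). Go reads the system roots once per
# process, so a running daemon keeps failing with "x509: certificate signed by unknown
# authority" until it is restarted, even though the bundle is already correct.
activate_trust() {
  update-ca-certificates && systemctl restart docker
}

# Is a certificate whose subject contains $1 present in bundle $2 (default: the system bundle)?
# crl2pkcs7 | pkcs7 -print_certs lists "subject=" / "issuer=" for every cert in a PEM bundle.
ca_in_bundle() {
  needle=$1; bundle=${2:-$CA_BUNDLE}
  openssl crl2pkcs7 -nocrl -certfile "$bundle" | openssl pkcs7 -print_certs -noout | grep -q -- "$needle"
}

# End-to-end check against the registry (needs network; not exercised offline):
# the chain the proxy presents must verify against the rebuilt bundle.
registry_chain_ok() {
  openssl s_client -connect registry-1.docker.io:443 -servername registry-1.docker.io \
    -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 '
}

# Typical run as root:
#   stage_corporate_ca root-ca.cer corp-root && activate_trust \
#     && ca_in_bundle 'Your CA common name' && registry_chain_ok && docker pull hello-world
```

If `ca_in_bundle` finds the root but `registry_chain_ok` still fails, the proxy is presenting a chain whose issuer is a different certificate than the one IT handed out (an intermediate, or a rotated root); compare the `depth=` lines from `openssl s_client -showcerts` with the subject of the file you installed before adding anything else to the store.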

Thank you so much, this really worked for me.