Here are the detailed instructions.
If you look at the error message carefully, you can tell it is related to the root cert.
x509:certificate signed by unknown authority.
- When you try to pull something from the Docker site (e.g. docker pull hello-world), it reaches out to docker.io.
- Your computer (most likely Linux) first downloads the cert from the website. If you examine the cert, you can tell it is signed by Zscaler.
- And there is a good chance your computer (mine is Ubuntu 20.04) is missing the root cert of Zscaler. And your computer is saying “hey, docker.io! You are claiming your cert has been signed by Zscaler. But I don’t know who Zscaler is.”
This is how you fix it.
- Run this command to list the root certs currently installed on your machine.
sudo update-ca-certificates --fresh
(Chances are you won’t see the one for Zscaler.)
- Download Zscaler’s root cert in DER format and convert it to PEM (but make sure the extension is .crt; otherwise it won’t work).
- Copy the .crt file (in my case, I named it Zscaler.crt) to /usr/local/share/ca-certificates
- Run this command again.
sudo update-ca-certificates --fresh
- It will read the .crt file and add it to the available root cert store on your Linux machine.
Try docker pull hello-world again.
- It will go to the Docker site and download its cert.
- Since the Docker site cert was signed by Zscaler, your computer will look for the matching Zscaler root cert.
- Since your computer now has the file, it will validate that the cert (that was signed by Zscaler) is legit and proceed without any errors.
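The steps above as a script, added here as an example and not part of the original instructions. The function names and the expected-fingerprint argument are assumptions of this example; the fingerprint check is there because a root cert added to the store is trusted for every site, so it should match the value your IT team publishes.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the issuer of the cert HOST presents (needs network and openssl).
show_issuer() {
  local host="$1"
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Copy SRC into DEST_DIR as PEM with a .crt extension and print the new path.
# PEM input is copied unchanged; anything else is treated as DER and converted.
stage_root_ca() {
  local src="$1" dest_dir="$2" base out
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  base="$(basename "$src")"
  out="${dest_dir}/${base%.*}.crt"   # update-ca-certificates only picks up *.crt
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
    cp -- "$src" "$out" || return 1
  else
    openssl x509 -inform der -in "$src" -outform pem -out "$out" || return 1
  fi
  echo "$out"
}

# Full flow, run as root. EXPECTED is the SHA-256 fingerprint obtained out of
# band, in openssl's colon-separated uppercase hex form (AB:CD:...).
install_root_ca() {
  local src="$1" expected="$2" staged actual
  staged="$(stage_root_ca "$src" /usr/local/share/ca-certificates)" || return 1
  actual="$(openssl x509 -in "$staged" -noout -fingerprint -sha256 | cut -d= -f2)"
  if [ "$actual" != "$expected" ]; then
    rm -f -- "$staged"
    echo "fingerprint mismatch: got $actual" >&2
    return 1
  fi
  update-ca-certificates --fresh
}

# Usage (nothing runs when this file is sourced):
#   show_issuer docker.io
#   install_root_ca ./Zscaler.der 'AB:CD:...'   # placeholder fingerprint
```

If the Docker daemon was already running, restart it (for example `sudo systemctl restart docker` on systemd hosts) so it reloads the system trust store before you retry the pull.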