Tls: failed to verify certificate

I can no longer pull from docker. This is on an up-to-date and rebooted ArchLinux system. I don’t get this problem on my other systems.

```
docker pull hello-world
Using default tag: latest
Error response from daemon: Get "https://registry-1.docker.io/v2/":
 tls: failed to verify certificate: x509: certificate is valid for
 76a02b8f34b0a7a5a5dcd164de1ae295.gr7.us-east-1.eks.amazonaws.com,
 ip-172-16-124-126.ec2.internal, kubernetes, kubernetes.default,
 kubernetes.default.svc,
 kubernetes.default.svc.cluster.local, not registry-1.docker.io
```

The following seems to indicate I don’t have the right certificates:

```
openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null
Connecting to 34.205.13.154
CONNECTED(00000003)
depth=0 CN=kube-apiserver
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=kube-apiserver
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=kube-apiserver
verify return:1
---
Certificate chain
 0 s:CN=kube-apiserver
   i:CN=kubernetes
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 24 20:06:03 2024 GMT; NotAfter: Jan 29 05:53:08 2026 GMT
```
etc

I don’t understand what’s missing or wrong exactly or, indeed, how to fix it.

I’d appreciate some guidance.

This definitely does not look like the right certificate.

It looks like your system tries to access the registry through a service that runs on an EKS cluster, and instead of creating the HTTPS security context between your host and the registry, the security context is created between your host and an EKS cluster.

If it was a general problem, we would see it mentioned in https://www.dockerstatus.com.

Thank you, that was surprisingly helpful. It focused my thoughts onto DNS rather than docker. For some reason I had 34.205.13.154 registry-1.docker.io in my /etc/hosts file. I have no idea why!

Thank you very much for responding.

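The cause found in this thread, a static hosts-file entry overriding DNS, can be checked for directly. The following is an added example, not part of the original posts: two POSIX shell functions (the names `hosts_overrides` and `san_matches` are hypothetical) that list the addresses a hosts file pins a name to and test a hostname against the names a certificate is valid for. The sample hosts file is constructed, using the entry and certificate names quoted in the thread.

```shell
#!/bin/sh
# Added example: diagnose a TLS name mismatch caused by a hosts-file override.

# hosts_overrides FILE NAME -> prints each IP that FILE pins NAME to.
hosts_overrides() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                 # strip comments (whole-line or trailing)
    NF >= 2 {
      for (i = 2; i <= NF; i++)        # field 1 is the IP, the rest are names
        if (tolower($i) == want) { print $1; break }
    }' "$1"
}

# san_matches NAME SAN... -> returns 0 if NAME is covered by any SAN.
# Handles an exact match and a single leftmost "*." wildcard label.
san_matches() {
  _name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  for _san in "$@"; do
    _san=$(printf '%s' "$_san" | tr 'A-Z' 'a-z')
    [ "$_san" = "$_name" ] && return 0
    case "$_san" in
      '*.'*)
        _rest=${_name#*.}              # NAME without its first label
        [ "$_rest" != "$_name" ] && [ "*.$_rest" = "$_san" ] && return 0 ;;
    esac
  done
  return 1
}

# Constructed sample hosts file; the pinned entry is the one from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
# 10.0.0.5  registry-1.docker.io   (commented out, must be ignored)
34.205.13.154 registry-1.docker.io
EOF
for ip in $(hosts_overrides "$sample" registry-1.docker.io); do
  echo "hosts file pins registry-1.docker.io to $ip, bypassing DNS"
done
# Certificate names taken from the x509 error quoted in the thread.
san_matches registry-1.docker.io kubernetes kubernetes.default \
  kubernetes.default.svc kubernetes.default.svc.cluster.local \
  || echo "certificate names do not cover registry-1.docker.io"
rm -f "$sample"
```

On a live system, pass `/etc/hosts` as the file argument.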
