x509: certificate signed by unknown authority - both with docker and with github

Question

docker build -t oreng/iojs .

INFO[0000] Get https://index.docker.io/v1/repositories/library/iojs/images: x509: certificate signed by unknown authority. 

my Dockerfile is

FROM iojs:latest
RUN useradd -ms /bin/bash developer
WORKDIR /home/developer
USER developer

Also hub create (using https://github.com/github/hub)

Post https://api.github.com/user/repos: x509: certificate signed by unknown authority 

Answer 1

As mentioned in crypto/x509/root_unix.go, Go (which is what Docker uses) will check CA certificates in

"/etc/ssl/certs/ca-certificates.crt",     // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",       // Fedora/RHEL
"/etc/ssl/ca-bundle.pem",                 // OpenSUSE
"/etc/ssl/cert.pem",                      // OpenBSD
"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
"/etc/pki/tls/cacert.pem",                // OpenELEC
"/etc/certs/ca-certificates.crt",         // Solaris 11.2+

Make sure those files are available and not corrupted.

There can be also sporadic issue with the CDN, as in this comment:

because now it works :+1: . It must be a amazon edge isssue

The last thread also includes the following check:

The user reporting the issue either has non of those files or those files don't include the rapidssl cert.
We could ask them to send us those files and check if the certificate is included.
The user may also try this:

openssl s_client -showcerts -verify 32 -connect index.docker.io:443

If that fails, the certificates are missing.

Regarding GitHub, be aware it is under a massive DDoS attack at the moment, which could have other side-effects beside the certificate issue.

Answer 2

In Ubuntu 16.04 , should work with other versions as well.

Create/copy .crt under /usr/local/share/ca-certificates:

sudo cp installation/certificates/docker-registry.crt \
/usr/local/share/ca-certificates

And then run

sudo update-ca-certificates

This will add the certificate under /etc/ssl/certs/ca-certificates.crt and then restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

Answer 3

Well I was facing a similar issue. And here is it, where I was:

My Scenario: Built an Ubuntu VM on Oracle VB, and started building my K8s cluster. The docker fails to pull the calico images. Throwing out below errors:

Failed to pull image "docker.io/calico/cni:v3.18.2": rpc error [...] INFO[0009] Get https://registry-1.docker.io/v2: x509: certificate signed by unknown authority.

Then I tried to perform a simple 'docker login' to the default registry, which lead me to the same error.

These were the outcomes learnt from, an entire day, reading and learning:

1. you can use a self signed certificate
2. you can get a CA certificate from the official website

TBH, none of the above lessons lead me to eureka!

So, here is what I did:

I downloaded the certificate from the actual registry, and added it to /etc/docker/certs/[registry_domain_name] and the appended the same to the SSL CA certificate on the server. And guess what, I did give me results. So here are the steps in detail below:

Step 1: openssl s_client -showcerts -connect ${DOMAIN}:${PORT}</dev/null2>/dev/null|openssl x509 -outform PEM >ca.crt

What I Ran: openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >ca.crt

Step 2: sudo cp ca.crt /etc/docker/certs.d/${DOMAIN}/ca.crt

What I Ran: sudo cp ca.crt /etc/docker/certs.d/registry-1.docker.io/ca.crt

Step 3: cat ca.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt

Step 4: sudo service docker restart

Credits to the blog: https://rancher.com/docs/rancher/v1.6/en/environments/registries/

Answer 4

I had the same issue, restarted docker and it was gone.

sudo service docker restart