40

Description of problem:

I'm trying to pull ubuntu from the public registry with this command:

docker pull ubuntu

And then I got this result (the previous command was working yesterday):

"Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate has expired or is not yet valid"

docker version :

Client:
Version: 1.10.0
API version: 1.22
Go version: go1.5.3
Git commit: 590d510
Built: Thu Feb 4 18:36:33 2016
OS/Arch: linux/amd64

Server:
Version: 1.10.0
API version: 1.22
Go version: go1.5.3
Git commit: 590d510
Built: Thu Feb 4 18:36:33 2016
OS/Arch: linux/amd64

docker info :

Containers: 4
Running: 0
Paused: 0
Stopped: 4
Images: 20
Server Version: 1.10.0
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 44
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
Volume: local
Network: bridge null host
Kernel Version: 3.19.0-49-generic
Operating System: Ubuntu 14.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 5.815 GiB
Name: ubuntu
ID: Y6OO:23T2:BAPU:DVQJ:HJCJ:USEP:T6EU:PMG4:O4M6:46C7:JKPC:BQHT
WARNING: No swap limit support

uname -a :

Linux ubuntu 3.19.0-49-generic #55~14.04.1-Ubuntu SMP Fri Jan 22 11:24:31 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I verified my "date" and everything is good. I don't know where this issue can come from.

  • For those who are facing problem with private repos, this can help: https://stackoverflow.com/a/65184268/1938507 – Junaed Dec 07 '20 at 15:12

20 Answers

40

This one did it for me: docker-machine regenerate-certs --client-certs

Dan Ochiana
32

This can also apparently happen with time drift, which is a problem with Docker Desktop for Windows. The clock on the Linux VM that's running the Docker daemon does not, by default, sync time with your main Windows host. If, like me, you work on a laptop, and your laptop is asleep for long periods of time without you rebooting or otherwise restarting Docker, it would seem your Linux VM's clock can drift enough that you can get this error. Restarting Docker clears it up, however.

I recognize the OP is probably no longer in need of an answer and it was not necessarily the OPs issue (no indication if they were using Windows), but since I got here through my own research into this problem, I figured I'd add the answer.

Nathan Hartzell
  • Thanks, had this issue because machine was asleep over the 30th March British Summer Time clocks change while Docker VM was running. Restarting Docker resolved the issue. – danialk Mar 30 '20 at 13:13
  • In my case, a restart of Docker Desktop was not enough (I use the Docker Desktop WSL 2 backend); after a reboot of the machine, the issue was gone. – Matze Jan 26 '21 at 15:14
  • Quitting Docker-desktop and Starting again worked. Simply restarting Docker-desktop did not have the same effect for some reason. Thanks. – sunny_dev Jul 25 '21 at 08:04
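
Several answers on this page trace the error to the host or VM clock rather than to the certificate, and the Go error text does not say which side is wrong. The following is an added example, not code from any of the posts: it takes the two lines printed by `openssl x509 -noout -dates` plus the local clock reading and an optional trusted reference date, and separates a drifted clock from a certificate that is really expired or not yet valid. The function names, `MAX_SKEW_SECONDS` and the sample dates are constructed for illustration.

```python
import ssl
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 300  # assumed tolerance before the local clock counts as drifted

# Constructed sample: the two lines `openssl x509 -noout -dates` prints for a certificate.
SAMPLE_DATES = """notBefore=Jan  1 00:00:00 2020 GMT
notAfter=Jan  1 00:00:00 2021 GMT"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as Unix epochs from notBefore=/notAfter= lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = ssl.cert_time_to_seconds(value)
    if len(fields) != 2:
        raise ValueError("expected one notBefore= and one notAfter= line")
    return fields["notBefore"], fields["notAfter"]


def diagnose(dates_text, local_epoch, reference_date=None):
    """Classify the validity check as seen by a host whose clock reads local_epoch.

    reference_date is an optional RFC 7231 date string (for example an HTTP Date
    header) taken from a source whose clock is trusted.
    Returns (verdict, skew_seconds); skew is None without a reference.
    """
    not_before, not_after = parse_openssl_dates(dates_text)
    skew = None
    if reference_date is not None:
        skew = local_epoch - parsedate_to_datetime(reference_date).timestamp()
    if not_before <= local_epoch <= not_after:
        return "valid", skew
    drifted = skew is not None and abs(skew) > MAX_SKEW_SECONDS
    if drifted and not_before <= local_epoch - skew <= not_after:
        # The certificate is fine at the reference time: fix the clock, not TLS.
        return "clock-drift", skew
    return ("not-yet-valid" if local_epoch < not_before else "expired"), skew


if __name__ == "__main__":
    # Constructed scenario: a VM clock stuck in October 2019, reference from May 2020.
    print(diagnose(SAMPLE_DATES, 1570000000, "Wed, 20 May 2020 18:40:00 GMT"))
```

A `clock-drift` verdict points at the time-sync and restart fixes described in the answers; `expired` with near-zero skew means the certificate or the local CA bundle needs attention instead.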
11

I got this error, it was related to system date/time settings. (I realize the OP stated his date was OK, just adding this comment for other people who might arrive at this page where this is the issue - like I did!!)

Had an issue when I booted up my machine and the time/date settings were incorrect. Later, after my machine had the correct date/time settings, I tried to pull an image from docker and got the above error.

I restarted the docker daemon running locally, so it picked up the new date/time and can now pull successfully again.

shakel
9

If this happened with Docker on Windows, just restart Docker Desktop.

Yasser
8

You can either use the --insecure-registry option while starting the docker daemon, or you need to provide a valid certificate path. Look here for details.

Tyagi Akhilesh
5

In my case I have decided to change the date and time of the server to the current date.

Israel Zebulon
2

This happened also to me:

  • while trying to login to an Artifactory.
  • when my local docker daemon has been running for a couple weeks.

I simply restarted my local docker daemon, and could login to the Artifactory with no error message.

2

I had a similar issue on a centos vagrant vm machine. When I was pulling any docker image, the error below was popping up:

   error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/4b/4bb46517cac397bdb0bab6eba09b0e1f8e90ddd17cf99662997c3253531136f8/data?verify=1597376104-j8KSa2vKDeIZNFuPq0EP9cb3sqc%3D: x509: certificate has expired or is not yet valid

The problem was that the centos vagrant vm machine's date and timezone were different from my host machine's. After updating my vm machine to the same date and timezone as my host, the issue was fixed.

   # check the timezone
   $ timedatectl
   # update the timezone
   $ timedatectl set-timezone America/Toronto
   # update the date
   $ date --set="Fri August 14 3:08:10 EDT 2020"

onlyme
  • Unix timestamps are timezone-agnostic. More likely that changing the timezone also synced the clock to the correct time. – miken32 Jan 30 '23 at 23:57
1

For anyone using Podman, a system reboot helped. Maybe restarting the podman machine could help as well.

Alserda
0

In a dev environment you could avoid this error: modify the file daemon.json located at /etc/docker/daemon.json, add an insecure registry to the list, and restart the docker engine.

{
  "insecure-registries" : [ "myinsecureregistry.com:443", "myinsecureregistry.com", "x.x.x.x:5000" ]
}

Ref: daemon configuration

josuedani
0

Had the same issue with my private docker registry on a QNAP server.

Apparently there is a bug with Container Station 3 as it does not renew the server certificates when you click on 'Renew' from Container station.

SSH into your NAS, clear all .pem files from /etc/docker/tls, then restart Container Station with

/share/CACHEDEV1_DATA/.qpkg/container-station/container-station.sh restart

Copy the newly generated ca.pem, cert.pem and key.pem files from /etc/docker/tls to your ~/.docker folder and it should be working again.

Cem.S
-1

Check if your docker registry is running or not. If no registry is running, try docker run -d -p 5000:5000 --name registry registry:2

Ray Baxter
-1

If the other recommendations don't get you anywhere, make sure that you aren't using a reverse proxy (like Apache) AND Jetty.

If you are using both, it's quite likely there is a *.jks that has not been updated with the most up-to-date certificate.

ukrobo
-1

Whenever you face the problem below, please set your date and time correctly:

"Error while pulling image: Get https://index.docker.io/v1/repositories/library/ubuntu/images: x509: certificate has expired or is not yet valid"

Use the command below on a Linux system to set the date and time:

sudo date --set='Mon Jan 13 14:50:44 IST 2020'

Note: if you are in a different time zone, please set it as CST, EST, EDT, etc.

Biken
-1

On Windows, with WSL2 backend? You can open a new WSL2 command prompt and use:

sudo hwclock -s

Kieren Johnstone
-1

I had a similar issue in Centos7.

Error:

-bash-4.2$ docker pull docker.elastic.co/elasticsearch/elasticsearch:7.10.1
Error response from daemon: Get https://docker.elastic.co/v2/: x509: certificate has expired or is not yet valid

Solution:

As suggested by others, checked the date of the system, it was ok. Docker pulled all the other repos - all were working as well.

The below steps resolved the issue:

  1. Reset the list of trusted CA certificates by following the steps listed here.
  2. Restart the docker using sudo systemctl restart docker.

Docker pull should be working as expected.

-bash-4.2$ docker pull docker.elastic.co/elasticsearch/elasticsearch:7.10.2
7.10.2: Pulling from elasticsearch/elasticsearch
RiveN
panair
-1

In my case I had to add

registry_nginx['ssl_certificate'] = "/path/to/certificate.pem"
registry_nginx['ssl_certificate_key'] = "/path/to/certificate.key"

to my /etc/gitlab/gitlab.rb, because I was using certbot for SSL certification of my gitlab.example.com domain. I used the same fullchain.pem and privkey.pem for my registry and the error was gone.

Mahgolsadat Fathi
-1

If this happened with Docker on Windows: Try to restart Windows, it will help to fix timezone issues.

MeBex
-1

Try updating your operating system. Sometimes some cert chains are also updated with it. It solved the problem in my case.

Luciano
-4

You need to check the network configuration. If you assign a single network interface, you will get this issue. In the network settings, check that the NICs are enabled, both public and private.

sowmya P