8

I am attempting to set up a private docker registry, secured by a reverse nginx proxy that validates users by client certificates.

The error I'm getting is:

x509: certificate signed by unknown authority

According to the documentation, you are supposed to be able to add certificates into /etc/docker/certs.d/, and I have done so. Docker appears to see the location of the certificate:

DEBU[0015] Calling POST /v1.24/images/create?fromImage=docker.squadwars.org%2Froster&tag=latest
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] hostDir: /etc/docker/certs.d/docker.squadwars.org
DEBU[0015] cert: /etc/docker/certs.d/docker.squadwars.org/client.cert
DEBU[0015] key: /etc/docker/certs.d/docker.squadwars.org/client.key
DEBU[0015] crt: /etc/docker/certs.d/docker.squadwars.org/docker.squadwars.org.crt
DEBU[0015] Trying to pull docker.squadwars.org/roster from https://docker.squadwars.org v2
WARN[0015] Error getting v2 registry: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority
ERRO[0015] Attempting next endpoint for pull after error: Get https://docker.squadwars.org/v2/: x509: certificate signed by unknown authority

I also tried renaming the cert file from mydomain.org to simply 'ca.crt', which the debug log again shows it seeing, but it didn't have any effect.

I am able to use curl like so:

curl --key client.key --cert client.cert https://docker.squadwars.org/

I can also add the --cacert option to curl, either way works.

The docker documentation says that if you still have problems, you should add the certificate at the OS level. I have done so according to the instructions:

(Which is probably why I don't need -cacert with curl, although I'm confused because I've since removed the certificate but curl still works)

This is driving me nuts, any help would be greatly appreciated!

Edit: I forgot to add that initially I had the FQDN of the certificate wrong, but it is now 'docker.squadwars.org'

Bukharov Sergey
  • 9,767
  • 5
  • 39
  • 54
Metalopholus
  • 125
  • 1
  • 1
  • 5
  • 1. Are you using a self-signed CA or a CA from some trusted issuer? 2. What's your registry config? Or what command do you use to start your registry? – Haoming Zhang Aug 27 '16 at 05:58
  • Possible duplicate of [Private Docker Registry: 'x509: certificate signed by unknown authority' ony for Windows images](https://stackoverflow.com/questions/51243062/private-docker-registry-x509-certificate-signed-by-unknown-authority-ony-for) – Akshay barahate Apr 25 '19 at 13:05
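The daemon is written in Go, and "x509: certificate signed by unknown authority" is the string of Go's x509.UnknownAuthorityError: the registry's certificate chains to no CA in the trust roots the daemon built (here, the .crt files under /etc/docker/certs.d/docker.squadwars.org/). The following added example is not from the question or any answer; it builds a throwaway CA plus registry certificate in memory and replays that verification with and without the CA, and also shows the different error a wrong FQDN produces. BuildTestPKI and VerifyRegistryCert are names of this example, not Docker APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BuildTestPKI constructs a throwaway private CA and the registry certificate it issued for host.
func BuildTestPKI(host string) (serverPEM, caPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // constructed test keys, not real ones
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)   // self-signed root
	srvDER, err2 := x509.CreateCertificate(rand.Reader, srv, ca, srvPub, caKey) // leaf signed by the CA
	if err1 != nil || err2 != nil {
		panic("fixture bug: could not issue test certificates")
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(srvDER), toPEM(caDER)
}

// VerifyRegistryCert replays the daemon's check on the registry certificate: the trust roots are
// only what certs.d/<host>/ca.crt supplies (empty caPEM = no file) and the chain must match host.
func VerifyRegistryCert(serverPEM, caPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM) // serverPEM is assumed to hold one PEM certificate
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()      // explicit roots only, the system store is not consulted
	roots.AppendCertsFromPEM(caPEM) // no-op when the CA file is missing
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	srv, ca := BuildTestPKI("docker.squadwars.org")
	fmt.Println("with ca.crt:   ", VerifyRegistryCert(srv, ca, "docker.squadwars.org"))
	fmt.Println("without ca.crt:", VerifyRegistryCert(srv, nil, "docker.squadwars.org"))
	fmt.Println("wrong FQDN:    ", VerifyRegistryCert(srv, ca, "registry.example"))
}
```

The second case reproduces the daemon's "certificate signed by unknown authority"; the third is what a mismatched FQDN looks like ("certificate is valid for ..., not ..."), so the two misconfigurations can be told apart from the error text alone.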

3 Answers

5

I could solve this error in two different ways:

a) Add the OS DTR certificate to your TLS store (recommended).
b) Allow an insecure registry in Docker. When using it with Ubuntu, just add a file named /etc/docker/daemon.json with content:

{
  "insecure-registries" : ["docker.squadwars.org"]
}

Note there is no trailing "/" after ".org"; this can cause docker to fail.

Then restart the daemon via systemd:

sudo systemctl restart docker
Community
  • 1
  • 1
jfk
  • 4,335
  • 34
  • 27
  • 1
    just a note, of course it shall be: `sudo systemctl restart docker` instead of `sudo systemctl docker restart` – mello Jan 05 '23 at 12:30
3

I got it working by creating my own certificate authority first as outlined here:

How to create a self-signed certificate with openssl?

And here:

How do you sign Certificate Signing Request with your Certification Authority?

I'd like to be able to give a better answer but I was following the instructions here:

https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

And it wasn't working for me. Except for the part about signing the client key. That worked.

Community
  • 1
  • 1
Metalopholus
  • 125
  • 1
  • 1
  • 5
1

In my case none of the suggested ways here worked.
Eventually I found out that I had a security client installed that acted like a "man in the middle" and re-signed all traffic with its own certificates.
In order to solve it I had to download its certificate and install it inside the container:

Docker go image - cannot go get - x509: certificate signed by unknown authority

danfromisrael
  • 2,982
  • 3
  • 30
  • 40