docker-compose pull results in x509: certificate signed by unknown authority

Question

I\'m hitting the following error when trying to pull the elastcisearch images from dockerhub.

docker-compose pull
Pulling elasticsearch (elasticsearch:2.2.0)...
         


        

Answer 1

I resolved the problem by adding the CA root .crt file the following directory: /etc/docker/certs.d/docker.io

Steps to resolve on Unbuntu 14:04 with Docker version 1.10.0, build 590d5108 and docker-compose version 1.6.0, build d99cad6:

• In Internet Explorer browse to docker.io/library/elasticsearch and export the companies Intermediate Root CA cert using DER format
• On Ubuntu mkdir -p /etc/docker/certs.d/docker.io/
• cp <cert from step one>.crt /etc/docker/certs.d/docker.io/
• service docker restart
• docker-compose pull now works and elasticsearch image downloads

More info here: https://docs.docker.com/engine/security/certificates/

Answer 2

1. Export the SSL certificate using Firefox.
   • Hit the URL in Firefox
   • Click on advanced, if you see warning or the lock on the URL bar.
   • Export the certificate(In Details tab)
   • Let's assume the cert file name is your.ssl.server.name.crt
2. Copy CA cert to /usr/local/share/ca-certificates.
3. sudo update-ca-certificates
4. sudo service docker restart

Answer 3

this might happen on local or user registries that might not have root CA signed certificates (these might be self singed). You can use the following steps use these registries:

1. sudo systemctl edit docker.service

2. add the registry like this:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd <some params...> --insecure-registry <your registry here> <other params...>

3. Save the file.
4. Reload the configuration with sudo systemctl daemon-reload
5. Restart Docker with sudo systemctl restart docker.service

Answer 4

On native docker (I'm on a mac), this can be resolved by adding to the insecure registries configuration. Preferences > Advanced > Insecure Registries