“docker pull” certificate signed by unknown authority

灰色年华 2020-12-29 04:01

I was trying to pull a docker image from a docker registry but hit the following issue:

$ docker pull //          


        
8 answers
  • 2020-12-29 04:12

    For the MacOS Docker Desktop user:

    Go to your repository's URL in a browser. You may have to accept all security prompts.

    Click (on Chrome) on the padlock on the address bar, then click on "Certificate".

    Click and hold down on the paper icon of the certificate and drag to a folder of your preference, or the desktop.

    Open your terminal (make sure to replace the last argument with the location of your file):

    security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db ~/<<<somefolder>>>/<<<yourserver.cer>>>
    

    Restart your docker engine.

  • 2020-12-29 04:16

    Here is a quick solution:

    • Edit or create the file /etc/docker/daemon.json and add insecure-registries:

    example for docker.squadwars.org:

    {
        "insecure-registries" : ["docker.squadwars.org:443"]
    }
    
    • Restart docker daemon
    systemctl restart docker
    
    • Create a directory with the same name as the host.

    example for docker.squadwars.org:

    mkdir -p /etc/docker/certs.d/docker.squadwars.org
    
    • Get the certificate and save it to the created directory.
    ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt
    
  • 2020-12-29 04:17

    For anyone who is using CentOS 7, this is what worked for me:

    • Obtain necessary certificate (e.g. from your company)
    • Copy the certificate to ca-trust location:
    sudo cp -p abc.crt /etc/pki/ca-trust/source
    
    • Update the certificate:
    sudo update-ca-trust extract
    
    • Reload daemon and restart docker:
    sudo systemctl daemon-reload
    sudo systemctl restart docker
    
  • 2020-12-29 04:22

    For me I ended up doing this to get it to work:

    sudo cp -p abc.crt /etc/pki/ca-trust/source/anchors
    sudo update-ca-trust
    sudo update-ca-trust extract
    sudo systemctl daemon-reload
    sudo systemctl restart docker
    
  • 2020-12-29 04:24
    • first create a file - /etc/docker/daemon.json

    • then run the following to add certs

        openssl s_client -showcerts -connect <registry_address>:<registry_port> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/<registry_address>/ca.crt
      

    works without restart

    OR

    import the cert to system like

    • save the cert to the file, like the command above (the port is crucial, no need for the protocol)

       openssl s_client -showcerts -connect <registry_address>:<registry_port> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
      
    • copy it to /usr/local/share/ca-certificates/

       sudo cp ca.crt /usr/local/share/ca-certificates/
      
    • run update-ca-certificates

       sudo update-ca-certificates
      
    • restart docker!

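The `openssl s_client` commands in the answers above save whatever certificate the connection returns, so the result is only as trustworthy as the network path at that moment. The script below is an added example, not code from any answer in this thread: it compares the fetched certificate's SHA-256 fingerprint with one obtained out of band before writing it to `/etc/docker/certs.d`. The function names, the script name and the sample registry name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (placeholder values), run as root:
#   sh trust-registry-ca.sh registry.example.internal:5000 'AB:CD:...'
# The expected SHA-256 fingerprint must come from the registry operator, not the network.

# Keep only the PEM blocks from `openssl s_client -showcerts` output.
pem_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Reduce "sha256 Fingerprint=AB:CD:..." or a bare fingerprint to upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only when both fingerprints are non-empty and identical after normalising.
fp_matches() {
    [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# trust_registry_ca HOST:PORT EXPECTED_FP [CERTS_D_NAME]
# CERTS_D_NAME is the registry name as written in image references (default HOST:PORT).
trust_registry_ca() {
    registry=$1 expected=$2 name=${3:-$1}
    tmp=$(mktemp) || return 1
    openssl s_client -showcerts -connect "$registry" </dev/null 2>/dev/null | pem_blocks >"$tmp"
    # openssl x509 reads the first certificate in the file, i.e. the server's own.
    seen=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 2>/dev/null)
    if ! fp_matches "$seen" "$expected"; then
        echo "refusing to trust $registry: got '$(normalize_fp "$seen")'" >&2
        rm -f "$tmp"
        return 1
    fi
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    mkdir -p "/etc/docker/certs.d/$name" &&
        cp "$tmp" "/etc/docker/certs.d/$name/ca.crt"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    trust_registry_ca "$@"
fi
```

On a mismatch nothing is written, which is the case to investigate rather than work around with `insecure-registries`.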
  • 2020-12-29 04:26

    By default docker keeps a local Certificate store, in Centos:/etc/sysconfig/docker. In organizations, the servers usually come preinstalled with their own Root Cert. So if you use a cert issued by the organization, docker will not be able to find the organization's Root Cert when it refers to its local store. So either you can remove the reference to its local store in /etc/sysconfig/docker or you can delete its local Certificate store (Centos:/etc/docker/certs.d). Restarting the docker service after you make the change will resolve this issue.
