
I have an environment with a root CA and a subordinate CA. My environment is mixed: I have both Windows and Linux (Ubuntu 18) servers.

On the Windows machines it is enough to add the root CA to the trusted root certificates store, and from there on all certificates issued by the subordinate CA are trusted by the computer.

On the Ubuntu machines I installed the root CA into the trusted root CA store as well, but I found that when running `docker pull` from a private registry with a certificate issued by the subordinate CA, I got the error: `Error response from daemon: Get https://<server>:5000/v2/: x509: certificate signed by unknown authority`. Only after spending a good few hours did I realize I needed to install the subordinate CA as well as the root CA.

Why is that? Shouldn't a subordinate-signed certificate be trusted if the subordinate root CA is trusted?

GKman
  • It seems more likely that the private server didn't send the subordinate CA certificate in its chain. Then the TLS client will already need to possess that subordinate certificate in order to follow the chain from end leaf to root. – Gerrit Feb 06 '20 at 12:10
  • How can I find out? Because when viewing the certificate file on Windows I can follow the entire certificate chain. – GKman Feb 06 '20 at 13:54
  • You can use **openssl s_client** to see all kinds of data about TLS, and by default it shows the server certificate chain it received. The command would be **openssl s_client -servername your-reposerver -connect your-reposerver:5000**. – Gerrit Feb 06 '20 at 15:10

1 Answer


The issue was due to a missing subordinate certificate in the server certificate chain. Once added, everything works well.

Thanks to user Gerrit for the help :)

Gerrit
GKman
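The situation Gerrit describes in the comments and the fix in the answer, reproduced end to end as an added example (not code from the original post): a throwaway root CA, subordinate CA and leaf are built with openssl, and the leaf is then verified against a root-only trust store with and without the subordinate certificate, the way Docker's TLS client sees it. CA names, the hostname and file names are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root CA, subordinate
# CA and leaf certificate, then show that a client trusting only the root cannot
# verify the leaf unless the subordinate certificate is presented alongside it.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Private OpenSSL config (invented names) so the run ignores the system default.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:registry.demo.internal
EOF
# Self-signed root CA.
openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
# Subordinate CA, signed by the root.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile demo.cnf -extensions ca_ext -out sub.pem 2>/dev/null
# Leaf certificate for the registry host, signed by the subordinate CA.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=registry.demo.internal" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 2 -sha256 -extfile demo.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
# Trust store holds only the root and the server sent only the leaf: the failing
# situation from the question. Exit status 0 means verified.
verify_with_root_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}
# Same root-only trust store, but the subordinate certificate is supplied as an
# untrusted intermediate, as if the server had sent it in its chain.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted sub.pem leaf.pem >/dev/null 2>&1
}
# Certificates in a PEM bundle: leaf only gives 1, a correct chain gives 2.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}
# The bundle the registry should serve: leaf first, then the subordinate CA.
cat leaf.pem sub.pem > fullchain.pem
verify_with_root_only || echo "leaf alone: NOT verified (the docker error)"
verify_with_chain && echo "leaf + subordinate: verified"
```

The same `openssl verify -CAfile root.pem -untrusted <chain> leaf.pem` check can be run on the certificates that `openssl s_client -showcerts` prints for a live server to confirm whether it actually sends the subordinate certificate.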