5

I am getting an error when I am trying to pull docker image. We have set up the proxy, and in our organization we have explicit proxy, so to access external server we cannot do without setting it. 

[root@DX2821 city]# docker pull hellow-world

Using default tag: latest

Error response from daemon:

Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority

Kazunori Takaishi
  • 2,268
  • 1
  • 15
  • 27
Sadique Manzar
  • 61
  • 1
  • 2
  • 5

2 Answers2

3

I had exactly the same problem in my company.

We have also a proxy. For monitoring our https connection to avoid malwares, our proxy creates a certificate on the fly for the secured connection between a station and the proxy. Then another secured connection is done between the proxy and the website. The message indicates that the certificate produced by the proxy was signed by an unknown authority: the "fake authority" which generates the certificates.

For solving the problem, I had to install the root certificate of this "fake authority" in /usr/share/ca-certificates (for a linux station) and then:

> update-ca-certificates
Unihedron
  • 10,902
  • 13
  • 62
  • 72
le flingue
  • 31
  • 1
  • 4
1

To extends le flingue's answer, here is how you can do this step by step in Ubuntu:

You can run following:

openssl s_client -connect registry-1.docker.io:443 -showcerts

It shows all the certificates. Copy all parts that start and end with these (including the BEGIN and END CERTIFICATE rows):

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Create as many files as you have these begin and end parts inside /usr/local/share/ca-certificates/ and paste the begin certificate and end certificate parts inside them. As an example I had three of these parts so I created following files:

sudo nano /usr/local/share/ca-certificates/proxy1.crt
sudo nano /usr/local/share/ca-certificates/proxy2.crt
sudo nano /usr/local/share/ca-certificates/proxy3.crt

It does not matter how you name the certificates. The only thing that matters is the content. After you have copied all these parts inside the files, you can run following command:

sudo update-ca-certificates

It should give you following information:

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
3 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Note that this does not yet update the certs into Docker. You have to start and stop the Docker daemon. Run

sudo service docker stop
sudo service docker start

And finally Docker should be able to find the certificates. So now you can run

docker pull hello-world
Jukka Hämäläinen
  • 647
  • 1
  • 6
  • 17