docker-compose pull results in x509: certificate signed by unknown authority

17
votes

I'm hitting the following error when trying to pull the elastcisearch images from dockerhub.

docker-compose pull
Pulling elasticsearch (elasticsearch:2.2.0)...
Pulling repository docker.io/library/elasticsearch
ERROR: Error while pulling image: Get https://index.docker.io/v1/repositories/library/elasticsearch/images: x509: certificate signed by unknown authority
Failed to run with docker-compose

My company has an Intermediate Root CA that I suspect is causing the problem. Any ideas how I should configure Docker to use the company Root CA?

4
dockerdocker-compose
Possible duplicate of docker error: x509: certificate signed by unknown authorityrkosegi
same error but doesn't look like the same issueDarVar

4 Answers

11
votes

I resolved the problem by adding the CA root .crt file the following directory: /etc/docker/certs.d/docker.io

Steps to resolve on Unbuntu 14:04 with Docker version 1.10.0, build 590d5108 and docker-compose version 1.6.0, build d99cad6:

  • In Internet Explorer browse to docker.io/library/elasticsearch and export the companies Intermediate Root CA cert using DER format
  • On Ubuntu mkdir -p /etc/docker/certs.d/docker.io/
  • cp <cert from step one>.crt /etc/docker/certs.d/docker.io/
  • service docker restart
  • docker-compose pull now works and elasticsearch image downloads

More info here: https://docs.docker.com/engine/security/certificates/

7
votes
  1. Export the SSL certificate using Firefox.
    • Hit the URL in Firefox
    • Click on advanced, if you see warning or the lock on the URL bar.
    • Export the certificate(In Details tab)
    • Let's assume the cert file name is your.ssl.server.name.crt
  2. Copy CA cert to /usr/local/share/ca-certificates.
  3. sudo update-ca-certificates
  4. sudo service docker restart
1
votes

On native docker (I'm on a mac), this can be resolved by adding to the insecure registries configuration. Preferences > Advanced > Insecure Registries

0
votes

this might happen on local or user registries that might not have root CA signed certificates (these might be self singed). You can use the following steps use these registries:

  1. sudo systemctl edit docker.service

  2. add the registry like this:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd <some params...> --insecure-registry <your registry here> <other params...>
  1. Save the file.
  2. Reload the configuration with sudo systemctl daemon-reload
  3. Restart Docker with sudo systemctl restart docker.service