X509: certificate signed by unknown authority on docker login

docker

#1

Hello,

When I try to push a docker image to a private registry that was just built in the build process, I get the following error:

Error response from daemon: Get https://privrepo.com/v1/users/: x509: certificate signed by unknown authority

The SSL certificate of the private repository domain was issued using Let's Encrypt certbot. On my workstation, I had the same issue and I had to install the certificate chain.

Here, I’ve tried three approaches, with no success:

  1. use of --insecure-registry flag (using environment variable);
  2. tried to install the certificate chain in current execution (probably container #0);
  3. tried to do a fresh install of docker and configure certificates in docker’s /etc/docker/certs.d.

I think that those approaches didn't work because the execution of the docker command runs in a remote docker engine, and maybe THAT engine doesn't have the root certificates of Let's Encrypt (ISRG Root X1 and Let's Encrypt Authority X3).

Could that be the problem? If yes, is it possible to install those root certificates on the remote docker engine?

Thanks

Rafael


#2

You need to install ca-certificates


#3

Hi @rohara,

I've tried this, but got the same error:

$ docker login hub.devshipgo.com -u anyuser -p anypwd
Error response from daemon: Get https://hub.devshipgo.com/v1/users/: x509: certificate signed by unknown authority
Exited with code 1

I still believe that it is the remote docker engine (from setup_docker_engine) that is trying to access the registry. Notice that I checked the certificate using openssl from my container, and it returns ok:

$ openssl s_client -connect hub.devshipgo.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = hub.devshipgo.com
verify return:1
---
Certificate chain
 0 s:/CN=hub.devshipgo.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
    Start Time: 1489583256
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

This is my .circleci/config.yml

version: 2
jobs:
  build:
    docker:
      - image: ubuntu:latest
    working_directory: /root/build_dir
    steps:

      - run:
          name: Prereqs
          command: |
            apt-get -q1 -y update
            apt-get -q1 -y install git ca-certificates curl openssl

#      - checkout

      - run:
          name: Including Letsencrypt chain
          command: |
            set -ex
            curl -L -o /usr/local/share/ca-certificates/letsencryptauthorityx3.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem
            update-ca-certificates

      - run:
          name: Checking access with openssl
          command: |
            openssl s_client -connect hub.devshipgo.com:443 -CApath /etc/ssl/certs

      - run:
          name: Installing docker by hand
          command: |
            set -ex
            curl -L -o /tmp/docker-1.13.1.tgz https://get.docker.com/builds/Linux/x86_64/docker-1.13.1.tgz
            tar -xz -C /tmp -f /tmp/docker-1.13.1.tgz
            mv /tmp/docker/* /usr/bin

      - setup_docker_engine

      - run:
          name: Building a beautiful Docker world
          command: |
            docker login hub.devshipgo.com -u anyuser -p anypwd

#4

Ah I understand - I apologize for my mistake. I will open a ticket internally for you.


#6

Great! Thanks!
