How to install a paid SSL (Comodo or Sectigo) to Harbor: Private Docker Registry? - docker

I was trying to install Harbor: Private Docker Registry with a paid SSL certificate from Sectigo (Comodo).
But when I install it, I can see it was successful in the web page, but not in docker login.
When I try to docker login ~~~, it says: Error response from daemon: Get https://docker.siadev.kr/v2/: x509: certificate signed by unknown authority
What I received from the SSL provider are these files:
{domain}.crt, {domain}.key, AAACertificateServices.crt, AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt, SectigoRSAAddTrustCA.crt, SectigoRSADomainValidationSecureServerCA.crt, rsa-dv.chain-bundle.pem
And Docker says it supports ca.crt, {domain}.cert, {domain}.key.
Which crt files do I have to concatenate?
I placed them like this:
/etc/docker/certs.d/{domain}/{domain}.cert
/etc/docker/certs.d/{domain}/{domain}.key
/etc/docker/certs.d/{domain}/ca.crt
If I try to log in with the IP or another domain, it says: Error response from daemon: Get https://{domain}/v2/: x509: certificate is valid for {domain}, not {fake_domain}.
So I assume that they are in the right place, and the problem is a wrong combination of ca.crt.

I'm not sure it's going to solve your problem, but I think you should put your certificate in the
/etc/docker/certs.d/$MY_REGISTR_DOMAIN:REGISTR_PORT/
folder. That's where I placed mine (they are self-signed) and it works.

Related

I created a new SSL but why I still see the error of SSL?

I have a Harbor stack running on Docker with an nginx reverse proxy. Its SSL certificate has expired and I am not able to log in via SSH. I created a new certificate with OpenSSL. I can see that the new certificate is being used in the browser, as the date and other information are updated. However, I still see an SSL error in the browser and the following error via SSH.
Error response from daemon: Get "https://123.123.123.111:444/v2/": x509: cannot validate certificate for 123.123.123.111 because it doesn't contain any IP SANs
What have I done?
I created the SSL certificate as follows. First I updated /etc/ssl/openssl.cnf and added subjectAltName=IP:123.123.123.111 as mentioned in this Stack Overflow question.
Then I followed this official guide to make the SSL certificate.
Once all worked well I copied the certificates and added them to the correct directory.
I also copied the certificate to this directory:
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
Finally I updated the certificates like this:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Result of all this work?
The certificates have been updated, but I can still see the SSL error in the browser and SSH.
What do I want?
I want to make my SSL certificates work so I can log in through SSH and upload repos.

docker private registry: x509: certificate signed by unknown authority error

After creating a private Docker registry on one of my machines, I tried to push an image to it, but it throws the error: Get "https://host.domain/v2/": x509: certificate signed by unknown authority
The registry was created according to the official Docker documentation. If I request the same URL in Safari or Chrome, the request gets resolved successfully, showing that the certificate is valid.
So I'm wondering: what does Docker do differently that it can't validate my certificate?
Many thanks in advance!
Solved the issue: it seems that if your certificate issuer provides an intermediate certificate EXPLICITLY, it's required to chain domain.crt and intermediate.crt by running cat domain.crt intermediate.crt > concat-domain.crt (for example).
The instruction comes from the official Docker documentation.

Container fails to make network requests - x509: certificate signed by unknown authority

A container running behind a K8s service fails to make network requests with the error x509: certificate signed by unknown authority.
The container is an API that serves incoming requests and makes external network requests before responding; it's running in a local K8s cluster managed by Docker Desktop. The third-party API being called is failing certificate validation, and I'm not using a proxy or VPN.
What could be the cause of this?
I hope this helps someone else, as there are many different discussions about this topic online.
The fix seems to be that when doing a multi-stage Docker build and using e.g. FROM golang:alpine3.14 AS build along with FROM scratch, the root certificates are not copied into the image.
Adding this to the Dockerfile after the FROM scratch line removes the error:
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
This was found in this Stack Overflow answer.

Docker : Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority

I am getting an error when I am trying to pull a Docker image.
We have set up the proxy; in our organization we have an explicit proxy, so we cannot access an external server without setting it.
[root#DX2821 city]# docker pull hellow-world
Using default tag: latest
Error response from daemon:
Get https://registry-1.docker.io/v2/: x509: certificate signed by
unknown authority
I had exactly the same problem in my company.
We also have a proxy. To monitor our HTTPS connections and avoid malware, our proxy creates a certificate on the fly for the secured connection between a station and the proxy. Then another secured connection is made between the proxy and the website. The message indicates that the certificate produced by the proxy was signed by an unknown authority: the "fake authority" which generates the certificates.
To solve the problem, I had to install the root certificate of this "fake authority" in /usr/share/ca-certificates (for a Linux station)
and then:
> update-ca-certificates

Error response from daemon: Get https://x.x.x.x/v1/users/: x509: certificate signed by unknown authority

I'm new to Docker and I'm testing some stuff. I had installed a UCP to upload my images, but when I wanted to log in to UCP with the CLI it showed this error:
Error response from daemon: Get https://x.x.x.x/v1/users/: x509: certificate signed by unknown authority
I searched for this error and found many responses (many different responses). After that, I finished installing the DTR and I could log in without a problem.
My question is:
After I had installed just the UCP, I tried to connect to it and the error showed. So, is it necessary to have DTR installed to connect correctly, or could it be another problem?
Thanks for your help!
"I had installed a UCP to upload my images". What does this mean? The DTR should be part of your UCP Swarm, and that is where you push your images to.
So if you are getting this error when trying to push your image to one of the repositories in DTR, then try the steps below (assuming your worker nodes are Windows 2016 servers).
Create certificate in DTR node
Copy the certificate to the docker node or which ever machine from which you are trying to push the image
Open MMC
Add certificates (use Computer account)
Open Trusted Root Certification Authorities
Click More action on the right and click import
Upload the copied certificate and finish
Try the "docker login" command with your DTR URL and make sure you are able to log in without an issue