Docker registry login fails with “Certificate signed by unknown authority”

Question

I\'m am running a private docker registry on ubuntu using S3 for storage. I\'m having issues getting docker login/push/pull commands to work over SSL. I\'m using Nginx in fron

Answer 1

For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:

cp docker-registry.crt /etc/pki/ca-trust/source/anchors/docker-registry.crt
update-ca-trust
systemctl restart docker

From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/

Answer 2

If you are on mac, simply add the registry to the insecure-registries setting in ~/.docker/daemon.json:

{
  "debug" : true,
  "experimental" : true,
  "registry-mirrors" : [],
  "insecure-registries" : ["registry.your.domain.de"]
}

In case you do a mistake somewhere (I forgot a comma in the JSON) some issues afterwards with starting up the docker daemon might arise. Namely any docker command throwing an Error response from daemon: Bad response from Docker engine. A few restarts and resets later that resolved itself.

Answer 3

If you are using letsencrypt and nginx, just change the ssl_certificate key from cert.pem to fullchain.pem.

Answer 4

For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.

In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the docker-registry.crt file, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.