[Bug] - docker-25.0.8-1.amzn2023.0.4 pull with error: "x509: invalid certificate policies"
Describe the bug
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.7.20250527.html
Since AL2023 version 2023.7.20250527, the docker cli version is upgraded to docker-25.0.8-1.amzn2023.0.4 and I met the "x509: invalid certificate policies" error while trying to do docker pull from my privately owned container repository. If I downgrade to docker-25.0.8-1.amzn2023.0.3, it is running fine.
I tried to add my repo to the insecure registries in /etc/docker/daemon.json but the error still persists.
To Reproduce
Steps to reproduce the behavior:
- Go to the session manager console
- Run docker pull <repo>:<version>
- See error:
Error response from daemon: Get "https://<repo_url>": tls: failed to parse certificate from server: x509: invalid certificate policies
Expected behavior
Docker pull should work.
I was running into this earlier today. It seems to be resolved now as I can use FROM public.ecr.aws/amazonlinux/amazonlinux:2023 without error now.
Problem still persists for me with the latest AL2023 version (2023.7.20250609).
Docker version: docker-25.0.8-1.amzn2023.0.4
Are you still seeing issues?
docker-25.0.8-1.amzn2023.0.4 was built with go 1.24.2, upgraded from 1.23.8. The release notes indicate that there were some changes to x509 certificate parsing in go 1.24.0 - https://go.dev/doc/go1.24#cryptox509pkgcryptox509
In particular, the change seems to have additional parsing validation on x509 certificate policy extensions to require unique OIDs. You may need to check how your certificate was generated.
Golang library was updated to 1.24.2 from 1.23.8 for the builds. With this change golang now has stricter validation for x509. Golang release notes for 1.24.2:
https://tip.golang.org/doc/go1.24#cryptox509pkgcryptox509
Here is the list of changes that may be related:
- The x509sha1 GODEBUG setting has been removed. Certificate.Verify no longer supports SHA-1 based signatures.
- OID now implements the encoding.BinaryAppender and encoding.TextAppender interfaces.
- The default certificate policies field has changed from Certificate.PolicyIdentifiers to Certificate.Policies. When parsing certificates, both fields will be populated, but when creating certificates policies will now be taken from the Certificate.Policies field instead of the Certificate.PolicyIdentifiers field. This change can be reverted with GODEBUG setting x509usepolicies=0.
- CreateCertificate will now generate a serial number using a RFC 5280 compliant method when passed a template with a nil Certificate.SerialNumber field, instead of failing.
- Certificate.Verify now supports policy validation, as defined in RFC 5280 and RFC 9618. The new VerifyOptions.CertificatePolicies field can be set to an acceptable set of policy OIDs. Only certificate chains with valid policy graphs will be returned from Certificate.Verify.
- MarshalPKCS8PrivateKey now returns an error instead of marshaling an invalid RSA key. (MarshalPKCS1PrivateKey doesn’t have an error return, and its behavior when provided invalid keys continues to be undefined.)
- ParsePKCS1PrivateKey and ParsePKCS8PrivateKey now use and validate the encoded CRT values, so might reject invalid RSA keys that were previously accepted. Use GODEBUG setting x509rsacrt=0 to revert to recomputing the CRT values.
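As an added example (not code from this thread, Docker or the Go project), the following Go check tests for the one condition the Go 1.24 parser newly rejects: a certificatePolicies extension whose policy OIDs are not unique. It decodes the extension value itself rather than calling x509.ParseCertificate, since on a Go 1.24 toolchain that call fails on exactly such certificates; the OIDs used in the test are sample values, one a CA/Browser Forum policy OID and one a constructed private-arc placeholder.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// id-ce-certificatePolicies, RFC 5280 section 4.2.1.4.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, policyQualifiers ... OPTIONAL }
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"` // kept raw, not interpreted
}

// buildPoliciesExtension encodes a certificatePolicies extension that lists the
// given OIDs verbatim, duplicates included (used here to construct test input).
func buildPoliciesExtension(oids ...asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, len(oids))
	for i, oid := range oids {
		infos[i].Policy = oid
	}
	value, err := asn1.Marshal(infos)
	return pkix.Extension{Id: oidCertificatePolicies, Value: value}, err
}

// repeatedPolicyOIDs returns the policy OIDs that appear more than once in a
// certificatePolicies extension, the condition Go 1.24 reports as
// "x509: invalid certificate policies". A non-policy extension is an error.
func repeatedPolicyOIDs(ext pkix.Extension) ([]string, error) {
	if !ext.Id.Equal(oidCertificatePolicies) {
		return nil, errors.New("not a certificatePolicies extension")
	}
	var infos []policyInformation
	if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
		return nil, err
	} else if len(rest) != 0 {
		return nil, errors.New("trailing data after certificatePolicies")
	}
	seen, dups := map[string]int{}, []string{}
	for _, p := range infos {
		if seen[p.Policy.String()]++; seen[p.Policy.String()] == 2 {
			dups = append(dups, p.Policy.String())
		}
	}
	return dups, nil
}
```

On a pre-1.24 toolchain the extension can be taken straight from `cert.Extensions` after x509.ParseCertificate; on 1.24 the raw extension value has to be pulled out of the DER by other means before it is passed to repeatedPolicyOIDs.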