docker-registry icon indicating copy to clipboard operation
docker-registry copied to clipboard

Published 20 hours ago verified publisher icon docker-archive

docker can not pull image from docker.io due to unknown CA cert

Open goupeng212 opened this issue 9 years ago • 0 comments

docker version: Client: Version: 1.9.0 API version: 1.21 Go version: go1.4.2 Git commit: 76d6bc9 Built: Tue Nov 3 17:43:42 UTC 2015 OS/Arch: linux/amd64

docker info: Containers: 0 Images: 0 Server Version: 1.9.0 Storage Driver: aufs Root Dir: /var/lib/docker/aufs Backing Filesystem: extfs Dirs: 0 Dirperm1 Supported: true Execution Driver: native-0.2 Logging Driver: json-file Kernel Version: 3.19.0-30-generic Operating System: Ubuntu 14.04.3 LTS CPUs: 2 --- I deleted the http proxy setting uname -a :

Linux 5de0a79d-d9ba-4a1c-80df-2c1372924b80 3.19.0-30-generic #34~14.04.1-Ubuntu SMP Fri Oct 2 22:09:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I tried to pull docker image : ubuntu from docker.io.But failed:

Pulling repository docker.io/library/ubuntu Get https://registry-1.docker.io/v1/repositories/library/ubuntu/tags/trusty: x509: certificate signed by unknown authority

The sever behind one firewall and we have to use http_proxy to connect to docker.io.

  1. I have set the export http_proxy, export https_proxy in the /etc/default/docker.
  2. Restarted the service.
  3. docker pull registry:2 Pulling repository docker.io/library/registry Get https://registry-1.docker.io/v1/repositories/library/registry/tags/2: x509: certificate signed by unknown authority
  4. I can install the docker via proxy. wget -qO- --no-check-certificate https://get.docker.io |sh;
  5. wget -S -d -O - https://cdn-registry-1.docker.io/cdn-cgi/trace Setting --output-document (outputdocument) to - DEBUG output created by Wget 1.15 on linux-gnu.

URI encoding = ‘UTF-8’ --2015-11-20 16:35:32-- https://cdn-registry-1.docker.io/cdn-cgi/trace Resolving cdn-^(?!ibm.env).*.fabric.Capacity.memory_load (cdn-registry-1.docker.io)... 54.173.117.35, 52.5.137.119, 54.86.172.118, ... Caching cdn-registry-1.docker.io => 54.173.117.35 52.5.137.119 54.86.172.118 52.3.170.192 54.209.97.165 52.0.114.14

Connecting to cdn-registry-1.docker.io (cdn-registry-1.docker.io)|54.173.117.35|:443...

No response

My question:

  1. the enterprise proxy must set the CA cert strict constraint! But I expect the docker expose one parameter just like curl --insecure.
  2. How to import the CA cert from registry-1.docker.io I tried to get the crt from one machine which can access registry-1.docker.io cp ca.crt /usr/local/share/ca-certificates update-ca-certificates service docker restart But failed work
  3. Seems the proxy doesn't work for the registry-1.docker.io, but for get.docker.io

goupeng212 avatar Nov 20 '15 08:11 goupeng212