x509: certificate signed by unknown authority - failed to fetch token

Open anthosz opened this issue 8 months ago • 1 comments

Contributing guidelines

I've found a bug, and:

  • [x] The documentation does not mention anything about my problem
  • [x] There are no open or closed issues that are related to my problem

Description

Hello,

While trying to push a Docker image, the job cannot extract the token to push the image due to a CA issue.

The point is that during the setup of buildx, insecure was set to true, so I don't really understand where the issue is.

Expected behaviour

I'm able to extract the token to be able to push the image to the registry

Actual behaviour

When I want to push the image, I receive this error:

ERROR: failed to solve: failed to push example.test:a639a35f04bf71babaee953d85e0380818b7822a: failed to authorize: failed to fetch anonymous token: Get "https://example.test/v2/token?scope=%2A%3A%3A&scope=repository%XXXXXX%2FXXXXXX%3Apull%2Cpush&service=container_registry": tls: failed to verify certificate: x509: certificate signed by unknown authority

Repository URL

NC

Workflow run URL

NC

YAML workflow

jobs:
  publish:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: https://github.com/actions/checkout@v4
      - name: Set up Docker Buildx
        uses: https://github.com/docker/setup-buildx-action@v3
        with:
          config-inline: |
            [registry."example.test"]
              insecure = true
      - name: Build and push Docker image
        uses: https://github.com/docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: "example.test/XXXXXXXX/XXXXXXXX:${{gitea.sha}}"

Workflow logs

#11 exporting to image
#11 exporting layers
#11 exporting layers 1.6s done
#11 exporting manifest sha256:ef19229fa2ee4c403587ce9e0ae66c31e3de200e5521fe0c9b779adabbbcd8ee
#11 exporting manifest sha256:ef19229fa2ee4c403587ce9e0ae66c31e3de200e5521fe0c9b779adabbbcd8ee done
#11 exporting config sha256:c3468dcef81beb2ece64b44b2e1fdb47a1d003cf530b6194dbc8064e1d12ebde done
#11 exporting attestation manifest sha256:a19f85616d6a061f5797ab870d2ca954f8db2fa3532cc7e6f2080d41c7cc448b done
#11 exporting manifest list sha256:a6ceb3a8e5e7b0a8c90ae844a1970e6f4350a07617dfdfae7e779a3aa5c29028 done
#11 pushing layers 0.0s done
#11 ERROR: failed to push example.test/XXXXXXXX/XXXXXXXX:a639a35f04bf71babaee953d85e0380818b7822a: failed to authorize: failed to fetch anonymous token: Get "https://example.test/v2/token?scope=%2A%3A%3A&scope=repository%XXXXXXXX%2Ftest%XXXXXXXX%2Cpush&service=container_registry": tls: failed to verify certificate: x509: certificate signed by unknown authority

BuildKit logs


Additional info

Context:

  • Running on a runner provided by Gitea on Kubernetes 1.32.2

It seems that setting insecure = true in the config-inline is not sufficient, but I'm not sure what is missing.

anthosz avatar Apr 06 '25 06:04 anthosz

Same problem, someone please look into it!

Titanomyrma avatar Apr 18 '25 12:04 Titanomyrma