for-mac icon indicating copy to clipboard operation
for-mac copied to clipboard
verified publisher icon docker

Buildx do not take private registry CA

Open fboranek opened this issue 2 years ago • 1 comments

Description

I have installed CA for private registry and it works well with docker. However if using buildx plugin I gets error:

 tls: failed to verify certificate: x509: certificate signed by unknown authority

Reproduce

  1. verify if your CA is right installed Ca in PEM format

    <HOME>/.docker/certs.d/<REGISTRY ADDRESS>/ca.crt

    pull command is succesfull

    docker pull <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable
bullseye-stable: Pulling from baseimage/debian
Digest: sha256:3fda0f4c6ae0e6e5b083cf73e6335e53daea654a36333489aea76417e7891702
Status: Image is up to date for <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable
<REGISTRY ADDRESS>/baseimage/debian:bullseye-stable

What's Next?
  View a summary of image vulnerabilities and recommendations → docker scout quickview <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable

  2. try build image with that image above as base and you get error

    docker compose -f /Volumes/W/seznam/ad-templates-server/docker-compose.yml build
[+] Building 0.5s (3/3) FINISHED                                       docker-container:youthful_curie
 => [server internal] booting buildkit                                 0.4s
 => => starting container buildx_buildkit_youthful_curie0              0.4s
 => [server internal] load build definition from Dockerfile            0.0s
 => => transferring dockerfile: 2.47kB                                 0.0s
 => ERROR [server internal] load metadata for <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable   0.0s
------
 > [server internal] load metadata for <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable:
------
failed to solve: <REGISTRY ADDRESS>/baseimage/debian:bullseye-stable: failed to do request: Head "https://<REGISTRY ADDRESS>/v2/baseimage/debian/manifests/bullseye-stable": tls: failed to verify certificate: x509: certificate signed by unknown authority
make: *** [docker] Error 1

Expected behavior

I don't need to use workaround from stackoverflow https://stackoverflow.com/questions/72894189/docker-buildx-build-failing-when-referring-repo-with-tls-certificate-signed-wi

The answer which works for me:

  1. Create a buildkitd.toml and configure your private CA certificate:
[registry."your.dockerimagehost.example"]
  ca=["/home/downloads/mycacert.pem"]
  1. create a docker builder
docker buildx create --use --config buildkitd.toml
  1. then your build command should work

docker version

Client:
 Cloud integration: v1.0.35+desktop.5
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

docker info

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.5
    Path:     /Users/fboranek/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.23.0-desktop.1
    Path:     /Users/fboranek/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/fboranek/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/fboranek/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.9
    Path:     /Users/fboranek/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/fboranek/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/fboranek/.docker/cli-plugins/docker-scan
  scout: Docker Scout (Docker Inc.)
    Version:  v1.0.9
    Path:     /Users/fboranek/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 7
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.4.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 12
 Total Memory: 7.758GiB
 Name: linuxkit-16a18bd37c1a
 ID: acfe7259-9ec9-4958-8bdb-eddb70cab717
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

10544E90-9426-48DA-9133-DAF0BC293AB8/20231128171851

Additional Info

No response

fboranek avatar Nov 28 '23 17:11 fboranek

running into this as well

z-aki avatar Sep 19 '24 12:09 z-aki

just ran into this as well, macOS

kbrilla avatar Jul 22 '25 12:07 kbrilla