
"docker pull" certificate signed by unknown authority


You may need to restart the docker service to get it to detect the change in OS certificates.

Docker does have an additional location you can use to trust an individual registry server's CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

or in Windows 10:

C:\ProgramData\docker\certs.d\ca.crt


  • first create a file - /etc/docker/daemon.json

  • then run the following to add certs

      openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt

works without restart

OR

import the cert into the system, like:

  • save the cert to the file, like the command above (the port is crucial, no need for the protocol)

     openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
  • copy it to /usr/local/share/ca-certificates/

     sudo cp ca.crt /usr/local/share/ca-certificates/
  • run update-ca-certificates

     sudo update-ca-certificates
  • restart docker!


Here is a quick solution:

  • Edit or create the file /etc/docker/daemon.json and add insecure-registries:

example for docker.squadwars.org:

      {
        "insecure-registries": ["docker.squadwars.org:443"]
      }

  • Restart docker daemon

      systemctl restart docker

  • Create a directory with the same name as the host.

example for docker.squadwars.org:

      mkdir -p /etc/docker/certs.d/docker.squadwars.org

  • Get the certificate and save it to the created directory.

      ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt
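
The openssl s_client commands in the answers above save whatever certificate the server presents at fetch time. As an added example (not code from any of the answers), this shell sketch installs the first certificate of a fetched file under certs.d only when its SHA-256 fingerprint matches one obtained out of band. CERTS_ROOT and the function names are assumptions of the example, and it relies on the coreutils base64 and sha256sum tools.

```shell
# Added example: install a registry CA only after a fingerprint check.
# CERTS_ROOT and all function names are assumptions of this example.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# Print the first PEM certificate in file $1, markers included.
first_cert() {
  sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" |
    sed '/-END CERTIFICATE-/q'
}

# SHA-256 over the DER bytes of a PEM certificate read from stdin. Same value
# as `openssl x509 -noout -fingerprint -sha256`, lowercased and without colons.
pem_sha256() {
  grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint: drop colons and spaces, lowercase the hex digits.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# install_registry_ca HOST:PORT PEM_FILE EXPECTED_FP
# Writes only the verified first certificate of PEM_FILE to
# $CERTS_ROOT/HOST:PORT/ca.crt; returns 1 and writes nothing on mismatch.
install_registry_ca() {
  local registry="$1" pem="$2" want got dir
  want="$(norm_fp "$3")"
  got="$(first_cert "$pem" | pem_sha256)"
  if [ ${#want} -ne 64 ] || [ "$got" != "$want" ]; then
    echo "fingerprint mismatch for $registry: got $got" >&2
    return 1
  fi
  dir="$CERTS_ROOT/$registry"   # directory name keeps the :port, as above
  mkdir -p "$dir" && first_cert "$pem" > "$dir/ca.crt"
}

# Usage (expected fingerprint comes from the registry administrator,
# not from the same network connection):
#   openssl s_client -showcerts -connect [registry_address]:[registry_port] \
#     < /dev/null > fetched.pem
#   install_registry_ca [registry_address]:[registry_port] fetched.pem "<SHA-256>"
```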