"docker pull" certificate signed by unknown authority
You may need to restart the docker service to get it to detect the change in OS certificates.
Docker does have an additional location you can use to trust an individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. in Linux:
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
or in Windows 10:
C:\ProgramData\docker\certs.d\ca.crt
First create a file:
/etc/docker/daemon.json
Then run the following to add certs:
openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt
This works without a restart.
OR
Import the cert into the system:
Save the cert to a file, like the command above (the port is crucial, no need for the protocol):
openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
Copy it to /usr/local/share/ca-certificates/:
sudo cp ca.crt /usr/local/share/ca-certificates/
Run update-ca-certificates:
sudo update-ca-certificates
Restart docker!
Here is a quick solution:
- Edit or create the file /etc/docker/daemon.json and add insecure-registries:
Example for docker.squadwars.org:
{ "insecure-registries" : ["docker.squadwars.org:443"]}
- Restart docker daemon
systemctl restart docker
- Create a directory with the same name as the host.
Example for docker.squadwars.org:
mkdir -p /etc/docker/certs.d/docker.squadwars.org
- Get the certificate and save it to the created directory.
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.squadwars.org:443) -scq > /etc/docker/certs.d/docker.squadwars.org/docker_registry.crt
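
The openssl s_client commands in the answers above save whatever chain the server presents and then trust it, so a check against a fingerprint obtained out of band belongs between the fetch and the copy into certs.d. The following is an added example, not part of the original answers: it picks the one certificate in a fetched bundle that matches a pinned SHA-256 fingerprint and installs only that certificate as ca.crt. The function names and the script name pin-ca.sh are hypothetical, and it assumes awk, sed, base64 and sha256sum are installed.

```shell
#!/bin/sh
# Added example: install a registry CA only if it matches a pinned SHA-256
# fingerprint obtained out of band. Function names are hypothetical.
# Assumes awk, sed, base64 (GNU/BusyBox -d) and sha256sum are installed.

# Normalise "AA:BB:..." (openssl style) or plain hex to lowercase hex.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Print the n-th PEM certificate (BEGIN..END lines included) of a bundle.
nth_cert() {
  awk -v n="$2" '/-BEGIN CERTIFICATE-/ { c++ }
                 c == n               { print }
                 /-END CERTIFICATE-/ && c == n { exit }' "$1"
}

# SHA-256 fingerprint = SHA-256 over the DER bytes, i.e. the decoded PEM body.
cert_fp() { sed '1d;$d' | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1; }

# install_pinned_ca <bundle.pem> <expected-sha256> <certs.d/host:port dir>
install_pinned_ca() (
  bundle=$1; want=$(norm_fp "$2"); dest=$3; n=1
  while cert=$(nth_cert "$bundle" "$n") && [ -n "$cert" ]; do
    if [ "$(printf '%s\n' "$cert" | cert_fp)" = "$want" ]; then
      # Write only the matching certificate, not the whole fetched chain.
      mkdir -p "$dest" && printf '%s\n' "$cert" > "$dest/ca.crt" && exit 0
      exit 1
    fi
    n=$((n + 1))
  done
  echo "no certificate in $bundle matches the pinned fingerprint; nothing installed" >&2
  exit 1
)

# Run as: sh pin-ca.sh ca.crt "$PINNED_SHA256" /etc/docker/certs.d/my-registry.example.com:5000
if [ "$#" -eq 3 ]; then install_pinned_ca "$@"; fi
```

The pinned value is the one `openssl x509 -in ca.crt -noout -fingerprint -sha256` prints when run by the registry operator on the real CA file; colons and upper case are accepted.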