“ docker pull”由未知权限签署的证书 [英] "docker pull" certificate signed by unknown authority

问题描述

我试图从docker注册表中提取docker映像，但遇到以下问题：

I was trying to pull a docker image from a docker registry but hit the following issue:

$ docker pull <docker registry>/<image name>/<tag> 
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority

我尝试使用 curl并得到类似的错误消息：

I tried with "curl" and get a similar error message:

 curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.

因此，我使用以下命令下载了CA证书并导入到服务器（RedHat Linux 7）：

So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:

cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust

导入根证书后，我可以看到 curl 工作正常，因为它不会抱怨证书错误，但是，如果我使用 docker pull ，我仍然会遇到同样的问题。 docker 是否使用与 curl 不同的ca-cert位置？在这种情况下，如何使用 docker pull 解决问题？

After the root cert is imported, I can see curl is working fine as it won't complain the cert error, however if I use docker pull I still have the same issue. Is docker using different ca-cert location than curl? How do I fix the issue with docker pull in this situation?

推荐答案

您可能需要重新启动docker服务以获取它以检测OS证书中的更改。

You may need to restart the docker service to get it to detect the change in OS certificates.

Docker确实还有一个额外的位置，您可以用来信任单个注册表服务器CA。您可以将CA证书放在 /etc/docker/certs.d/<docker Registry> /ca.crt 中。如果在image标记中指定了端口号，例如在Linux中。

Docker does have an additional location you can use to trust individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g in Linux.

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

或在Windows 10中：

or in Windows 10:

C:\ProgramData\docker\certs.d\ca.crt

这篇关于“ docker pull”由未知权限签署的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！