“ docker pull”由未知权限签署的证书 [英] "docker pull" certificate signed by unknown authority
问题描述
我试图从docker注册表中提取docker映像,但遇到以下问题:
I was trying to pull a docker image from a docker registry but hit the following issue:
$ docker pull <docker registry>/<image name>/<tag>
Error response from daemon: Get <docker registry>/v1/_ping: x509: certificate signed by unknown authority
我尝试使用 curl并得到类似的错误消息:
I tried with "curl" and get a similar error message:
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
因此,我使用以下命令下载了CA证书并导入到服务器(RedHat Linux 7):
So I downloaded the CA certificate and imported to the server (RedHat Linux 7) with the following commands:
cp root_cert.cer /etc/pki/ca-trust/source/anchors/
update-ca-trust
导入根证书后,我可以看到 curl
工作正常,因为它不会抱怨证书错误,但是,如果我使用 docker pull
,我仍然会遇到同样的问题。 docker
是否使用与 curl
不同的ca-cert位置?在这种情况下,如何使用 docker pull
解决问题?
After the root cert is imported, I can see curl
is working fine as it won't complain the cert error, however if I use docker pull
I still have the same issue. Is docker
using different ca-cert location than curl
? How do I fix the issue with docker pull
in this situation?
推荐答案
您可能需要重新启动docker服务以获取它以检测OS证书中的更改。
You may need to restart the docker service to get it to detect the change in OS certificates.
Docker确实还有一个额外的位置,您可以用来信任单个注册表服务器CA。您可以将CA证书放在 /etc/docker/certs.d/<docker Registry> /ca.crt
中。如果在image标记中指定了端口号,例如在Linux中。
Docker does have an additional location you can use to trust individual registry server CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt
. Include the port number if you specify that in the image tag, e.g in Linux.
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
或在Windows 10中:
or in Windows 10:
C:\ProgramData\docker\certs.d\ca.crt
这篇关于“ docker pull”由未知权限签署的证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!