Make sure that you have added the certs by moving the root CA cert file into /usr/local/share/ca-certificates and then running sudo update-ca-certificates.
The first step in fixing the issue is to restart Docker so that it picks up the changes to the OS certificates. Docker also has an additional location that can be used to trust an individual registry server's CA. The CA certificate needs to be placed in:
/etc/docker/certs.d/<docker registry>/ca.crt
If the registry uses a port number, it needs to be specified in the image tag and included in the directory name, e.g.:
/etc/docker/certs.d/my-registry.example.com:5000/ca.crt
X509 errors usually indicate that you are attempting to use a self-signed certificate without configuring the Docker daemon correctly. If the above solution does not fix the issue, the following steps need to be carried out:
1: Create a file /etc/docker/daemon.json and add insecure-registries
{
"insecure-registries" : ["docker.domain.com:3000"]
}
Replace "docker.domain.com" with your Docker Registry instance hostname and the port "3000" with the port your Docker Registry is running on.
With insecure registries enabled, Docker goes through the following steps:
- First, try using HTTPS.
- If HTTPS is available but the certificate is invalid, ignore the
error about the certificate. If HTTPS is not available, fall back to
HTTP.
2: Restart the Docker daemon by executing the command
systemctl restart docker
3: Create a directory with the same name as the host
mkdir -p /etc/docker/certs.d/docker.domain.com
4: Save the certificate in the newly created directory
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect docker.domain.com:443) -scq > /etc/docker/certs.d/docker.domain.com/docker_registry.crt
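A check for the configuration described above, added here as an example and not part of the original page: for each registry it reports whether the daemon skips verification through insecure-registries, trusts a CA from certs.d, or relies on the OS trust store, and it flags a certificate saved in a directory whose name lacks the port. The function name and the sample layout are assumptions, and only exact host[:port] entries in insecure-registries are evaluated.

```python
import json
import tempfile
from pathlib import Path


def _has_crt(directory):
    # Docker treats every *.crt file in a registry's certs.d directory as a CA root.
    return directory.is_dir() and any(directory.glob("*.crt"))


def audit_registry_trust(daemon_json, certs_root, registries):
    """Return {registry: [findings]} for "host[:port]" strings as used in image tags."""
    daemon_json, certs_root = Path(daemon_json), Path(certs_root)
    config = json.loads(daemon_json.read_text()) if daemon_json.exists() else {}
    insecure = set(config.get("insecure-registries", []))  # CIDR entries not evaluated

    report = {}
    for registry in registries:
        findings = []
        host = registry.rsplit(":", 1)[0]  # IPv6 literals are out of scope here
        if registry in insecure:
            # Certificate errors are ignored and plain HTTP is an allowed fallback.
            findings.append("INSECURE: listed in insecure-registries")
        if _has_crt(certs_root / registry):
            # The directory name matches host[:port], so Docker reads it.
            findings.append("CA pinned in certs.d")
        elif host != registry and _has_crt(certs_root / host):
            # Certificate stored under the bare hostname; not used for host:port.
            findings.append(f"MISPLACED: move certs.d/{host} to certs.d/{registry}")
        else:
            findings.append("relies on the OS trust store")
        report[registry] = findings
    return report


if __name__ == "__main__":
    # Constructed sample that mirrors the page's hostnames; nothing real is read.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        daemon = root / "daemon.json"
        daemon.write_text('{"insecure-registries": ["docker.domain.com:3000"]}')
        cert_dir = root / "certs.d" / "docker.domain.com"
        cert_dir.mkdir(parents=True)
        (cert_dir / "docker_registry.crt").write_text("constructed placeholder")
        result = audit_registry_trust(daemon, root / "certs.d", ["docker.domain.com:3000"])
        for name, findings in result.items():
            print(name, "->", "; ".join(findings))
```

To audit a real host, pass /etc/docker/daemon.json, /etc/docker/certs.d and the registry names taken from your image tags.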
- If you’re pulling an image from a private registry, make sure that
you’ve created a Secret containing the credentials you need to
access. Also make sure that you’ve added the Secret in the
appropriate namespace.
- You’ll also need to set the imagePullSecrets field on your Pod.
This field tells Kubernetes which Secret it should use, when
authenticating to the registry.