x509 certificate signed by unknown authority error, how to resolve it.


Recently I had a problem with a Docker installation where I could not “pull” any image from a Docker registry. The error message when I was trying to pull an image was “x509 certificate signed by unknown authority”. Updating the OS with the latest CA certificates didn't resolve the issue, and I had to manually download the CA certificate from the Docker registry and place it in the certificates directory of my OS. Let's see how we can download the CA certificate using the openssl CLI tool.

What a CA is

A certificate authority, also known as a certification authority, is a trusted organization that verifies websites (and other entities) so that you know who you’re communicating with online. Their objective is to make the internet a more secure place for organizations and users alike. This means that they play a pivotal role in digital security.

How a CA certificate works

A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates signed by this CA.

For example, example.com uses Let’s Encrypt to sign its server certificates, and the SSL certificates sent by example.com state that they are signed by Let’s Encrypt. Your browser contains the CA certificate from Let’s Encrypt, so it can use that CA certificate to verify the example.com SSL certificates and make sure you are indeed talking to the real server and not a man-in-the-middle.

openssl syntax

This is the generic syntax for downloading a CA certificate using openssl:

echo quit | openssl s_client -showcerts -servername <FQDN> -connect <Website>:443 > <ca_cert_file.pem>

In my case the Docker registry was https://registry-1.docker.io/v2/, which translates to the following:

echo quit | openssl s_client -showcerts -servername registry-1.docker.io -connect registry-1.docker.io:443 > ca.pem

Copy CA certificate to the certificates directory

In my OS (Debian) the CA directory is /usr/local/share/ca-certificates/, which is probably the same for Debian derivatives like Ubuntu. update-ca-certificates only picks up files in that directory whose names end in .crt, so give the file that extension when you copy it:

sudo cp ca_cert_file.pem /usr/local/share/ca-certificates/ca_cert_file.crt

Then you need to run update-ca-certificates in order to update the CA store:

sudo update-ca-certificates
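
The file written by the openssl command above holds the whole s_client transcript, and installing it means trusting whatever answered on that connection, which behind a TLS-inspecting proxy is the proxy's certificate rather than the registry's. The script below is an added example, not part of the original post: it splits the transcript into one file per certificate and prints subject, issuer, expiry and SHA-256 fingerprint so they can be checked against values from the registry operator before anything is copied into the CA directory. The function names, the ./chain directory and the cert-N.crt naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The function names and the
# cert-N.crt file naming are assumptions made for illustration.

# Read `openssl s_client -showcerts` output on stdin and write each PEM
# certificate of the chain to its own file: $1/cert-1.crt (the server's own
# certificate), $1/cert-2.crt (its issuer), and so on. Prints the count.
split_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        # s_client repeats the server certificate after the chain; stop there.
        /^Server certificate/ { exit }
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".crt"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    '
}

# Print subject, issuer, expiry and SHA-256 fingerprint of every split file so
# they can be compared with values obtained from the registry operator.
describe_chain() {
    for f in "$1"/cert-*.crt; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
    done
}

# Usage: sh inspect_chain.sh registry-1.docker.io
if [ -n "${1:-}" ]; then
    echo quit | openssl s_client -showcerts -servername "$1" -connect "$1:443" \
        2>/dev/null | split_chain ./chain
    describe_chain ./chain
fi
```

Copy only a certificate whose fingerprint you have confirmed into /usr/local/share/ca-certificates/, then run update-ca-certificates.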

Conclusion

At first glance an error of “x509 certificate signed by unknown authority” can be very adjective and you might not know how to start troubleshooting it. Actually, it took me more than one hour of trial and error to figure out what was going on and what the solution was.
