
I’ve seen a lot of similar questions but none of the solutions seemed to work for my case.
I’m using Ubuntu emulated on Windows with WSL2 and I’m trying to build a Docker image from a Dockerfile, and I get the following error:

docker build --tag build_machine .
[+] Building 0.3s (3/3) FINISHED                                                                                                                                                                                                                                                                              docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                                                                    0.0s
 => => transferring dockerfile: 4.77kB                                                                                                                                                                                                                                                                                  0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                                                                       0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                                                                         0.0s
 => ERROR [internal] load metadata for <some_url>/centos:7                                                                                                                                                                                                                                                    0.2s
------
 > [internal] load metadata for <some_url>/centos:7:
------
Dockerfile:2
--------------------
   1 |     # Set parent
   2 | >>> FROM <some_url>/centos:7
   3 |
   4 |     # Set working directory
--------------------
ERROR: failed to solve: <some_url>/centos:7: failed to do request: Head "https://<some_url>/v2/centos/manifests/7": tls: failed to verify certificate: x509: certificate signed by unknown authority

Where <some_url> is some corporate url that I’m not sure I could share here, but I don’t think it’s relevant anyway.
I don’t think sharing the Dockerfile itself would be of much help either, since, as you can see from the log, the failure happens at the very first FROM instruction.
I’ve read of several environment variables that I could set, but all seem to apply once the image is already generated, not at this early stage.
Is there any way to bypass certificate verification?
Thank you in advance.

I’ve tried to edit /etc/docker/daemon.json config file to disable tls verification, but then when I try to restart the docker daemon I get an error saying the configuration is not valid.
I suspect it’s because I don’t really know which certificate I’m supposed to provide.
In fact, I’ve also tried the following (with the --tls option):

docker --tls build --tag build_machine .
ERROR: open /home/msalis/.docker/ca.pem: no such file or directory

At first, it looked like progress, but when I tried to provide the certificate that was supposed to be there, I got the following:

docker --tls build --tag build_machine .
ERROR: Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?

2 Answers


  1. Chosen as BEST ANSWER

    Thank you very much! Here's the full summary of how I managed to solve my problem: I've tried the solution explained in https://docs.docker.com/registry/insecure/ but somehow I wasn't able to set the "insecure-registries" correctly. I then tried downloading the certificates (in my case, two were needed, not only one) but, instead of copying them into /home/msalis/.docker/ (as I thought when I saw the misleading trace: "ERROR: open /home/msalis/.docker/ca.pem: no such file or directory"), I've copied them into /usr/local/share/ca-certificates/. Then I've called update-ca-certificates as suggested and restarted docker. It all seemed to work, except this time I got the following:

    docker build --tag build_machine .
    [+] Building 0.4s (3/3) FINISHED                                                                                                                                                                                                                                                                              docker:default
     => [internal] load .dockerignore                                                                                                                                                                                                                                                                                       0.0s
     => => transferring context: 2B                                                                                                                                                                                                                                                                                         0.0s
     => [internal] load build definition from Dockerfile                                                                                                                                                                                                                                                                    0.0s
     => => transferring dockerfile: 4.77kB                                                                                                                                                                                                                                                                                  0.0s
     => ERROR [internal] load metadata for <some_url>/centos:7                                                                                                                                                                                                                                                    0.3s
    ------
     > [internal] load metadata for <some_url>/centos:7:
    ------
    Dockerfile:2
    --------------------
       1 |     # Set parent
       2 | >>> FROM <some_url>/centos:7
       3 |
       4 |     # Set working directory
    --------------------
    ERROR: failed to solve: <some_url>/centos:7: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://<some_other_url>: 401 Unauthorized
    

    At this point, I've been told that I simply didn't have access to the corporate registry, so I switched to the standard one (i.e. changed FROM <some_url>/centos:7 to simply FROM centos:7) but at the very least I managed to get past the VPN (which was indeed my initial problem). Thank you very much again, I'm quite new to this certificate stuff and just needed some direction.


  2. Mostly dupe "docker pull" certificate signed by unknown authority which points to https://docs.docker.com/registry/insecure/

    I’ve also tried [--tls option on CLI] At first, it looked like a progress ….

    No, that’s not progress, that’s a regression. When it can’t even try to connect to the daemon, that’s an error long before the daemon executes the FROM in the buildfile.

    --tls in the CLI applies to the connection between the CLI and the daemon; it has nothing at all to do with the connection(s) the daemon makes to registry(ies) to obtain an image as for FROM or pull. Unless you want (or need) to run the CLI remote from the daemon, using the default Unix socket or Windows named pipe is easier than managing TLS or SSH connections.

    You need to either give the daemon the ‘CA’ certificate (I’m not sure if it requires the root specifically or just an anchor; SSL/TLS stacks vary on this, and I don’t have my own registry to test) or make the CA trusted on your (really the daemon’s) underlying system (for Ubuntu see man update-ca-certificates) (and bounce the daemon, according to the link above) or configure the daemon to accept the registry as insecure; see https://docs.docker.com/engine/reference/commandline/dockerd/#insecure-registries and particularly https://docs.docker.com/registry/insecure/#use-self-signed-certificates .
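
The daemon-side fix discussed in both answers, as an added example (not from either poster and not Docker's own tooling): it builds a constructed root, issuing CA and registry certificate, shows that the root alone does not validate the registry certificate while root plus issuing CA does (the "two were needed" case), and only then stages the CA file under `etc/docker/certs.d/<registry>/ca.crt`. It assumes `openssl` is installed; the hostname `registry.example.internal`, the helper names and the staging prefix are hypothetical.

```shell
#!/bin/sh
# Added example. Every subject, hostname and path here is constructed.

# Create a throwaway root -> issuing CA -> registry leaf chain in directory $1.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do   # one key and CSR per certificate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Succeeds only if server certificate $2 chains to CA file $1
# (the system CA directory is ignored so an existing trust entry cannot mask a gap).
bundle_trusts() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Copy CA file $1 to <prefix $4>/etc/docker/certs.d/<registry $2>/ca.crt, but only
# after it has been shown to validate the registry's certificate $3.
stage_for_daemon() {
  bundle_trusts "$1" "$3" || { echo "CA file does not validate $2" >&2; return 1; }
  mkdir -p "$4/etc/docker/certs.d/$2" && cp "$1" "$4/etc/docker/certs.d/$2/ca.crt"
}

# Demo in a scratch directory: reports which CA file is enough for the daemon.
run_demo() {
  d=$(mktemp -d) || return 1
  make_demo_chain "$d" || return 1
  cat "$d/root.crt" "$d/int.crt" > "$d/both.pem"
  for ca in root.crt both.pem; do
    if stage_for_daemon "$d/$ca" registry.example.internal "$d/leaf.crt" "$d/stage"
    then echo "$ca: staged"; else echo "$ca: rejected"; fi
  done
  rm -rf "$d"
}

# Run the demo only when asked: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then run_demo; fi
```

Against a real registry, the certificate passed as the third argument is the one the registry presents, and the daemon has to be restarted after the CA file is in place, as the answer above says.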
