
I have been working on setting up a docker notary on a Centos 8 machine. I followed the README.md for the notary project, which tells me to use the testing certificate the project
comes with by moving it to the .notary folder in my home directory. My hope here is that when my docker client is set up for it and when I properly tag the image, a docker push to my private docker repo (jFrog Artifactory) would result in a published image that is signed by the notary.

My private repo is running on its own machine and not on the machine where the notary server is running.

But every time I go for the push I get this error:

Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority

One of the ways I tried to fix this is by copying over the test certificates from fixtures/root-ca.crt to /etc/pki/ca-trust/source/anchors/ after which I ran update-ca-trust.

$ sudo cp fixtures/root-ca.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust

But doing this also didn’t help. Why is the notary server throwing this error? Help to resolve this would be greatly appreciated.


Answers


  1. I haven’t had issues working on Azure container registry.
    Working on the Jfrog registry, I had the same error.

    Your work around helped me

    $ sudo cp fixtures/root-ca.crt /etc/pki/ca-trust/source/anchors/
    $ update-ca-trust

    If it helps I can post my steps
    Thanks @RijoSimon

  2. Rijo, my solution is not complete because this doesn’t work on a remote server; I am facing an error:

    Error: error contacting notary server: x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx(notaryIP)
    

    Here is my solution, where I was able to sign the image locally on the notary server and push it:

    docker login artifactoryurl
    username:
    password:
    Login successful
    docker trust key generate keyname
    export DOCKER_CONTENT_TRUST=0
    docker build -f Dockerfile -t artifactoryurl/reponame:tag .
    export DOCKER_CONTENT_TRUST_SERVER=http://127.0.0.1:4443
    export DOCKER_CONTENT_TRUST=1
    docker trust signer add --key keyname.pub name artifactoryurl/repo
    docker trust sign artifactoryurl/reponame:tag
    docker inspect artifactoryurl/reponame:tag


    Hope it helps 😊

  3. With docker content trust, you can add the CA to the user’s home directory in a subdirectory under ~/.docker/tls:

    mkdir -p ~/.docker/tls/${content_trust_hostname}
    cp ca.pem ~/.docker/tls/${content_trust_hostname}/ca.crt
    export DOCKER_CONTENT_TRUST=1
    docker push ${content_trust_hostname}/${your_repo}:${tag}
    

    Note that the certificate likely needs to end with "crt" and if you don’t override the content trust server, the hostname will match the registry name.

  4. notary server: x509: certificate is valid for 127.0.0.1, not xx.xx.xx.xx(notaryIP)

    This error is because the certificate that ships with the notary server is only valid for notary-server, notaryserver and localhost. To make it work with your remote domain, you have to get a CA that works for your ip/domain.

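As an added example (not code from any of the answers above), a small POSIX-sh helper that ties answer 3 and answer 4 together: it works out which host the Docker client will contact for trust metadata (DOCKER_CONTENT_TRUST_SERVER if set, otherwise the registry part of the image name), where answer 3 says the client expects the CA for that host, and whether a certificate's subjectAltName list actually names that host, which is the mismatch answer 4 describes. Function names, the "DNS:name, IP Address:addr" SAN text format (as printed by openssl) and the constructed sample SAN list are assumptions.

```shell
#!/bin/sh
# Host that "docker push" with content trust will contact for signing.
# Assumes a registry-qualified image ref such as registry/repo:tag.
trust_host() {
    image="$1"
    server="$2"
    if [ -n "$server" ]; then
        h="${server#*://}"      # strip scheme (http:// or https://)
        h="${h%%/*}"            # drop any trailing path
    else
        h="${image%%/*}"        # registry part of "registry/repo:tag"
    fi
    printf '%s\n' "$h"
}

# Drop ":port" so the name can be compared with certificate SANs.
strip_port() {
    printf '%s\n' "${1%%:*}"
}

# CA location answer 3 describes: ~/.docker/tls/<host>/ca.crt
ca_path() {
    printf '%s\n' "$HOME/.docker/tls/$1/ca.crt"
}

# Does a SAN list such as "DNS:localhost, IP Address:127.0.0.1" name
# the host exactly?  Returns 0 if yes, 1 if not (no wildcard or IPv6
# handling; those would need a real TLS library).
san_covers() {
    host="$1"
    sans="$2"
    old_ifs="$IFS"
    IFS=','
    for entry in $sans; do
        entry="${entry# }"          # drop the space after each comma
        name="${entry#*:}"          # value after "DNS:" / "IP Address:"
        if [ "$name" = "$host" ]; then
            IFS="$old_ifs"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# Constructed SAN list matching the names answer 4 lists for the test cert.
TEST_SANS="DNS:notary-server, DNS:notaryserver, DNS:localhost, IP Address:127.0.0.1"
```

Feeding the output of `openssl s_client` / `openssl x509 -noout -ext subjectAltName` for your real notary server into `san_covers` tells you before a push whether the "valid for 127.0.0.1, not ..." error is coming.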