self signed certificates not working - "x509: certificate signed by unknown authority" error with private Docker repository
Behaviour
Steps to reproduce this issue
- Create private Docker Registry with self signed certificates
- Create Github runner with ca-certificate mounted into /etc/docker/certs.d/docker-registry.actions-runner-system.svc\:5000/ca.crt, so that Docker can pull and push from a private registry with those certs
- Configure Github workflow yaml to use this certificate
      - name: Setup docker context for buildx
        id: buildx-context
        run: docker context create builders || docker context use builders
      - name: Copy ca cert
        run: |
          sudo cp /etc/docker/certs.d/docker-registry.actions-runner-system.svc\:5000/ca.crt /etc/ssl/certs/ca-certificates.crt
      - name: Create BuildKit Configuration
        run: |
          cat <<EOF > buildkitd.toml   
          [registry."docker-registry.actions-runner-system.svc:5000"]
            http = false
            insecure = false
            ca=["/etc/ssl/certs/ca-certificates.crt"]
          EOF
      - name: Setup Docker Buildx
        id: setup_docker_buildx
        uses: docker/setup-buildx-action@v1
        with:
          endpoint: builders
          buildkitd-flags: --debug
          config: buildkitd.toml
      - name: Build and push (broker)
        id: docker_build_broker
        uses: docker/build-push-action@v2
        with:
          file: Dockerfile
          push: false #deactivated for testing
          tags: someOtherRegistry/app:test
          cache-from: type=registry,ref=docker-registry.actions-runner-system.svc:5000/app:buildcache
          cache-to: type=registry,ref=docker-registry.actions-runner-system.svc:5000/app:buildcache,mode=max
Expected behaviour
My expectation is that “setup-buildx-action” should take the ca-certs from the Runner and use them in the moby/buildkit:buildx-stable-1 Docker container, where the build-push-action is executed.
This is based on https://github.com/docker/buildx/pull/787#discussion_r734168450 - If I understood it correctly.
Actual behaviour
x509: certificate signed by unknown authority

Are my expectations wrong, or did I use some wrong configuration?
Issue Analytics
- State:
- Created 2 years ago
- Comments:13 (2 by maintainers)

I don’t use github workflow or k8s so notation was not very clear. But yes I’ve managed to push the multi-arch image to secure repo. Created a buildkitd.toml file and passed it while creating new buildx builder

Replace ca=["/etc/ssl/certs/ca-certificates.crt"] with ca=["/etc/pki/ca-trust/source/anchors/ca.crt"] for centos.

Was still getting x509: certificate signed by unknown authority on other machines trying to pull push image directly (without buildx) to the registry, but that was due to certificate not being recognized even after commands below. Had to restart the machines for certificate to be recognized. Maybe logging in/out would be enough…

Ubuntu:

Centos:

@erichorwath This has been fixed with https://github.com/docker/buildx/pull/787 and available since 0.7.0-rc1:

Let us know if it works. I will also open a PR to update our doc here when 0.7.0 is GA.