Resolving x509: certificate signed by unknown authority

This error occurs when a computer or client cannot validate the SSL certificate presented to it by a remote host. If you're working in a corporate or private network with its own PKI infrastructure, you will encounter this many times when working with command-line tools. The root cause is that your private network uses certificates signed by a certificate authority that is not commonly known. The fix is to add the root certificate authority to the list of trusted certificates.

Edit: I have tested the same setup in Windows Subsystem for Linux 2 with Ubuntu.

The following guide was written primarily in the context of setting up a private Docker registry, but the steps should be generally applicable in an Ubuntu Linux environment.

Background

I encountered this error when I was setting up a private registry that was secured by TLS. When I attempted to do docker login my.private.registry, I encountered an x509 error, something that I'm getting more and more friendly with.

Resolution

First you need to get the root certificate of your Certificate Authority. You can obtain this by navigating to a site that uses a TLS certificate from the same authority and clicking the lock icon (depending on your browser). You have to download this file and save it. If the file is in PEM format you would want to convert it into CRT format. This step may be optional, but I have always done this. A quick Google search will tell you how to do this using openssl.

Another way to do this is using the command line openssl tool. You will run something like this:

openssl s_client -showcerts -connect <registry_address>:<registry_port> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt

The important thing is that the file storing this certificate should be called ca.crt.

Next you want to copy this certificate to /usr/local/share/ca-certificates/ (the directory is owned by root, so the copy needs sudo):

sudo cp ca.crt /usr/local/share/ca-certificates/

Finally, run the following to add/register the certificate on the local machine.

sudo update-ca-certificates

Now, restart the program that you were attempting to run and it should work.
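
Before the copy step above, it is worth checking what ca.crt actually contains: the s_client command saves every certificate the server presents (typically the leaf and any intermediates), and it fetches them over a connection that has not been verified yet. The script below is an added example, not part of the original guide; its function names are made up for illustration. It splits the file and prints each certificate's subject, issuer and SHA-256 fingerprint so the root can be compared with the value your PKI team publishes.

```shell
#!/bin/sh
# Added example: review the contents of ca.crt before trusting it.
# Usage (hypothetical file name): sh review-chain.sh ca.crt

# Split a PEM bundle into DIR/cert-1.pem, cert-2.pem, ...; prints the count.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Print the fields a human should compare against a trusted source.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# True when subject and issuer names hash to the same value (root candidate).
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Walk every certificate in the bundle and say which ones could be a root.
review_chain() {
    dir=$(mktemp -d)
    count=$(split_chain "$1" "$dir")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count =="
        describe_cert "$dir/cert-$i.pem"
        if is_self_issued "$dir/cert-$i.pem"; then
            echo "   self-issued: root candidate, verify the fingerprint out of band"
        else
            echo "   issued by another CA: leaf or intermediate, not a root"
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Only act when a bundle path is given on the command line.
if [ $# -ge 1 ]; then review_chain "$1"; fi
```

If no certificate is reported as self-issued, the server did not send its root, and the root certificate has to come from the CA itself rather than from this file.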

Docker specific things

You may have to restart Docker for the settings to take effect.

sudo systemctl restart docker

OR

sudo service docker restart

Docker only configuration

If you want to configure the trusted certificate for Docker only, you can do the following.

sudo cp ca.crt /etc/docker/certs.d/<docker registry>/ca.crt

You may have to make sure that the directory certs.d exists, along with a directory inside it that is named exactly as the URL of your registry, e.g. registry.domain.com.
