I'm struggling while pulling Elastic 6.x images from the Elastic Docker repository.
I get the message: https://docker.elastic.co/v2/: x509: certificate signed by unknown authority
I'm running the command on a Linux Ubuntu server with the following certificate configurations:
Is there a particular reason you are adding a certificate under /etc/docker/certs.d?
As you probably know, by default, all docker * commands towards docker.elastic.co will use https and verify its authentication through the certificate of docker.elastic.co (openssl s_client -connect docker.elastic.co:443 | openssl x509 -text). The elastic docker registry will not accept non-https connections. So this communication is secure.
If you are trying to follow this docker article, AFAIU it would be useful for running a custom registry with self-signed certificates.
Thank you for your reply. I tried to add certificate under /etc/docker/certs.d because of the docker documentation (the link you mentioned).
Because the CA used to create the dockerelasticco.crt is not recognized by my docker daemon, I got the message (from my post: unknown authority).
I'm wondering if there is a specific installation step recommended by Elastic in order to enable the authority used to sign the Elastic certificate for my docker installation.
It might be also an issue from my network (i.e. some firewall checks for https), however I want to make sure that everything is ok with my local configuration.
Before mutating the default docker configuration, certificates etc. would it be possible that you ensure your ca-certificates deb package (you mentioned Ubuntu) is up to date, e.g. using sudo apt-get update && sudo apt-get install --only-upgrade ca-certificates?
If there's a newer version you'll need to restart the docker daemon afterwards. You also didn't mention which package and version of Docker you are using, e.g. docker-ce 17.12.1.
In general unless your operating system hasn't been updated for a long time (and as a result ca-certificates being really old), you should be able to just docker pull anything from www.docker.elastic.co with the defaults of docker package. We frequently test pulling the images across a number of operating systems without the need to customize anything.
Well, I've executed the ca-certificates upgrade but no certificates have been updated.
Based on what you mentioned, I think the issue might come from my configuration. I'll do more tests on another network and will let the forum know as soon as possible.
I finally succeeded in downloading docker images from elastic.docker.com. It was because of my network security configuration (not allowed to hit https with a certificate signed by an unknown authority).
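The diagnosis this thread arrives at can be checked directly by looking at who issued the certificate the client actually receives. The following is an added example, not part of any post in the thread: a shell function that summarises `openssl s_client` output. The function names and the sample output (including the "Example Corp" CA names) are constructed for illustration.

```shell
# Added example: summarise `openssl s_client` output for a registry host.
# Live use (needs network access):
#   openssl s_client -connect docker.elastic.co:443 \
#     -servername docker.elastic.co </dev/null 2>/dev/null | summarize_chain

# Reads s_client output on stdin and prints the leaf subject, the issuer at the
# top of the presented chain, the verify return code, and a verdict.
summarize_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); if (leaf == "") leaf = $0 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); top = $0 }
    /Verify return code:/ {
      code = $0
      sub(/.*Verify return code: */, "", code)   # drop the label
      sub(/ .*/, "", code)                       # keep only the number
    }
    END {
      print "leaf_subject=" leaf
      print "top_issuer=" top
      print "verify_code=" code
      # 18-21 are the OpenSSL codes for a chain that does not end in a trusted CA
      if (code == "0") print "verdict=trusted"
      else if (code ~ /^(18|19|20|21)$/) print "verdict=untrusted_issuer"
      else print "verdict=other"
    }'
}

# Constructed sample: what s_client might print when a network device re-signs
# the connection with its own CA (all names below are made up).
sample_intercepted() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = docker.elastic.co
   i:O = Example Corp, CN = Example Corp TLS Inspection CA
 1 s:O = Example Corp, CN = Example Corp TLS Inspection CA
   i:O = Example Corp, CN = Example Corp Root CA
---
Server certificate
    Verify return code: 19 (self signed certificate in certificate chain)
---
EOF
}
```

A verdict of `untrusted_issuer` together with a `top_issuer` that is an internal or appliance CA points at TLS inspection on the network path rather than at the Docker or ca-certificates configuration.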