Docker elastic 6 unknown authority

Hello,

I'm struggling while pulling elastic 6.x images from elastic docker repository.
I get the message: https://docker.elastic.co/v2/: x509: certificate signed by unknown authority

I'm running the command on a Linux Ubuntu server with the following certificate configurations:

  • /etc/docker/certs.d/docker.elastic.co/dockerelasticco.crt

I also tried to place the certificate under

  • /usr/local/share/ca-certificates/ and then run sudo update-ca-certificates

It's not an elastic issue (more a docker one), but because I'm hitting elastic docker repo, the answer from docker is: "it's not our repository" :stuck_out_tongue:

Thanks for your help
Hugo

Hello!

Is there a particular reason you are adding a certificate under /etc/docker/certs.d?

As you probably know, by default, all docker * commands towards docker.elastic.co will use https and verify its authentication through the certificate of docker.elastic.co (openssl s_client -connect docker.elastic.co:443 | openssl x509 -text). The elastic docker registry will not accept non-https connections. So this communication is secure.

If you are trying to follow this docker article AFAIU it would be useful for running a custom registry with self signed certificates.

Hello,

Thank you for your reply. I tried to add certificate under /etc/docker/certs.d because of the docker documentation (the link you mentioned).

Because the CA used to create the dockerelasticco.crt is not recognized by my docker daemon, I got the message (from my post: unknown authority).
I'm wondering if there is a specific installation step recommended by Elastic in order to enable the authority used to sign the elastic certificate for my docker installation.

It might be also an issue from my network (i.e. some firewall checks for https), however I want to make sure that everything is ok with my local configuration.

Thanks

Before mutating the default docker configuration, certificates etc. would it be possible that you ensure your ca-certificates deb package (you mentioned Ubuntu) is up to date, e.g. using sudo apt-get update && sudo apt-get install --only-upgrade ca-certificates?

If there's a newer version you'll need to restart the docker daemon afterwards. You also didn't mention which package and version of Docker you are using, e.g. docker-ce 17.12.1.

In general unless your operating system hasn't been updated for a long time (and as a result ca-certificates being really old), you should be able to just docker pull anything from www.docker.elastic.co with the defaults of docker package. We frequently test pulling the images across a number of operating systems without the need to customize anything.

Hey,

Thanks again.
Here is my global conf:

  • docker-ce: 17.12.1-ce
  • ubuntu: 16.04.4 LTS

Well, I've executed the ca-certificate upgrade but no certificates have been updated.

Based on what you mentioned, I think the issue might come from my configuration. I'll do more tests on another network and will let the forum know as soon as possible.

Regards

Hello,

I finally succeeded in downloading docker images from elastic.docker.com. It was because of my network security configuration (not allowed to hit https with certificate signed by an unknown authority).

Thanks for your help.

Best regards
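
Added example (not part of the original thread and not Elastic's or Docker's tooling): a shell helper that reads the output of the openssl s_client command quoted in the first reply and reports the issuer actually presented on this network path and whether it verifies against the local CA store, which separates the network-side cause found in this thread from a stale ca-certificates package. The function name, exit codes and both sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read on stdin.
# Exit status: 0 = chain verified, 1 = issuer not trusted locally, 2 = inconclusive.
diagnose_s_client() {
    out=$(cat)
    # Take the first "Verify return code: N (...)" line in case it appears more than once.
    code=$(printf '%s\n' "$out" | awk '/Verify return code:/ {print $4; exit}')
    # Issuer of the leaf certificate exactly as it arrived on this network path.
    issuer=$(printf '%s\n' "$out" | sed -n '/^issuer=/{s/^issuer= *//p;q;}')
    printf 'issuer: %s\n' "${issuer:-<none>}"
    case "$code" in
        0)  printf 'verdict: chain verifies against the local CA store\n'
            return 0 ;;
        18|19|20|21)
            # Self-signed or unknown-issuer codes: the signer is not in the local store.
            printf 'verdict: issuer not trusted locally (code %s); compare the issuer with a capture from another network\n' "$code"
            return 1 ;;
        *)  printf 'verdict: inconclusive (code %s)\n' "${code:-missing}"
            return 2 ;;
    esac
}

# Constructed excerpt: leaf re-signed by an inspection CA the host does not trust.
sample_intercepted() {
    cat <<'EOF'
CONNECTED(00000003)
---
subject=/CN=docker.elastic.co
issuer=/O=Constructed Corp/CN=Constructed Inspection CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Constructed excerpt: same host name, chain accepted by the local store.
sample_trusted() {
    cat <<'EOF'
CONNECTED(00000003)
---
subject=/CN=docker.elastic.co
issuer=/C=XX/O=Constructed Public CA/CN=Constructed Issuing CA
---
    Verify return code: 0 (ok)
EOF
}

# Live use (needs network access):
#   openssl s_client -connect docker.elastic.co:443 -servername docker.elastic.co </dev/null 2>/dev/null | diagnose_s_client
```

If the issuer printed on the failing network differs from the one printed on a network where the pull works, the certificate is being replaced in transit and updating the local CA store will not change the result.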
