containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0
8.13k stars 604 forks

[build] x509: certificate signed by unknown authority #363

Open nebiros opened 3 years ago

nebiros commented 3 years ago

Running:

lima nerdctl --insecure-registry=true compose --file=docker-compose.local.yml up --build

I got this error:

error: failed to solve: company.registry.com/golang:1.16-stretch: failed to do request: Head "https://company.registry.com/v2/golang/manifests/1.16-stretch": x509: certificate signed by unknown authority

Dockerfile.local

FROM company.registry.com/golang:1.16-stretch

ARG WORKSPACE

ENV VAULT_VERSION=1.8.2

RUN sed -i -e 's/^deb-src/#deb-src/' /etc/apt/sources.list \
    && export DEBIAN_FRONTEND=noninteractive \
    && apt-get update -y -q && apt-get upgrade -y -q \
    && apt-get install --no-install-recommends -y -q \
      wait-for-it \
      curl \
      unzip \
    && curl -sSL -o /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip \
    && unzip /tmp/vault.zip 'vault' -d /usr/local/bin \
    && rm /tmp/vault.zip

COPY ./certs/* /usr/local/share/ca-certificates/

RUN update-ca-certificates

WORKDIR ${WORKSPACE}

COPY go.mod go.sum ${WORKSPACE}/

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go mod download -x
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go install github.com/go-delve/delve/cmd/dlv@latest

COPY . ${WORKSPACE}

RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -race \
    -gcflags "all=-N -l" \
    -trimpath \
    -o /usr/local/bin/our-api \
    main.go

EXPOSE 40000
EXPOSE 3000

ENTRYPOINT ["./scripts/docker-local-entrypoint.sh"]

Weird thing is that the pull command works:

❯ lima nerdctl --insecure-registry=true pull company.registry.com/golang:1.16-stretch
WARN[0000] skipping verifying HTTPS certs for "company.registry.com"
company.registry.com/golang:1.16-stretch:                       resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:78bc17c372a67b203f1e6f7005482ba0c46d7123f8d9586862e0e42e364fc087:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:eac5030e5669ba90a47a4dfc91655c14bbc4afbec0905ff8e264c82a76a5a520: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:797cbb623b616c82047c57ca6db3740b0d60f3d6d62d6765a3f381129a930c6e:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:06a1ec819ae274d76b79b00b06b87b4c80e093b94e376c857d5c6a91f47c5902:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4b5f175d1abbc6d4a7774bd2912a927aa78b90fb04fb43d591e3dda317c9bb96:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:7885553ee256f7f9d1dd3016c0fd0c72fcd46217439371e3e1f610af0d159004:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:1c05d83e138cea8cb6ddd17442ab2138423db80e58408d93059f2ea25065952e:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:884ea03617543fd3eb6727d5dab474bcb8b11b5c36ff2783d442f32550770ff2:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:394ee1959bac9492a9fc64334844549eccd4274280678d81d6b5b19af703e2a6:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:22e09491e250a0b39b29730b3824ae3d3d87b50beca5ac2c13a654a3de356f7b:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 95.1s                                                                    total:  283.9  (3.0 MiB/s)

AkihiroSuda commented 2 years ago

Currently, --insecure-registry does not apply to build operations, because they are handled by buildkitd, not by containerd.

The solution is to create ~/.config/buildkit/buildkitd.toml (/etc/buildkit/buildkitd.toml for root) like this

# registry configures a new Docker register used for cache import or output.
[registry."docker.io"]
  mirrors = ["yourmirror.local:5000"]
  http = true
  insecure = true
  ca=["/etc/config/myca.pem"]
  [[registry."docker.io".keypair]]
    key="/etc/config/key.pem"
    cert="/etc/config/cert.pem"

# optionally mirror configuration can be done by defining it as a registry.
[registry."yourmirror.local:5000"]
  http = true

https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md

walidmourou commented 2 years ago

I am using Rancher Desktop (0.7.1) on Windows 10 Enterprise (under a big company). My command (test example) is:

nerdctl build -t nginx:nerd .

with this Docker file

# Dockerfile
FROM nginx:alpine
RUN echo 'Hello Nerdctl from containerd'

Despite having created the ~/.config/buildkit/buildkitd.toml file with the proposed content, I still get the same error:

[+] Building 0.7s (3/3) FINISHED
 => [internal] load build definition from Dockerfile                     0.1s
 => => transferring dockerfile: 31B                                      0.0s
 => [internal] load .dockerignore                                        0.1s
 => => transferring context: 2B                                          0.0s
 => ERROR [internal] load metadata for docker.io/library/nginx:alpine    0.6s
------
 > [internal] load metadata for docker.io/library/nginx:alpine:
------
error: failed to solve: failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head https://registry-1.docker.io/v2/library/nginx/manifests/alpine: x509: certificate signed by unknown authority
FATA[0000] unrecognized image format

I also want to note that when I pull or run the image, it works fine.

harshkotak commented 2 years ago

I have the same issue.

harshkotak commented 2 years ago

Signing out from my company VPN fixed the issue. VPN was messing up the cert.

walidmourou commented 2 years ago

This issue is solved in the version v1.0.0

codingbycoding commented 1 year ago

--insecure-registry does apply to nerdctl pull but does not apply to nerdctl build operations

try adding a buildkitd.toml for buildkitd as follows

/etc/buildkit/buildkitd.toml

[registry."your-container-registry.com"]
  http = true
  insecure = true

and don't forget to run systemctl restart buildkit
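Both AkihiroSuda's answer and codingbycoding's comment point at the same fix, a per-registry block in buildkitd.toml. As an added example that is not part of this thread or of nerdctl/BuildKit, the script below writes such a block, preferring the ca key (TLS verification stays on, against the private CA that signed the registry certificate) over insecure = true (verification off), and audits an existing buildkitd.toml for registries that skip verification; the registry name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not nerdctl/BuildKit code). Registry names and paths are placeholders.
set -eu

# gen_buildkitd_toml REGISTRY CA_PEM OUT_FILE
#   Writes a fresh OUT_FILE with one [registry."REGISTRY"] block (merge by hand if
#   you already have other blocks). With a CA bundle it uses ca=[...], so buildkitd
#   still verifies the certificate chain; with an empty CA_PEM it falls back to the
#   thread's insecure = true, which disables verification. Prints the mode used.
gen_buildkitd_toml() {
  registry="$1"; ca_pem="$2"; out="$3"
  if [ -n "$ca_pem" ]; then
    # Refuse anything that does not look like a PEM certificate bundle.
    grep -q 'BEGIN CERTIFICATE' "$ca_pem" 2>/dev/null \
      || { echo "not a PEM certificate bundle: $ca_pem" >&2; return 1; }
    printf '[registry."%s"]\n  ca = ["%s"]\n' "$registry" "$ca_pem" > "$out"
    echo "ca"
  else
    echo "warning: $registry configured without certificate verification" >&2
    printf '[registry."%s"]\n  http = true\n  insecure = true\n' "$registry" > "$out"
    echo "insecure"
  fi
}

# audit_buildkitd_toml FILE
#   Prints the name of every registry whose block sets insecure = true, i.e. where
#   buildkitd skips TLS verification. A [[...keypair]] or other table header ends
#   the block, matching TOML scoping of the keys that follow it.
audit_buildkitd_toml() {
  awk '
    /^[[:space:]]*\[registry\."/ {
      reg = $0; sub(/^[[:space:]]*\[registry\."/, "", reg); sub(/".*$/, "", reg); next
    }
    /^[[:space:]]*\[/ { reg = ""; next }
    reg != "" && /^[[:space:]]*insecure[[:space:]]*=[[:space:]]*true/ { print reg }
  ' "$1"
}

# Usage: sh this.sh REGISTRY CA_PEM [OUT]  (OUT defaults to the rootless buildkitd path)
if [ "$#" -ge 2 ]; then
  out="${3:-$HOME/.config/buildkit/buildkitd.toml}"
  mkdir -p "$(dirname "$out")"
  gen_buildkitd_toml "$1" "$2" "$out"
  audit_buildkitd_toml "$out"
fi
```

After writing the file, restart buildkitd (systemctl restart buildkit, as the comment above says) so the new block is read.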