rancher / quickstart


Cert issue with cloudflare when pulling images #234

Open claytontstevenson opened 3 months ago

claytontstevenson commented 3 months ago

A bit of an issue came up with the Vagrant quickstart option here. For background, this was working correctly until some recent Cloudflare maintenance. I noticed this issue beginning last week.

When running the command to start up the vagrant boxes it starts working correctly until the attempt at pulling images, at which point there is a cert error as seen here:

    server-01: + for image in $curlimage $jqimage "rancher/rancher:${rancher_version}"
    server-01: + docker inspect appropriate/curl
    server-01: + docker pull appropriate/curl
    server-01: Using default tag: latest
    server-01: latest: Pulling from appropriate/curl
    server-01: ff3a5c916c92: Pulling fs layer
    server-01: 3151abf94102: Pulling fs layer
    server-01: 58ae3cb4aac4: Pulling fs layer
    server-01: error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/d3/d37e1f717dc01df3a838955d29a149c569352c0991b1d7cf11b4ebca8c6c7f55/data?verify=1713529598-3jnBGyH9b626%2F1MRY0zJYJAd8Ng%3D: x509: certificate has expired or is not yet valid
    server-01: + sleep 2
    server-01: + docker inspect appropriate/curl

I checked the time on the VM to make sure, and it seemed to be correct. Pulling these images on my local machine, which is running VirtualBox, results in no error, which is why this appears to be something in the VM.

I'm happy to provide any additional logs or information here

robertsirc commented 2 months ago

Can you link the quick start guide? I know there are a few out there and I want to make sure it is up-to-date

claytontstevenson commented 2 months ago

This is the one I was following: https://ranchermanager.docs.rancher.com/getting-started/quick-start-guides/deploy-rancher-manager/vagrant

This is more or less the same as the instructions in the README for the repo: https://github.com/rancher/quickstart/tree/master/rancher/vagrant

orsi-dev commented 2 months ago

I have been facing the same issue for days and I've found a workaround for it. You should set the Docker daemon.json file (/etc/docker/daemon.json on RancherOS) with a registry mirror like this:

    { "registry-mirrors": ["https://registry.hub.docker.com/"] }

vonBork commented 1 month ago

The Cloudflare certificate is fine. I checked it via openssl:

    openssl s_client -connect production.cloudflare.docker.com:443 | openssl x509 -dates -noout
    Warning: Reading certificate from stdin since no -in or -new option is given
    Connecting to 104.16.98.215
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X2
    verify return:1
    depth=1 C=US, O=Let's Encrypt, CN=E1
    verify return:1
    depth=0 CN=production.cloudflare.docker.com
    verify return:1
    notBefore=Apr 10 23:38:51 2024 GMT
    notAfter=Jul  9 23:38:50 2024 GMT

I guess the certificates in the base image might have gotten old. Updating the base image might help.
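As an added example (not code from this thread or from the rancher/quickstart project): Docker is written in Go, and Go's crypto/x509 reports one message, "x509: certificate has expired or is not yet valid", for both ends of a certificate's validity window, so the first thing to establish is what time the client inside the VM thinks it is. The script below takes the `openssl x509 -dates -noout` output quoted in the comment above and the blob URL from the original error, and compares a candidate VM clock (the output of `date -u +%Y-%m-%dT%H:%M:%SZ` on the guest) against the certificate's window. It assumes that the `verify=<unix>-<signature>` parameter on the Cloudflare blob URL carries a Unix timestamp chosen by the server when it signed the URL; that is an assumption about the URL format, not something this page documents. The sample inputs are constructed from the values posted in the thread.

```python
"""Is Docker's "x509: certificate has expired or is not yet valid" explained by
the VM clock rather than by the certificate?  Compares a VM clock reading against
the certificate window from `openssl x509 -dates` and against the server-side
timestamp embedded in the failing blob URL.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed input: the dates pasted in the thread (single-digit day is padded
# with two spaces by openssl, exactly as in the real output).
SAMPLE_DATES_OUTPUT = """\
notBefore=Apr 10 23:38:51 2024 GMT
notAfter=Jul  9 23:38:50 2024 GMT
"""

# Constructed input: the blob URL from the original error message.
SAMPLE_BLOB_URL = (
    "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/"
    "sha256/d3/d37e1f717dc01df3a838955d29a149c569352c0991b1d7cf11b4ebca8c6c7f55/data"
    "?verify=1713529598-3jnBGyH9b626%2F1MRY0zJYJAd8Ng%3D"
)

# The message Go's x509.CertificateInvalidError uses for both "expired" and
# "not yet valid" (reason Expired), which is why the error alone is ambiguous.
GO_TIME_ERROR = "x509: certificate has expired or is not yet valid"


def parse_openssl_dates(text):
    """Parse `openssl x509 -dates -noout` output into (notBefore, notAfter) in UTC."""
    window = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key not in ("notBefore", "notAfter"):
            continue  # skips e.g. the "Warning: Reading certificate from stdin" line
        fields = value.split()  # collapses the double space in "Jul  9"
        if fields[-1] != "GMT":
            raise ValueError(f"unexpected timezone in {line!r}")
        stamp = " ".join(fields[:-1])
        window[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return window["notBefore"], window["notAfter"]


def parse_vm_clock(text):
    """Parse the guest's `date -u +%Y-%m-%dT%H:%M:%SZ` output into a UTC datetime."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(clock, not_before, not_after):
    """How a Go TLS client whose wall clock reads `clock` would judge the certificate."""
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"


def signed_url_timestamp(url):
    """ASSUMPTION: the `verify=<unix>-<sig>` query parameter carries the Unix time at
    which the server signed the URL, i.e. a server-side clock reading taken during
    the failing pull.  This is not documented on the page; treat it as a hint only."""
    query = parse_qs(urlparse(url).query)
    unix_seconds = int(query["verify"][0].split("-", 1)[0])
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


def diagnose(vm_clock_text, dates_text=SAMPLE_DATES_OUTPUT, blob_url=SAMPLE_BLOB_URL):
    """Compare the VM clock against the certificate window and the server timestamp."""
    not_before, not_after = parse_openssl_dates(dates_text)
    vm_clock = parse_vm_clock(vm_clock_text)
    server_time = signed_url_timestamp(blob_url)
    vm_verdict = classify(vm_clock, not_before, not_after)
    return {
        "vm_verdict": vm_verdict,
        "server_verdict": classify(server_time, not_before, not_after),
        "vm_minus_server_seconds": int((vm_clock - server_time).total_seconds()),
        "docker_error": GO_TIME_ERROR if vm_verdict != "valid" else None,
    }


if __name__ == "__main__":
    # A guest resumed from an old snapshot and never resynced (constructed clock):
    print(diagnose("2023-11-01T09:00:00Z"))
    # A guest whose clock agrees with the server to within a few minutes:
    print(diagnose("2024-04-19T12:30:00Z"))
```

Run `date -u +%Y-%m-%dT%H:%M:%SZ` inside the Vagrant guest and pass the result to `diagnose`: a `vm_verdict` of "not yet valid" or "expired" while `server_verdict` is "valid" points at the guest clock (or at a stale trust store in the base image, which this check does not cover), not at the Cloudflare certificate; a large `vm_minus_server_seconds` tells you how far off it is.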