Behaviour
Steps to reproduce this issue
Create GitHub Action CI to log in to a local self-hosted Docker registry running a container with SSL and user authentication.
Build images and push to the local registry. Only `docker/build-push-action@v2` complains about x509 unknown authority, while it works when pushing directly with the `docker push` command.
```yaml
- name: Copy cert to trust local registry
  shell: bash
  run: ./cert.sh
- name: Login to self-hosted registry
  uses: docker/login-action@v1
  with:
    registry: a00.fritz.box
    username: ${{ secrets.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_TOKEN }}
- name: Build image
  id: docker_build
  uses: docker/build-push-action@v2
  with:
    context: .
    file: Dockerfile
    platforms: linux/amd64,linux/arm64
    push: true
    load: false
    no-cache: false
    tags: a00.fritz.box/alpine-dummy:master
```

```bash
# Make sure local registry container with cert is configured as described on: https://docs.docker.com/registry/deploying/
# Run act https://github.com/nektos/act
$ act -s DOCKER_USERNAME=username -s DOCKER_TOKEN=password
```
cert.sh
```bash
#!/bin/bash
# Workaround script to copy cert to container as described on: https://docs.docker.com/registry/insecure/
# Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
mkdir -p /etc/docker/certs.d/a00.fritz.box
mkdir -p /etc/docker/certs.d/a00.fritz.box:5000
sudo cp ca.crt /etc/docker/certs.d/a00.fritz.box/ca.crt
sudo cp ca.crt /etc/docker/certs.d/a00.fritz.box:5000/ca.crt
sudo cp ca.crt /usr/local/share/ca-certificates/a00.fritz.box.crt
sudo cp ca.crt /usr/local/share/ca-certificates/a00.fritz.box:5000.crt
cat /etc/docker/certs.d/a00.fritz.box:5000/ca.crt
update-ca-certificates
```
Output
```
| #6 pushing layers 0.0s done
| #6 ERROR: failed to do request: Head "https://a00.fritz.box/v2/alpine-dummy/blobs/sha256:1fb7c5c6c72df48c396ed61d2928a3dc0b5b936d9f1634d63071d0c0a3c488fa": x509: certificate signed by unknown authority
| ------
| > exporting to image:
| ------
| error: failed to solve: failed to do request: Head "https://a00.fritz.box/v2/alpine-dummy/blobs/sha256:1fb7c5c6c72df48c396ed61d2928a3dc0b5b936d9f1634d63071d0c0a3c488fa": x509: certificate signed by unknown authority
[CI/Build image] ❗ ::error::buildx failed with: error: failed to solve: failed to do request: Head "https://a00.fritz.box/v2/alpine-dummy/blobs/sha256:1fb7c5c6c72df48c396ed61d2928a3dc0b5b936d9f1634d63071d0c0a3c488fa": x509: certificate signed by unknown authority
[CI/Build image] ❌ Failure - Build image
Error: exit with `FAILURE`: 1
```
Expected behaviour
Identical behavior which works without complaining about the certificate:
```yaml
- name: Publish to local registry
  run: |
    docker login a00.fritz.box
    docker push a00.fritz.box/alpine-dummy:master
# All success!
```
```yaml
name: CI
on:
  push:
    branches:
      - master
jobs:
  build:
    name: Build image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Copy cert to trust local registry
        shell: bash
        run: ./cert.sh
      - name: Login to self-hosted registry
        uses: docker/login-action@v1
        with:
          registry: a00.fritz.box
          username: testuser # ${{ secrets.DOCKER_USERNAME }}
          password: testpassword # ${{ secrets.DOCKER_TOKEN }}
      - name: Build image
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64 #,linux/arm64
          push: true
          load: false
          no-cache: false
          tags: a00.fritz.box/alpine-dummy:master
```
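
`x509: certificate signed by unknown authority` describes the trust store of the process that made the request, so the same certificate can verify for one client and fail for another. The script below is an added illustration, not part of the original report: it uses throwaway certificates and two hypothetical directories, `daemon_store` and `builder_store`, to stand in for a store that received `ca.crt` and one that did not.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and directory here is throwaway test data.

# trusted_by CERT STORE_DIR
# Verify CERT against the *.crt files in STORE_DIR, with OpenSSL's default
# CA file and CA directory switched off. Prints "trusted" or "unknown authority".
trusted_by() {
    cert=$1; store=$2
    bundle=$(mktemp)
    cat "$store"/*.crt > "$bundle" 2>/dev/null || true
    if [ -s "$bundle" ] &&
       openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1
    then echo "trusted"
    else echo "unknown authority"
    fi
    rm -f "$bundle"
}

# make_demo DIR
# Create a private CA, a leaf certificate signed by it, and two trust stores:
# daemon_store holds the CA (as a certs.d/<host>/ca.crt copy would), builder_store is empty.
make_demo() {
    d=$1
    mkdir -p "$d/daemon_store" "$d/builder_store"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=registry.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    cp "$d/ca.crt" "$d/daemon_store/ca.crt"
}

demo=$(mktemp -d)
make_demo "$demo"
echo "daemon_store:  $(trusted_by "$demo/leaf.crt" "$demo/daemon_store")"
echo "builder_store: $(trusted_by "$demo/leaf.crt" "$demo/builder_store")"
```

Running `trusted_by` with a certificate saved from the registry and each directory a given client actually reads shows which of them would accept it.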