Pivotal Knowledge Base


Docker login cannot Validate Certificate error with VMware Harbor and UAA


  • Pivotal Container Service (PKS) v1.0.0-build.3
  • VMware Harbor Registry: v1.4.1-build.1
  • Harbor Authentication Mode: UAA in Pivotal Container Service
  • Docker client: 17.12.0-ce 


When using the Docker client CLI to log in to the VMware Harbor Registry by its IP address, for example "$ docker login X.X.X.X", the login fails with the following error:

"cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs"


The certificate for the Harbor VM is generated for the FQDN Hostname of the Harbor instance. This can be seen in Pivotal Cloud Foundry Operations Manager by navigating to VMware Harbor Registry from the Operations Manager Dashboard, as described below:

From the Operations Manager Dashboard, go to VMware Harbor Registry, then go to Settings, and select General.

The certificate in use can be seen by going to the Operations Manager Dashboard, navigating to VMware Harbor Registry, going to Credentials, and selecting Server Cert Key.

However, you cannot find the IP address the same way.
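
A TLS client compares an IP address only with the certificate's IP SANs and a hostname only with its DNS SANs, which is why a certificate issued for the FQDN is rejected for X.X.X.X. The script below is an added example, not part of the original article: it applies that rule to the SAN text of a certificate; the hostname, the addresses, the function names and the sample SAN text are assumptions constructed for illustration, and only IPv4 targets are handled.

```shell
#!/bin/sh
# Added example. SAN text is what `openssl x509 -noout -ext subjectAltName`
# prints (OpenSSL 1.1.1+). Constructed sample: a cert issued for the FQDN only.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:harbor.example.com'

# True when the argument looks like a dotted-quad IPv4 address.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the SAN values of one type ("DNS" or "IP Address"), one per line.
san_values() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Return 0 if a TLS client would accept the certificate for the target.
# An IP target is compared only with IP SANs, a hostname only with DNS SANs.
check_target() {
  san=$1
  target=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if is_ipv4 "$target"; then
    san_values "$san" 'IP Address' | grep -Fxq -- "$target" && return 0
    echo "$target: not in the certificate's IP SANs, use the FQDN"
    return 1
  fi
  while IFS= read -r name; do
    case "$name" in
      "$target") return 0 ;;
      '*.'*) # a wildcard covers exactly one leftmost label
        [ -n "${target%%.*}" ] && [ "${target#*.}" = "${name#\*.}" ] && return 0 ;;
    esac
  done <<EOF
$(san_values "$san" DNS | tr 'A-Z' 'a-z')
EOF
  echo "$target: no matching DNS SAN"
  return 1
}

# Demo on the constructed sample (addresses are documentation placeholders).
check_target "$SAMPLE_SAN" 192.0.2.10 || true
check_target "$SAMPLE_SAN" harbor.example.com && echo "harbor.example.com: covered"
```

To run it against a real certificate, save the Server Cert Key certificate to a file and pass the output of `openssl x509 -noout -ext subjectAltName -in <file>` as the first argument of `check_target`.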


Follow the steps to resolve this issue:

  1. Confirm the FQDN Hostname being used for the Harbor Registry (see above).
  2. Get the correct DNS entry added to your organization's DNS servers.

If the above is not possible, add an entry to your /etc/hosts file with the IP of the Harbor Registry instance.

  3. Now use the FQDN for the docker client:

$ docker login FQDN

