Pivotal Knowledge Base

Follow

Docker Login Error "certificate signed by unknown authority" with VMware Harbor and UAA

Environment

Pivotal Container Service (PKS): v1.0.0-build.3

VMware Harbor Registry: v1.4.1-build.1

Harbor Authentication Mode: UAA in Pivotal Container Service 

Symptom

When using docker client CLI to log on to the VMware Harbor Registry's correct FQDN Hostname:

Example: $ docker login myharbor.domain.com

It fails with error:

Error response from daemon: Get https://myharbor.domain.com/v2/: x509: certificate signed by unknown authority.

Cause

Your local client does not have the certificate in its keychain and/or the docker server/client is not using it.

Resolution

Follow the steps to resolve this issue:

Step 1: Locate your certificate for your VMware Harbor Registry from Operations Manager:

  1. Browse to the Ops Manager Dashboard. Click on the tile for VMware Harbor Registry.
  2. From the Settings tab, click on Certificate. Copy your certificate from the panel.
  3. Create a cert.pem file with the contents copied from above. Simply create this cert.pem file through a copy/paste of the CERTIFICATE copied.

The end result should be that your cert.pem file:

Starts with the following line:

-----BEGIN CERTIFICATE-----

And ends with the following line:

-----END CERTIFICATE----- 

Step 2: Then add that cert.pem to your Operating System's trust store

MAC OPTION (For Mac OS X only): If using both Docker App and the docker CLI on Mac OS X, you can add it to the keychain from the terminal:

$ security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ./cert.pem

MAC OPTION (Continued): Then Quit and restart your local Docker App 

Step 3: Now you retry logging in to VMware Harbor Registry:

$ docker login myharbor.domain.com

Comments

  • Avatar
    Sangdon Shin

    Thank you Kyle for the good article, it was really helpful!

Powered by Zendesk