Skip to content

Getting x509: certificate signed by unknown authority while uploading image to Suse Private Registry

Article Number: 000022095

Environment

  • SUSE Private Registry

Situation

  • Whenever we try to push an image to the SUSE Private registry, we get the following error :
"Get "https://core.harbor.domain/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "harbor-ca")"

Cause

  • The error occurs when the client (e.g., Docker, containerd) does not trust the certificate authority (CA) that signed Harbor’s certificate.

Resolution

  • Log in to the SUSE private registry web interface and download the 'Registry Certificate' under the project.

  • Once downloaded, SSH to the node where the private registry is configured or to the node from where you are uploading the images and upload the `ca.crt` certificate by following the commands below :
a) Upload downloaded ca.crt certificate to the server node : 
   #cp ca.crt /usr/local/share/ca-certificates/

b) Update the ca certificates on the server node : 
    #update-ca-certificates 
  output : 
      Updating certificates in /etc/ssl/certs...
      0 added, 0 removed; done. 
      Running hooks in /etc/ca-certificates/update.d...
      done.

c) systemctl restart docker (if using docker service)

This results in the CA cert being trusted system-wide.