"docker pull" certificate signed by unknown authority

  • first create an empty json file

    cat << EOF > /etc/docker/daemon.json
    { }
    EOF
    
  • then run the following to add certs

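    # the target directory must exist before the redirect can write ca.crt
    mkdir -p /etc/docker/certs.d/[registry_address]
    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/[registry_address]/ca.crt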
    

works without restart

OR

import the cert into the system, like this:

  • save the cert to a file, like the command above (the port is crucial, no need for the protocol)

    openssl s_client -showcerts -connect [registry_address]:[registry_port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt
    
  • copy it to /usr/local/share/ca-certificates/

    sudo cp ca.crt /usr/local/share/ca-certificates/
    
  • run update-ca-certificates

    sudo update-ca-certificates
    
  • restart docker!


You may need to restart the docker service to get it to detect the change in OS certificates.

Docker does have an additional location you can use to trust an individual registry server's CA. You can place the CA cert inside /etc/docker/certs.d/<docker registry>/ca.crt. Include the port number if you specify that in the image tag, e.g. on Linux:

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

or in Windows 10:

C:\ProgramData\docker\certs.d\ca.crt
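
The certificate saved by openssl s_client above is whatever the server presented on that connection, so it is worth comparing its fingerprint with one obtained from the registry's administrator before trusting it. The following is an added example, not part of the answers above: it derives the certs.d directory name (including the port) from an image reference and installs a CA file only when its SHA-256 fingerprint matches. The function names and the optional CERTS_ROOT argument are assumptions made for this sketch.

```shell
# Added example (POSIX sh). Function names are hypothetical, not Docker tooling.

# Print the registry "host[:port]" of an image reference. Docker treats the
# first path component as a registry only if it contains "." or ":" or is
# "localhost"; anything else is an image on Docker Hub.
registry_of() {
  case $1 in
    */*) first=${1%%/*} ;;
    *)   echo docker.io; return 0 ;;
  esac
  case $first in
    *.*|*:*|localhost) printf '%s\n' "$first" ;;
    *) echo docker.io ;;
  esac
}

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# install_registry_ca IMAGE PEM_FILE EXPECTED_SHA256 [CERTS_ROOT]
# Copies PEM_FILE to CERTS_ROOT/<registry>/ca.crt and prints that path.
# Returns 1 on fingerprint mismatch, 2 if the file cannot be parsed,
# 3 if the file holds more than one certificate (only one was verified).
install_registry_ca() {
  image=$1; pem=$2; root=${4:-/etc/docker/certs.d}
  n=$(grep -c -e '-BEGIN CERTIFICATE-' "$pem") || n=0
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one certificate, found $n" >&2; return 3
  fi
  actual=$(cert_sha256 "$pem")
  [ -n "$actual" ] || return 2
  expected=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: file has $actual" >&2; return 1
  fi
  dir="$root/$(registry_of "$image")"
  mkdir -p "$dir" && cp "$pem" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt" &&
    printf '%s\n' "$dir/ca.crt"
}
```

A file produced with -showcerts can hold the whole chain; extract the single CA certificate you have a fingerprint for before passing it in.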
