问题现象:
docker pull images拉取镜像正常
dockerfile中的from命令拉取镜像就会报出证书错误。报错信息如下:
[bjxtb@wj-kvm-test-jenkins-6-243 ceshi_dockerfile]$ docker build .
[+] Building 0.4s (3/3) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 273B 0.0s
=> ERROR [internal] load metadata for hub:10043/base_java/debian-jdk8-base:1.0.2 0.3s
=> [auth] base_java/debian-jdk8-base:pull token for hub:10043 0.0s
------
> [internal] load metadata for hub:10043/base_java/debian-jdk8-base:1.0.2:
------
Dockerfile:1
--------------------
1 | >>> FROM hub:10043/base_java/debian-jdk8-base:1.0.2
2 | WORKDIR /hskj/app
3 |
--------------------
ERROR: failed to solve: hub:10043/base_java/debian-jdk8-base:1.0.2: failed to resolve source metadata for hub.:10043/base_java/debian-jdk8-base:1.0.2: failed to authorize: failed to fetch oauth token: Post "https://hub:10043/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
尝试各种方法:
/etc/docker/daemon.json文件添加如下参数
insecure-registries
/etc/docker/certs.d/配置免密
两种往上常见方式都无果,最终找到一篇文章:
解决思路:把证书直接用openssl拉下来,然后加入到系统系统证书中,然后使用update-ca-certificates更新,最后重启docker服务,成功!!
方法1:
$ echo -n | openssl s_client -showcerts -connect dseasb33srnrn.cloudfront.net:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/local/share/ca-certificates/cloudfront.crt
$ update-ca-certificatesUpdating certificates in /etc/ssl/certs... 1 added, 0 removed; done.Running hooks in /etc/ca-certificates/update.d....Adding debian:cloudfront.pemdone.done.
方法2:
$ echo -n | openssl s_client -showcerts -connect dseasb33srnrn.cloudfront.net:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-certificates.crt
上面的方式之所以可以搞定大多数由于公司替换https证书造成的错误,是因为很多程序是使用系统默认的证书(路径)。
对于一些特殊的程序,比如python pip,不使用系统默认的证书,而是使用自己的路径,可以强制它使用*方式2*生成的证书。