VCH unable to pull images using "docker pull" from docker hub

Article ID: 317021

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • While trying to pull an image from Docker Hub using the docker pull <image name> command, you see an error similar to the following:
    Using default tag: latest
    Error response from daemon: Head https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority
  • The VCH is configured to use a proxy server for internet connectivity.
  • The configured proxy server has SSL termination enabled. You can verify this by running a command similar to curl -x <proxy URL> -v <Destination website URL> from any machine that uses the same proxy. In the output, look for the Issuer details: you should see the proxy host details rather than the actual Issuer of the certificate for that website.
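
The issuer check described above, as an added example that is not part of the original article or of the VMware tooling. The function names, the proxy CA name "Example Proxy CA" and both sample outputs are constructed for illustration.

```shell
# Added example: classify the certificate issuer seen in `curl -v` output.
# Function names and the sample data below are constructed for illustration.

# Print the first "issuer:" field found in curl verbose output on stdin.
cert_issuer() {
    sed -n 's/^\*[[:space:]]*issuer:[[:space:]]*//p' | head -n 1
}

# Usage: classify_issuer "<substring of the proxy CA name>" < curl_output
# Prints "intercepted" when the issuer is the proxy's CA, "direct" when it is
# some other issuer, "unknown" when no issuer line is present.
classify_issuer() {
    proxy_ca=$1
    issuer=$(cert_issuer)
    if [ -z "$issuer" ]; then
        echo unknown
        return 0
    fi
    case $issuer in
        *"$proxy_ca"*) echo intercepted ;;
        *)             echo direct ;;
    esac
}

# Constructed sample: output as seen through an SSL-terminating proxy.
sample_via_proxy() {
    cat <<'EOF'
* Server certificate:
*  subject: CN=*.docker.io
*  issuer: O=Example Corp; CN=Example Proxy CA
*  SSL certificate verify ok.
EOF
}

# Constructed sample: the same request without interception.
sample_direct() {
    cat <<'EOF'
* Server certificate:
*  subject: CN=*.docker.io
*  issuer: O=Example Public CA; CN=Example Issuing CA 1
*  SSL certificate verify ok.
EOF
}

# Live use (curl writes -v output to stderr, so swap the streams):
#   curl -x "$PROXY_URL" -v https://registry-1.docker.io/v2/ 2>&1 >/dev/null |
#       classify_issuer "Example Proxy CA"
sample_via_proxy | classify_issuer "Example Proxy CA"   # prints: intercepted
```

When the result is "intercepted", the proxy's root CA chain is the file to supply as the registry CA in the Resolution section.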


Environment

VMware vSphere Integrated Containers 1.5.x

Resolution

When the VCH tries to pull an image from Docker Hub over the internet, the traffic passes through the proxy server. During the SSL termination process, the proxy server adds its own CA chain to the Docker Hub certificate, so the certificate the VCH receives is issued by the proxy rather than by the site's actual Issuer. This CA chain is not recognized by the VCH.

To resolve this, you need to reconfigure the VCH to use the proxy server's root CA chain as a registry CA. A command similar to the following can be used to reconfigure the VCH:
    vic-machine-operating_system configure \
        --target vcenter_server_address/dc1 \
        --user [email protected] \
        --password password \
        --compute-resource cluster1 \
        --registry-ca /home/admin/mycerts/ca.crt \
        --name vch1 \
        --thumbprint certificate_thumbprint \
        --no-tlsverify


Additional Information

Configure Registry Access