Docker and LetsEncrypt

Published by Bill on (Updated: )

If you are running a private container registry and using a certificate provided by LetsEncrypt, make sure you are using fullchain.pem and not cert.pem. If you miss this, the Docker CLI will report that your certificate is signed by an unknown authority.

I have an instance of Harbor running as a private container registry. The certificate used by this instance is provided by LetsEncrypt and yet the Docker CLI refused to let me log in.

docker login harbor.tanzu.xyz

This gave me the following error.

INFO[0005] Error logging in to endpoint, trying next endpoint  error="Get \"https://harbor.tanzu.xyz/v2/\": x509: certificate signed by unknown authority"
Get "https://harbor.tanzu.xyz/v2/": x509: certificate signed by unknown authority

The fix was simple, but it wasn’t obvious and took me a while to track down. When you use certbot to provision certificates you are given a few different files.

ls /etc/letsencrypt/live/harbor.tanzu.xyz
README	cert.pem  chain.pem  fullchain.pem  privkey.pem

I had used cert.pem. The fix is to use fullchain.pem. The former contains only your leaf certificate. The latter contains your certificate followed by the intermediate certificates that link it to the LetsEncrypt root. Browsers typically already have the intermediate cached or can fetch it themselves, but Docker's TLS client verifies only the chain the server actually sends, so a server configured with cert.pem alone fails with the "unknown authority" error. Once I switched to using the full trust chain I was able to log in using the Docker CLI.
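As an added check (example code, not from the original post), the following POSIX shell functions tell a leaf-only bundle apart from a full chain by counting the PEM certificate blocks in the file, which is exactly the difference between certbot's cert.pem (one block) and fullchain.pem (two or more). The optional live check uses openssl s_client to count how many certificates a running registry actually sends during the handshake; the host name and port are assumptions, and it needs network access and the openssl binary.

```shell
#!/bin/sh
# Added example, not part of the original post or of Harbor/certbot.
# Assumes: POSIX sh and grep; `openssl` only for the optional live check.

# Count the PEM certificate blocks in a file. certbot's cert.pem holds one
# (the leaf); fullchain.pem holds two or more (leaf plus intermediates).
# `|| true` keeps the count ("0") even when grep exits 1 on no match.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed (exit 0) when the bundle carries at least one intermediate,
# fail (exit 1) when it is a leaf-only file such as cert.pem.
bundle_has_chain() {
    n=$(pem_cert_count "$1")
    [ "$n" -ge 2 ]
}

# Human-readable verdict for the bundle a registry is configured with.
check_bundle() {
    if bundle_has_chain "$1"; then
        echo "OK: $1 contains $(pem_cert_count "$1") certificates (leaf + chain)"
        return 0
    fi
    echo "WARNING: $1 contains only the leaf certificate; point the registry at fullchain.pem"
    return 1
}

# Optional live check (assumed host/port, needs network + openssl): count the
# certificates the server sends in the TLS handshake. A result of 1 means the
# registry is serving cert.pem and Go-based clients such as Docker will fail
# with "x509: certificate signed by unknown authority".
served_chain_count() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Typical use (paths are certbot's defaults, host is a placeholder):
#   check_bundle /etc/letsencrypt/live/registry.example.com/fullchain.pem
#   served_chain_count registry.example.com 443
```

Run `check_bundle` against the file your registry's TLS configuration references; if it warns, switch the configuration to fullchain.pem, restart the registry, and confirm with `served_chain_count` that the handshake now carries more than one certificate.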