Why Does the docker pull Command Fail to Be Executed?

x509: certificate signed by unknown authority

Problem: When you run the docker pull command to pull an image from SWR, error message "x509: certificate signed by unknown authority" is displayed.

Possible causes:

• The container engine client communicates with SWR through HTTPS. The client verifies the server certificate. If the root certificate installed on the client is incomplete, the error message "x509: certificate signed by unknown authority" is displayed.
• A proxy is configured on the container engine client.

Solutions:

• If you trust the server, skip certificate authentication. Specifically, manually configure the container engine startup parameters using either of the following two methods. Replace Image repository address with the actual SWR repository address.
  • Add the following configuration to the /etc/docker/daemon.json file. If the file does not exist, manually create it. Ensure that two-space indents are used in the configuration.

    {
      "insecure-registries":["Image repository address"]
    }

  • /etc/sysconfig/docker:

    INSECURE_REGISTRY='--insecure-registry=Image repository address'

  After configuration, run the systemctl restart docker or service restart docker command to restart the container engine.

• Run the docker info command to check whether the proxy is correctly configured. If not, modify the configuration.

Error: remote trust data does not exist

Problem: When you run the docker pull command to pull an image from SWR, message "Error: remote trust data does not exist" is displayed.

Possible cause: The image signature verification is enabled on the client. However, the image to be pulled does not contain a signature layer.

Solution: Check whether the environment variable DOCKER_CONTENT_TRUST is set 1 in the /etc/profile file. If yes, change the value to 0 and run source /etc/profile for the setting to take effect.