Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,456,333
Community Members
 
Community Events
176
Community Groups

How to configure docker daemon with pipelines to trust a private certificate authority

Edited

Hi, 

I'm using bitbucket pipelines and try to configure a step to authenticate to my private registry deployed with a self-signed certificate.

but the following command returns : "x509: certificate signed by unknown authority"

docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD registry.my-company.com

On a linux-based normal build environnement, I normally use the method described there to specify my certificate authority : Docker registry - use self signed certificates which is :

  1. cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt update-ca-certificates
  2. Restart Docker daemon for the changes to take effect.

But with bitbucket pipelines I did not find the way to interact with docker daemon to tell him to use my certificate authority as it is started in a separate instance.

How to tell docker daemon to trust my certificate ? 

Here is my basic bitbucket-pipelines configuration file : 

image: atlassian/default-image:1
pipelines:
default:
- step:
services:
- docker
script:
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD registry.my-company.com

 Thank you for your kind help :)

6 answers

Hi Marc-Antoine,

have you found any workaround for that? Did you solve this issue somehow?

2 votes

Hi,

Pipelines provides no mechanism for restarting the Docker daemon. You're going to need to figure out a workaround that doesn't need to do this. Which the Docker documentation suggests there aren't any.

I'd suggest opening a ticket here to track being able to interact with the Docker daemon: https://bitbucket.org/site/master/issues/new

Unfortunately I can't think of any more specific guidance here.

Thanks,

Phil

Hi Phil,

Thank you for taking the time to answer! 

You confirmed my thought about the docker daemon.

Knowing that, as a workaround I am thinking to redeploy a docker repository proxy with a Lets-encrypt certificate following this kind of procedure.

Like that I just need to change my repository proxy, not the repository itself that stay private.

I will let you know if it works.

Thanks.

Hello, 

 

I am also getting same error "x509: certificate signed by unknown authority" when I am trying to connect my harbor registry from bitbucket pile line script. 

Please let me know is there any way to resolve this issue ?

 

script:
- docker login --username $HARBOR_USERNAME --password $HARBOR_PASSWORD registry.my-company.com

 

Thanks,

Koushik

I found a solution and thought it might be helpful for someone else who runs across this thread. You can add a CA to java inside the runner using this command:

/opt/java/openjdk/bin/keytool -import -trustcacerts -cacerts -file <ca_cert> -alias <name> -noprompt -storepass changeit

I share the /etc/ssl folder and have my ca placed inside that folder so the keytool can see the certificate.

If you are using a self hosted runner (currently in beta) you can resolve this simply by installing the required certificates on the host on which your runner runs.

Hi,

 I am also facing the same error "error "x509: certificate signed by unknown authority" with docker login in bitbucket pipeline 

Did anyone find any workaround?

it's 2021 and still no solution? Did atlassian let this one slip through the cracks? It seems like a feature a lot of people would want.

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events