Skip to content
Latchkey

Self-hosted registry "x509: certificate signed by unknown authority" in CI

The docker daemon could not validate the registry TLS certificate because its signing CA is not in the runner trust store. This hits private/self-hosted registries using an internal or self-signed CA. Install the CA into the daemon trust path rather than disabling TLS verification.

What this error means

docker pull or push to a private registry fails with "x509: certificate signed by unknown authority" during the TLS handshake.

docker
Error response from daemon: Get "https://registry.internal:5000/v2/":
x509: certificate signed by unknown authority

Common causes

The internal CA is not in the runner trust store

A registry served with a corporate or self-signed certificate has a CA the slim runner image does not trust.

Missing per-registry cert for the docker daemon

The daemon looks for a CA under /etc/docker/certs.d/<host>/ and finds none, so verification fails.

How to fix it

Install the registry CA for the daemon

  1. Obtain the registry CA certificate.
  2. Place it at /etc/docker/certs.d/<host>:<port>/ca.crt.
  3. Restart docker (or it picks it up per-registry) and retry.
Terminal
sudo mkdir -p /etc/docker/certs.d/registry.internal:5000
sudo cp ca.crt /etc/docker/certs.d/registry.internal:5000/ca.crt

Add the CA to the system trust store

For buildx/containerd and other clients, also install the CA system-wide.

Terminal
sudo cp ca.crt /usr/local/share/ca-certificates/registry-ca.crt
sudo update-ca-certificates

How to prevent it

  • Bake the internal registry CA into custom runner images.
  • Use certificates from a CA the runners already trust.
  • Avoid insecure-registry workarounds in favor of proper trust.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →