Self-hosted registry "x509: certificate signed by unknown authority" in CI
The docker daemon could not validate the registry TLS certificate because its signing CA is not in the runner trust store. This hits private/self-hosted registries using an internal or self-signed CA. Install the CA into the daemon trust path rather than disabling TLS verification.
What this error means
docker pull or push to a private registry fails with "x509: certificate signed by unknown authority" during the TLS handshake.
Error response from daemon: Get "https://registry.internal:5000/v2/":
x509: certificate signed by unknown authorityCommon causes
The internal CA is not in the runner trust store
A registry served with a corporate or self-signed certificate has a CA the slim runner image does not trust.
Missing per-registry cert for the docker daemon
The daemon looks for a CA under /etc/docker/certs.d/<host>/ and finds none, so verification fails.
How to fix it
Install the registry CA for the daemon
- Obtain the registry CA certificate.
- Place it at /etc/docker/certs.d/<host>:<port>/ca.crt.
- Restart docker (or it picks it up per-registry) and retry.
sudo mkdir -p /etc/docker/certs.d/registry.internal:5000
sudo cp ca.crt /etc/docker/certs.d/registry.internal:5000/ca.crtAdd the CA to the system trust store
For buildx/containerd and other clients, also install the CA system-wide.
sudo cp ca.crt /usr/local/share/ca-certificates/registry-ca.crt
sudo update-ca-certificatesHow to prevent it
- Bake the internal registry CA into custom runner images.
- Use certificates from a CA the runners already trust.
- Avoid insecure-registry workarounds in favor of proper trust.