Skip to content
Latchkey

Kubernetes image pull "x509: certificate signed by unknown authority" in CI

When pulling from a registry served with a private or self-signed certificate, the node container runtime validates TLS against its trust store. If the registry CA is not installed on the node, the pull fails with x509 unknown authority.

What this error means

kubectl describe pod shows the pull failing with Failed to pull image ... x509: certificate signed by unknown authority. The pod stays in ImagePullBackOff.

kubectl
Failed to pull image "registry.internal/api:1.0": ... x509: certificate
signed by unknown authority

Common causes

Registry CA not in the node trust store

A private/self-signed registry CA is not installed where containerd/CRI reads certs on the nodes.

Incomplete certificate chain

The registry serves a leaf cert without its intermediate, so the chain does not validate.

How to fix it

Install the registry CA on the nodes

Place the CA where the container runtime expects it (containerd certs.d) and reload.

Terminal
# on each node (or via DaemonSet/MachineConfig):
sudo mkdir -p /etc/containerd/certs.d/registry.internal
sudo cp ca.crt /etc/containerd/certs.d/registry.internal/ca.crt

Fix the cert chain or registry config

  1. Serve the full chain (leaf + intermediates) from the registry.
  2. Confirm the registry hostname matches the certificate SAN.
  3. Re-deploy and confirm the pull succeeds.

How to prevent it

  • Distribute the registry CA to all nodes via the node image or a config DaemonSet.
  • Use a publicly trusted certificate for the registry where possible.
  • Always serve the complete certificate chain.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →