x509: certificate signed by unknown authority when using Rancher Desktop to push Docker images

If you are using Rancher Desktop with the Moby CLI and you try to push images to a private registry, you may receive the following error:

$ docker push private.registry.domain/my/image
Using default tag: latest
The push refers to repository [private.registry.domain/my/image]
Get "https://private.registry.domain/v2/": x509: certificate signed by unknown authority

If you receive this error, it is likely because the VM that underpins Rancher Desktop (Lima) does not have, and therefore does not trust, the CA certificate used to sign the certificate for your private registry. To fix this, follow these steps:

  1. Using rdctl, open a shell onto the VM.
    rdctl is found in ~/.rd/bin
    Execute rdctl shell to pop into the lima VM
  2. Once inside the VM, navigate to /usr/local/share/ca-certificates
  3. Copy the PEM-encoded contents of your root CA certificate into a new file in this directory. You can echo the contents and redirect (>) into a file, or use vi.
  4. Once this file is created, execute update-ca-certificates.
  5. Restart Docker on this VM by executing service docker restart
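
Steps 2 to 5 as one script, with checks run before the file enters the trust store. This is an added example, not part of the original post. It assumes openssl is available in the VM and that update-ca-certificates there picks up files ending in .crt; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example; run as root inside the VM after `rdctl shell`.
# File names below are placeholders, not values from the post.

# pem_check FILE: accept only a file holding exactly one PEM certificate
# and no private key, so the trust store gains one known root and no secrets.
pem_check() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo "$1 contains a private key; refusing to install" >&2
        return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$1: expected exactly one certificate, found $begins" >&2
        return 1
    fi
}

# install_ca FILE NAME [DIR]: validate FILE, print its subject and SHA-256
# fingerprint for comparison with the value published by the CA owner,
# then copy it to DIR/NAME.crt.
install_ca() {
    dir=${3:-/usr/local/share/ca-certificates}
    pem_check "$1" || return 1
    if command -v openssl >/dev/null 2>&1; then
        # A leaf (server) certificate does not belong in the trust store.
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
            { echo "$1 is not a CA certificate" >&2; return 1; }
        openssl x509 -in "$1" -noout -subject -fingerprint -sha256
    else
        echo "openssl not found: CA flag and fingerprint not checked" >&2
    fi
    cp "$1" "$dir/$2.crt" && chmod 644 "$dir/$2.crt"
}

# Usage: sh install-ca.sh /tmp/root-ca.pem my-root-ca
if [ "$#" -eq 2 ]; then
    install_ca "$1" "$2" || exit 1
    update-ca-certificates
    service docker restart
fi
```

Compare the printed fingerprint with the one you obtained from the CA's owner before relying on the new trust anchor.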

You should now be able to push images!
