When I was working on securing a docker registry, I followed the instructions, but when I ran docker push I always got an "x509: certificate signed by unknown authority" error. This means the self-signed certificate is not recognized by the docker daemon.
To get more detailed information, I needed to check the docker daemon log.
How to Enable Debug Mode?
Debug mode is off by default. See the section on enabling debugging in the Docker daemon documentation: https://docs.docker.com/config/daemon/
Edit the daemon.json file, which is usually located in /etc/docker/. You may need to create this file if it is not there.
    { "debug": true }
Then send a HUP signal to the daemon to cause it to reload its configuration. On Linux hosts, use the following command:
    sudo kill -SIGHUP $(pidof dockerd)
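An added example, not from the original post or the Docker documentation: a Python helper that turns on the `debug` key in an existing daemon.json without dropping the other keys, and that refuses to overwrite a file it cannot parse. The function name `set_daemon_debug` and the sample file contents are assumptions made for illustration; the daemon still needs the HUP signal above to pick up the change.

```python
import json
import os
import tempfile


def set_daemon_debug(path, enabled=True):
    """Set "debug" in daemon.json and keep every other key.

    Returns the previous "debug" value (None if absent) so it can be
    restored when troubleshooting is finished.
    """
    config, mode = {}, 0o644
    if os.path.exists(path):
        mode = os.stat(path).st_mode & 0o777
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        # json.loads raises ValueError on malformed input, so a file we
        # cannot parse is left untouched instead of being overwritten.
        config = json.loads(text) if text.strip() else {}
        if not isinstance(config, dict):
            raise ValueError(f"{path}: top level must be a JSON object")
    previous = config.get("debug")
    config["debug"] = bool(enabled)

    # Write a temporary file in the same directory and rename it into place,
    # so a reload never sees a half-written daemon.json.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return previous


if __name__ == "__main__":
    # Constructed demo on a scratch file, not the real /etc/docker/daemon.json.
    with tempfile.TemporaryDirectory() as scratch:
        demo = os.path.join(scratch, "daemon.json")
        with open(demo, "w", encoding="utf-8") as fh:
            fh.write('{"log-driver": "json-file"}')
        print("previous debug value:", set_daemon_debug(demo))
        with open(demo, encoding="utf-8") as fh:
            print(fh.read())
```

Call it with `enabled=False` and reload the daemon again once troubleshooting is done, since debug logging is verbose.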
Where is The Log?
https://stackoverflow.com/questions/30969435/where-is-the-docker-daemon-log
    Ubuntu (old, using upstart) - /var/log/upstart/docker.log
On Red Hat, from the /var/log/messages file I can clearly see that the docker daemon picks up the certificate under the /etc/docker/certs.d/<domain, no port number!> folder.
If your OS uses systemd, the journalctl command can help, but container output is also dumped there; see this issue: https://github.com/moby/moby/issues/23339.
You can filter it with the following (works fine on Red Hat):
    journalctl -fu docker _TRANSPORT=stdout + OBJECT_EXE=docker