Docker Daemon Log

When I was working on securing a Docker registry, I followed the instructions, but when I ran docker push I always got an x509: certificate signed by unknown authority error. This means the self-signed certificate is not recognized by the Docker daemon.

To get more detailed information this time, check the Docker daemon log.

How to Enable Debug Mode?

Debug mode is off by default. See the enable debugging section here: https://docs.docker.com/config/daemon/

Edit the daemon.json file, which is usually located in /etc/docker/. You may need to create this file if it is not there.

{
"debug": true
}

Then send a HUP signal to the daemon to cause it to reload its configuration. On Linux hosts, use the following command:

sudo kill -SIGHUP $(pidof dockerd)
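
The edit step above, as an added example that is not part of the original post: a small Python helper that sets "debug" in daemon.json while keeping whatever settings the file already holds, and that refuses to touch a file that is not valid JSON. The function name set_daemon_debug, the 0644 mode for a newly created file and the sample file contents are assumptions made for illustration.

```python
import json
import os
import tempfile


def set_daemon_debug(path, enabled=True):
    """Set "debug" in a daemon.json file, keeping every other key.

    Returns the config that was written. Raises ValueError, leaving the file
    untouched, if the existing content is not a JSON object.
    """
    config, mode = {}, 0o644  # 0o644 for a new file is an assumption
    if os.path.exists(path):
        mode = os.stat(path).st_mode & 0o777  # keep the existing permissions
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if text.strip():
            try:
                config = json.loads(text)
            except json.JSONDecodeError as exc:
                raise ValueError(f"{path} is not valid JSON: {exc}") from exc
            if not isinstance(config, dict):
                raise ValueError(f"{path} must hold a JSON object")
    config["debug"] = bool(enabled)

    # Write a sibling temp file, then rename it over the target, so a crash
    # never leaves a half-written daemon.json behind.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):  # only true when the rename did not happen
            os.unlink(tmp)
    return config


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json with unrelated settings.
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "daemon.json")
        with open(sample, "w", encoding="utf-8") as fh:
            fh.write('{"data-root": "/var/lib/docker", "live-restore": true}')
        print(set_daemon_debug(sample, True))   # turn debugging on
        print(set_daemon_debug(sample, False))  # and off again afterwards
```

Run against /etc/docker/daemon.json it needs root, and the daemon still has to be sent the HUP signal shown above to pick up the change. Calling it again with enabled=False after troubleshooting returns the daemon to its normal log volume.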

Where is The Log?

https://stackoverflow.com/questions/30969435/where-is-the-docker-daemon-log

Ubuntu (old, using upstart) - /var/log/upstart/docker.log
Ubuntu (new, using systemd) - sudo journalctl -fu docker.service
Amazon Linux AMI - /var/log/docker
Boot2Docker - /var/log/docker.log
Debian GNU/Linux - /var/log/daemon.log
CentOS - /var/log/daemon.log | grep docker
CoreOS - journalctl -u docker.service
Fedora - journalctl -u docker.service
Red Hat Enterprise Linux Server - /var/log/messages | grep docker

On Red Hat, from the /var/log/messages file I can clearly see that the Docker daemon picks the certificate under the /etc/docker/certs.d/<domain, no port number!> folder.

If your OS uses systemd, the journalctl command can help, but container output is also dumped there; see this issue: https://github.com/moby/moby/issues/23339.

You can filter it with the following command (works fine on Red Hat):

journalctl -fu docker _TRANSPORT=stdout + OBJECT_EXE=docker