[SOLVED] Failed to pull image with “x509: certificate signed by unknown authority” error


This Content is from Stack Overflow. Question asked by maantarng

I am using k3s kubernetes, and Harbor as a private container registry. I use a self-sign cert in Harbor. And I have a sample image in Harbor, which I want to create a sample pod in Kubernetes using this private Harbor image.

I created a file call testPod.yml with the following content to create the pod:

apiVersion: v1
kind: Pod
  name: test
    - name: test
      image: harbor-server/t_project/test:001
    - name: testcred

However, there is an error after I applied this yml file, x509: certificate signed by unknow authority, which is shown below:

Name:         test
Namespace:    default
Priority:     0
Node:         server/
Start Time:   Thu, 07 Jul 2022 15:20:32 +0800
Labels:       <none>
Annotations:  <none>
Status:       Pending
    Container ID:   
    Image:          harbor-server/t_project/test:001
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Environment:    <none>
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-47cgb (ro)
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  19s               default-scheduler  Successfully assigned default/test to server
  Normal   BackOff    19s               kubelet            Back-off pulling image "harbor-server/t_project/test:001"
  Warning  Failed     19s               kubelet            Error: ImagePullBackOff
  Normal   Pulling    4s (x2 over 19s)  kubelet            Pulling image "harbor-server/t_project/test:001"
  Warning  Failed     4s (x2 over 19s)  kubelet            Failed to pull image "harbor-server/t_project/test:001": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/t_project/test:001": failed to resolve reference "harbor-server/t_project/test:001": failed to do request: Head "https://harbor-server:443/v2/t_project/test/manifests/001?ns=harbor-server": x509: certificate signed by unknown authority
  Warning  Failed     4s (x2 over 19s)  kubelet            Error: ErrImagePull

How to solve this x509 error? Is there any step that I have missed?


The CA’s certificate needs to be trusted first.

Put the CA into the host system’s trusted CA’s chain. Run the following command.

sudo mkdir -p /usr/local/share/ca-certificates/myregistry
sudo cp registry/myca.pem /usr/local/share/ca-certificates/myregistry/myca.crt
sudo update-ca-certificates

Notice, the cert on the specific directory have to be named with crt extension. restart the K3s service to let the change in effect.

Answered by Vad1mo
This Question and Answer are collected from stackoverflow and tested by JTuto community, is licensed under the terms of CC BY-SA 4.0.

people found this article helpful. What about you?