x509: certificate signed by unknown authority

A Go-based program — the Docker daemon, kubelet, or your own app — couldn’t trace the server’s certificate to a CA it trusts. Either an intermediate is missing, the CA is private, or the container has no CA bundle.

Common causes

  • The container or host has no (or a stale) CA-certificates bundle — typical in scratch and alpine images.
  • The server omits its intermediate certificate, breaking the chain to a trusted root.
  • The registry or endpoint uses a private or self-signed CA the daemon doesn’t trust.
  • A corporate TLS-inspecting proxy injects its own root certificate.

How to fix it

  1. Confirm the served chain is complete from a machine that has openssl:

    openssl s_client -connect registry.example.com:443 -showcerts </dev/null
  2. Add a CA bundle to the image or host. For Alpine or Debian install the package; for a Go scratch image, copy the roots in from a build stage:

    # Alpine
    apk add --no-cache ca-certificates
    # Debian/Ubuntu
    apt-get update && apt-get install -y ca-certificates
    # Go scratch image (Dockerfile instruction: copy roots from a build stage)
    COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
  3. For a private registry CA, install it where the Docker daemon looks, then restart Docker. (This fixes the Docker daemon’s own registry pulls; for containerd/Kubernetes nodes use /etc/containerd/certs.d/<host>/hosts.toml or add the CA to the host trust store, and for a Go app *inside* a container fix the app’s trust store, not the daemon’s.)

    sudo mkdir -p /etc/docker/certs.d/registry.example.com:443
    sudo cp ca.crt /etc/docker/certs.d/registry.example.com:443/ca.crt
    sudo systemctl restart docker
  4. For your own Go program, point it at the right roots with SSL_CERT_FILE=/path/to/ca-bundle.crt, or add the CA to the system trust store and rebuild the image.
