Hi,
I'm using Bitbucket Pipelines and trying to configure a step to authenticate to my private registry, which is deployed with a self-signed certificate,
but the following command returns: "x509: certificate signed by unknown authority"
docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD registry.my-company.com
In a normal Linux-based build environment, I normally use the method described there to specify my certificate authority: Docker registry - use self signed certificates, which is:
cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
update-ca-certificates
But with Bitbucket Pipelines I did not find a way to interact with the Docker daemon to tell it to use my certificate authority, as it is started in a separate instance.
How do I tell the Docker daemon to trust my certificate?
Here is my basic bitbucket-pipelines configuration file:
image: atlassian/default-image:1
pipelines:
  default:
    - step:
        services:
          - docker
        script:
          - docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD registry.my-company.com
Thank you for your kind help :)
Hi Marc-Antoine,
have you found any workaround for that? Did you solve this issue somehow?
Hi,
Pipelines provides no mechanism for restarting the Docker daemon. You're going to need to figure out a workaround that doesn't need to do this. Which the Docker documentation suggests there aren't any.
I'd suggest opening a ticket here to track being able to interact with the Docker daemon: https://bitbucket.org/site/master/issues/new
Unfortunately I can't think of any more specific guidance here.
Thanks,
Phil
Hi Phil,
Thank you for taking the time to answer!
You confirmed my thoughts about the Docker daemon.
Knowing that, as a workaround I am thinking of redeploying a Docker repository proxy with a Let's Encrypt certificate, following this kind of procedure.
That way I just need to change my repository proxy, not the repository itself, which stays private.
I will let you know if it works.
Thanks.
Hello,
I am also getting the same error "x509: certificate signed by unknown authority" when I try to connect to my Harbor registry from a Bitbucket pipeline script.
Please let me know if there is any way to resolve this issue.
script:
  - docker login --username $HARBOR_USERNAME --password $HARBOR_PASSWORD registry.my-company.com
Thanks,
Koushik
I found a solution and thought it might be helpful for someone else who runs across this thread. You can add a CA to java inside the runner using this command:
You can configure the insecure registry option in the Docker daemon. https://support.atlassian.com.rproxy.goskope.com/bitbucket-cloud/docs/pipelines-runners-frequently-asked-questions/
If you are using a self hosted runner (currently in beta) you can resolve this simply by installing the required certificates on the host on which your runner runs.
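For the self-hosted runner case mentioned above, this is an added example (not posted by anyone in the thread) of installing the registry's CA into Docker's per-registry trust directory, which keeps TLS verification on instead of marking the registry insecure. It assumes the Docker daemon that performs the login runs on the runner host and reads /etc/docker/certs.d; install_registry_ca is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): install a private registry's CA into
# Docker's per-registry trust directory, <certs_root>/<host[:port]>/ca.crt.
# install_registry_ca is a hypothetical helper name.
# Usage (as root): install_registry_ca certs/domain.crt registry.my-company.com

install_registry_ca() {
    ca_file=$1
    registry=$2
    certs_root=${3:-/etc/docker/certs.d}   # Docker's default location on Linux

    # Accept only a bare host[:port]; reject paths, "..", and empty names.
    case $registry in
        ''|.*|*/*|*[!A-Za-z0-9.:-]*)
            echo "invalid registry name: $registry" >&2; return 2 ;;
    esac

    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 3; }

    # A trust anchor must never ship with its private key.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "$ca_file contains a private key; refusing" >&2; return 4
    fi

    # Must parse as an X.509 certificate and must not be expired.
    openssl x509 -in "$ca_file" -noout 2>/dev/null ||
        { echo "$ca_file is not a PEM certificate" >&2; return 5; }
    openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null ||
        { echo "$ca_file has expired" >&2; return 6; }

    dest=$certs_root/$registry
    mkdir -p "$dest" || return 7
    cp "$ca_file" "$dest/ca.crt" || return 7
    chmod 0644 "$dest/ca.crt" || return 7

    # Print the fingerprint so it can be compared with the one published
    # by whoever operates the registry.
    openssl x509 -in "$dest/ca.crt" -noout -fingerprint -sha256
}
```

If the registry listens on a non-default port, the directory name must include it (for example registry.my-company.com:5000).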
Hi,
I am also facing the same error "x509: certificate signed by unknown authority" with docker login in a Bitbucket pipeline.
Did anyone find any workaround?
It's 2021 and still no solution? Did Atlassian let this one slip through the cracks? It seems like a feature a lot of people would want.