Description
After installing nerdctl-full-2.2.1-linux-arm64.tar.gz using rootless mode, I am trying to build an image using a private Harbor registry (myregistry.com) that uses a self‑signed SSL certificate. I configured nerdctl.toml/hosts.toml/buildkitd.toml to skip TLS verification for that registry, but the build result is an error: (x509: certificate signed by unknown authority). I have read the relevant md document, but I couldn't find the cause of the problem.
Steps to reproduce the issue
1. Install containerd/fuse-overlayfs/buildkit
$ containerd-rootless-setuptool.sh install
$ containerd-rootless-setuptool.sh install-fuse-overlayfs
$ containerd-rootless-setuptool.sh install-buildkit-containerd
2. Configure
$ cat ~/.config/containerd/config.toml
[proxy_plugins]
[proxy_plugins."fuse-overlayfs"]
type = "snapshot"
address = "/run/user/1005/containerd-fuse-overlayfs.sock"
$ cat ~/.config/buildkit/buildkitd.toml
[worker.cni]
enabled = false
[worker.containerd]
enabled = true
rootless = true
namespace = "default"
snapshotter = "fuse-overlayfs"
[registry."myregistry.com"]
http = false
insecure = true # attention this config
$ cat ~/.config/nerdctl/nerdctl.toml
namespace = "default"
snapshotter = "fuse-overlayfs"
insecure_registry = true # attention this config
hosts_dir = ["/path/to/certs.d"]
$ cat /path/to/certs.d/myregistry.com/hosts.toml
server = "myregistry.com"
[host."myregistry.com"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true # attention this config
3. Restart
$ systemctl --user daemon-reload
$ systemctl --user restart containerd.service
$ systemctl --user restart buildkitd.service
4. Log in
$ nerdctl login myregistry.com
5. Build and get the error
$ cat Dockerfile
FROM myregistry.com/xxx/nginx:1.23.2
RUN echo "hello"
$ nerdctl build -t test-nginx:v1 .
[+] Building 0.1s (3/3) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 112B 0.0s
=> ERROR [internal] load metadata for myregistry.com/xxx/nginx:1.23.2 0.1s
=> [auth] xxx/nginx:pull token for myregistry.com 0.0s
------
> [internal] load metadata for myregistry.com/xxx/nginx:1.23.2:
------
Dockerfile:1
------
1 | >>> FROM myregistry.com/xxx/nginx:1.23.2
2 | RUN echo "hello"
3 |
------
error: failed to solve: failed to fetch oauth token: Post "https://myregistry.com/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
Describe the results you received and expected
Actual behavior:
Without running nerdctl pull myregistry.com/xxx/nginx:1.23.2 in advance, running nerdctl build -t test-nginx:v1 . with a simple Dockerfile results in: x509: certificate signed by unknown authority
Expected behavior:
Build should succeed, using the configured skip_verify = true / insecure_registry = true / insecure = true settings for the registry, just as nerdctl pull does.
Additional observations:
If I first run nerdctl pull myregistry.com/xxx/nginx:1.23.2, so that the image has already been downloaded locally, and then execute nerdctl build -t test-nginx:v1 . again, it succeeds.
What version of nerdctl are you using?
$ nerdctl version
client:
version: v2.2.1
os: linux/arm64
buildctl:
version: v0.26.3
server:
containerd:
version: v2.2.1
runc:
version: 1.0.0-rc3
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
Others
Host information
Kernel version is 4.19.90-89.23.v2401.ky10.aarch64