X509: certificate signed by unknown authority docker login

Good afternoon people,
I have a 13.7.1 gitlab server with the registry configured, I was using let´s encrypt for the ssl certificate (working normally), I ended up buying a wildcard for my domain, after updating to the new certificate I try to access via docker login and I get the following error:
Error response from daemon: Get https://gitregistry.com.br:8000/v2/: x509: certificate signed by unknown authorit
Access to projects via the web page is normally accessed with a wildcard.
Could you help me?

Hi, quick question. Did you combine the CA and intermediary certificates with the wildcard cert? Usually it would be combined (similar to fullchain in letsencrypt). The order would be when copied/pasted to one file as:


in one single .crt file.

In my gitlab.rb it looks like this:

external_url ‘https://gitregistry.com.br
nginx [‘redirect_http_to_https’] = true
nginx [‘ssl_certificate’] = “/etc/ssl/certs/wildcard.com.br.cert”
nginx [‘ssl_certificate_key’] = “/etc/ssl/private/wildcard.com.br.key”

registry [‘enable’] = true
registry_external_url ‘https://gitregistry.com.br:8000
registry_nginx [‘ssl_certificate’] = “/etc/ssl/certs/wildcard.com.br.cert”
registry_nginx [‘ssl_certificate_key’] = “/etc/ssl/private/wildcard.com.br.key”

Do you any idea?

When you purchased wildcard certificate, you have the wildcard.crt but you must combine the CA certificate and the intermediate certificate in one file. Eg:

cat wildcard.com.br.cert ca.cert intermediate.cert > wildcard.com.br.crt

then in gitlab.rb replace wildcard.com.br.cert with wildcard.com.br.crt because this must be the full chain. If you are still unsure, please go to the site where you purchased the certificate and follow their instructions on how to configure certificate chains.

You probably only added the wildcard certificate without the chain, and this is why you get errors for unknown authority, because of missing CA and intermediate certificate.

I run this, cat wildcard.com.br.cert intermediate-chain-icpedu.pem > wildcard.com.br.crt
But I still have the same problem

Hello Iwalker, thank you very much for your help, I revolved by going to SSL certificates chain resolver - Get your certificate chain right | LeaderSSL I pasted my certificate and it generated the .crt I added on the server and it worked normally.

1 Like