Docker unable to pull images

dockernetworking

On running the docker command, I get following error:

docker run hello-world

Pulling repository docker.io/library/hello-world
docker: Network timed out while trying to connect to https://index.docker.io/v1/repositories/library/hello-world/images. You may want to check your internet connection or if you are behind a proxy..

I am getting following CURL output:

 curl -v https://index.docker.io
* Rebuilt URL to: https://index.docker.io/
* Hostname was NOT found in DNS cache
*   Trying 54.152.78.181...
* Connected to index.docker.io (54.152.78.181) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):


* Unknown SSL protocol error in connection to index.docker.io:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to index.docker.io:443

So how will i pull my machines now?

Now getting following message:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
03f4658f8b78: Downloading
a3ed95caeb02: Downloading
docker: x509: certificate signed by unknown authority.

Update(obfuscated keys):

running following command gives output:

~$ openssl s_client -connect index.docker.io:443
CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIDAyF3MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEUMBIGA1UEAwwLKi5kb2NrZXIuaW8wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRyme75dbw9AxWZ8QFCwMWrrYY
SclZ6HCiEbxSNxHgg08rEfEYi46VrL+joBwlA0t5WIIxHF198NzzdXC4YeGzruY9
7osv5lPrcdeIi+Ad+fY6K0rBBOB3xdqSPPObrINZpDmWhCQjlsnM6a1Th0oSUCjI
345b84/8PH363YO+Qmnl8BWnaTcZoPzeywM9czQsMyF2bOH+dhxja/zim6iu8W34
yBhVQeQRd1QROuHcsQAX19DKTn6TXaAwIBY3xM1Bi5Zl6tueII4dOEoibw/ImR3c
H73Pk7j1Wx+rAXeeq7LwjkUCCSlKNrHFEQ2nbr0R7FH6cck1ppgM8ud1pHr9AgMB
AAGjggFOMIIBSjAfBgNVHSMEGDAWgBTDnPP800YINLvORn+gfFvz4gjLWTBXBggr
BgEFBQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9ndi5zeW1jZC5jb20wJgYI
KwYBBQUHMAKGGmh0dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3J0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIQYDVR0RBBowGIIL
Ki5kb2NrZXIuaW+CCWRvY2tlci5pbzArBgNVHR8EJDAiMCCgHqAchhpodHRwOi8v
Z3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMBAf8EAjAAMEEGA1UdIAQ6MDgwNgYG
Z4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9s
ZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEATYgwOYz/w9Qyh/YPZQDZ0BdwhkX6OCX0
Mz8pP/OO+E+1RM7ZoAGwHvIaidFqh3WeCLHjGO2IId7Ff5EZUwZhiwog0R7Y838x
OCLza/2shuvjM/FPiyXDQ6q0w4rvpwsNjmYVDdYD8bCH3b8IlO2ysjgdhRYprsdU
jg6h+zK11/tXf6S5vegrgV0F62DYx0tuTTZq/HMuXvbgY2uL1sQ5jiHlzQndV9oL
YMYqJP5MkuAKzDL5u0b8mD/EHtoPkfWOIsA5i9YrAAoWRVOJHwfFfgSY+EpXpFc4
AZUPmdZGh6q1YNavRoOL/1D5aP/VBBtofj54uMbKOK8q6vxIXSyzaw==
-----END CERTIFICATE-----
subject=/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2914 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 111E09F815E121C7EA7E7FD0C07C4AC31FFDE4E13AD9BA926AFF03A2E267130C
    Session-ID-ctx:
    Master-Key: 78A4ABC11BFCCA245F4B3FE8BDA0C0BC3A10D3E9BB447838B06D8BB16DA1553DBBCBFE03408AF34FB7D0CA5E3E7E8D40
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 57 92 4f 5c a0 41 ab d9-62 2c b1 05 66 b5 bc 79   W.O\.A..b,..f..y
    0010 - c8 32 a1 b0 f3 df 3d e7-c8 8d 0b 62 b2 6f 2b 99   .2....=....b.o+.
    0020 - 80 e1 60 73 19 67 bd c5-bf 4c 61 26 ca 3c 4d bd   ..`s.g...La&.i...
    0090 - ea ca 71 3e 9a 64 e8 23-dc f6 77 b4 6a 59 ac cd   ..q>.d.#..w.jY..
    Start Time: 1456385623
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

I tried following commands but in vain:

sudo update-ca-certificates
sudo service docker restart

Also following command results:

# update-ca-certificates

Updating certificates in /etc/ssl/certs... unable to load certificate
140587866932896:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140365960205984:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
WARNING: Skipping duplicate certificate cacerthaxx.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
4 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@Data-Server:~# update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... unable to load certificate
140706921281184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
unable to load certificate
139841225197216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
WARNING: Skipping duplicate certificate cacerthaxx.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate UbuntuOne-Go_Daddy_Class_2_CA.pem
177 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

related : https://github.com/docker/docker/issues/10150

Best Answer

  • Could be just a flaky connection. Both https://index.docker.io/v1/repositories/library/hello-world/images and https://index.docker.io works for me.

    $  curl -v https://index.docker.io
    * Rebuilt URL to: https://index.docker.io/
    *   Trying 54.152.78.181...
    * Connected to index.docker.io (54.152.78.181) port 443 (#0)
    * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * Server certificate: *.docker.io
    * Server certificate: RapidSSL SHA256 CA - G3
    * Server certificate: GeoTrust Global CA
    > GET / HTTP/1.1
    > Host: index.docker.io
    > User-Agent: curl/7.43.0
    > Accept: */*
    > 
    < HTTP/1.1 301 MOVED PERMANENTLY
    < Server: nginx/1.6.2
    < Date: Thu, 25 Feb 2016 07:17:55 GMT
    < Content-Type: text/html; charset=utf-8
    < Transfer-Encoding: chunked
    < X-Frame-Options: SAMEORIGIN
    < Location: https://registry.hub.docker.com/
    < Strict-Transport-Security: max-age=31536000
    < 
    * Connection #0 to host index.docker.io left intact
    

    You can try checking your SSL connection

    $ openssl s_client -connect index.docker.io:443

  • Related Question