Seeing Error "x509: certificate signed by unknown authority" when Scanning Registry Image in Prisma Cloud

Created On 04/25/22 09:28 AM - Last Modified 03/02/23 02:43 AM


Symptom


  • The following error is seen when scanning a registry image:
Failed to pull image xxxxxxxreg/xxxxxxx:v1.0.0, error Error initializing source docker://registry.xxxxx/xxxxx/xxxxxxx:v1.0.0: error pinging docker registry registry.xxxxx: Get "https://registry.xxxxx/v2/": x509: certificate signed by unknown authority


Environment


  • Prisma Cloud Compute Enterprise Edition
  • Prisma Cloud Compute Self Hosted 
  • Containerd Runtime
  • CRI-O
Note: in Kepler (22.06+), /etc/containerd/certs.d/ was added to the default trusted certificate locations from which the Defender reads certificates for registry scan connections. When using Container Defender, these locations must still be mounted into the Defender pod/container.


Cause


  • Prisma Cloud Compute has not found the registry's CA certificate in any of the certificate paths it searches, so the TLS handshake to the registry fails with "certificate signed by unknown authority".
  • When using the containerd runtime, registry certificates are kept under /etc/containerd (certs.d) by default.
  • Prisma Cloud Compute does not discover registry certificates under /etc/containerd.
  • Until 22.01.xxx, Prisma Cloud Compute only searches /etc/containers/certs.d/$REGISTRY_NAME/ or /etc/docker/certs.d/$REGISTRY_NAME/, so a certificate placed only under /etc/containerd is never loaded.


Resolution


  • Create a directory for the registry on the Defender node (the host the Defender runs on):
/etc/containers/certs.d/$REGISTRY_NAME/ or /etc/docker/certs.d/$REGISTRY_NAME/
  • Note: from Kepler (22.06+), one more folder is supported:
/etc/containerd/certs.d/$REGISTRY_NAME/
  • $REGISTRY_NAME is the registry host name exactly as it appears in the registry URL (registry.xxxxx in the error above), including the port when the registry is reached on a non-default one, following the /etc/docker/certs.d convention.
  • Put the CA certificate that issued the registry's TLS certificate, in PEM format, inside the $REGISTRY_NAME folder.
  • The certificate file name doesn't matter, as long as the certificate is present in the registry folder.
  • For Container Defender, edit the Defender DaemonSet so the folders are mounted from the host into the Defender container. Example:
    • Command:
      kubectl edit ds -n twistlock twistlock-defender-ds
    • Under “volumeMounts:” add:
        - name: registry-scan
          mountPath: /etc/docker/certs.d
        - name: registry-scan2
          mountPath: /etc/containers/certs.d
        - name: registry-scan3
          mountPath: /etc/containerd/certs.d
    • Under “volumes:” add:
        - name: registry-scan
          hostPath:
            path: /etc/docker/certs.d
            type: ''
        - name: registry-scan2
          hostPath:
            path: /etc/containers/certs.d
            type: ''
        - name: registry-scan3
          hostPath:
            path: /etc/containerd/certs.d
            type: ''

NOTE : As of now, the above steps are the only applicable solution available for this issue.
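The resolution steps above as a script. This is an added example, not code from Palo Alto Networks or the Prisma Cloud product: it installs the registry CA into every directory the Defender searches, checks the result, optionally verifies that the CA really chains to the certificate the registry serves, and prints a strategic-merge patch equivalent to the kubectl edit steps. The optional third argument (a root prefix, default empty) and the Defender container name passed to daemonset_patch are assumptions of this example; look the container name up in your own DaemonSet.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' code). The "root" argument is a
# hypothetical prefix (default "") so the functions can be exercised against a
# scratch tree instead of the node's real /etc.
set -eu

# Directories Defender searches for $REGISTRY_NAME/<cert>; the containerd one needs Kepler (22.06+).
CERT_DIRS="/etc/docker/certs.d /etc/containers/certs.d /etc/containerd/certs.d"

# install_registry_ca <registry-host[:port]> <ca.pem> [root]
# The registry name must match the host (and port, if any) used in the registry URL.
install_registry_ca() {
  reg="$1"; ca="$2"; root="${3:-}"
  [ -s "$ca" ] || { echo "CA file '$ca' is missing or empty" >&2; return 1; }
  # Defender reads PEM; a DER-encoded .cer would sit there unused, so reject it up front.
  grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "'$ca' is not a PEM certificate" >&2; return 1; }
  for d in $CERT_DIRS; do
    dir="$root$d/$reg"
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.crt"     # file name is arbitrary; ca.crt follows the Docker convention
    chmod 0644 "$dir/ca.crt"
  done
}

# check_registry_ca <registry-host[:port]> [root]
# Prints one line per directory; succeeds only when every directory holds a PEM certificate.
check_registry_ca() {
  reg="$1"; root="${2:-}"; missing=0
  for d in $CERT_DIRS; do
    dir="$root$d/$reg"
    if grep -qs 'BEGIN CERTIFICATE' "$dir"/*; then
      echo "ok       $dir"
    else
      echo "missing  $dir"; missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# verify_registry_ca <registry-host[:port]> <ca.pem>
# Network check (not part of the offline usage below): fetch the chain the registry
# actually serves and verify it against the CA file. If this fails, the CA file is
# the wrong one and copying it into certs.d will not fix the x509 error.
verify_registry_ca() {
  reg="$1"; ca="$2"
  host="${reg%%:*}"
  case "$reg" in *:*) port="${reg##*:}" ;; *) port=443 ;; esac
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > /tmp/registry-chain.pem
  openssl verify -CAfile "$ca" -untrusted /tmp/registry-chain.pem /tmp/registry-chain.pem
}

# daemonset_patch <defender-container-name>
# Strategic-merge patch for the Defender DaemonSet; volumeMounts merge by mountPath
# and volumes by name, so re-applying it is harmless. Find the container name with:
#   kubectl get ds -n twistlock twistlock-defender-ds -o jsonpath='{.spec.template.spec.containers[*].name}'
daemonset_patch() {
  container="$1"
  cat <<EOF
spec:
  template:
    spec:
      containers:
      - name: $container
        volumeMounts:
        - name: registry-scan
          mountPath: /etc/docker/certs.d
        - name: registry-scan2
          mountPath: /etc/containers/certs.d
        - name: registry-scan3
          mountPath: /etc/containerd/certs.d
      volumes:
      - name: registry-scan
        hostPath: { path: /etc/docker/certs.d, type: '' }
      - name: registry-scan2
        hostPath: { path: /etc/containers/certs.d, type: '' }
      - name: registry-scan3
        hostPath: { path: /etc/containerd/certs.d, type: '' }
EOF
}

# Usage: sh registry-ca.sh <registry-host[:port]> <ca.pem> [root]
if [ "$#" -ge 2 ]; then
  install_registry_ca "$1" "$2" "${3:-}"
  check_registry_ca "$1" "${3:-}"
fi
```

Run it on each Defender node, then apply the patch once with kubectl patch ds -n twistlock twistlock-defender-ds --type strategic --patch-file patch.yaml, where patch.yaml is the output of daemonset_patch. Kubernetes restarts the Defender pods, which then read the mounted certs.d directories on the next registry scan.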


Additional Information


Configuring Registry Scan

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNgjCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
