Convox Community

Certificate problem during build

I just did a clean install of my local rack, and I’m getting this error during a build:

Packaging source... OK
Uploading source... OK
Starting build... OK
Authenticating registry.convox/server-test: Error response from daemon: Get https://registry.convox/v2/: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca.convox")

(Mac, Docker Desktop edge 2.1.0.0, CLI and rack 20190717145705)

What’s weird is that curl seems to accept the certificate:

curl -vv https://registry.convox/v2/

*   Trying 0.0.0.0...
* TCP_NODELAY set
* Connected to registry.convox (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=convox; CN=registry.convox
*  start date: Jul 30 23:16:57 2019 GMT
*  expire date: Jul 29 23:16:57 2020 GMT
*  subjectAltName: host "registry.convox" matched cert's "registry.convox"
*  issuer: O=convox; CN=ca.convox
*  SSL certificate verify ok.
> GET /v2/ HTTP/1.1
> Host: registry.convox
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Length: 2
< Content-Type: application/json; charset=utf-8
< Date: Tue, 30 Jul 2019 23:23:53 GMT
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< 
* Connection #0 to host registry.convox left intact

I’m not quite sure how this cert authority is handled locally. Do I need to add it to the Keychain?

It’s working today. Must have been a fluke. /shrug