X509 parsing error, 'negative serial number' while pulling repository

Our server accesses the internet through a proxy. When I try to run a pull command such as

sudo docker run -t -i ubuntu:14.04 /bin/bash

I get the below error:

    Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse
    certificate from server: x509: negative serial number
    

The wget command wget -S -d -O - https://get.docker.io yields the below output:

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.

    URI encoding = `UTF-8'
    URI encoding = `UTF-8'
    --2014-08-27 17:13:46--  https://get.docker.io/
    Connecting to :… connected.
    Created socket 3.
    Releasing 0x00000000016829f0 (new refcount 0).
    Deleting unused 0x00000000016829f0.

    ---request begin---
    CONNECT get.docker.io:443 HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==

    ---request end---
    proxy responded with: [HTTP/1.1 200 Connection established
    Date: Wed, 27 Aug 2014 11:49:52 GMT
    Age: 0
    Via: 1.0 xaahshshhds

    ]
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
    certificate:
      subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
      issuer:  /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
    ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
      Unable to locally verify the issuer's authority.
    To connect to get.docker.io insecurely, use `--no-check-certificate'.
    Closed 3/SSL 0x00000000016831c0

Please give me some directions on how I should go about this issue.

EDIT:

I've now disabled the proxy for this IP segment but I still get the same error.
The command: wget -S -d -O - https://get.docker.io gets the below output now:

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.
    
    URI encoding = `UTF-8'
    --2014-09-04 11:26:12--  https://get.docker.io/
    Resolving get.docker.io (get.docker.io)... 162.242.195.77
    Caching get.docker.io => 162.242.195.77
    Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
    Created socket 3.
    Releasing 0x00000000022d8fd0 (new refcount 1).
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
    certificate:
      subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
      issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    X509 certificate successfully verified and matches host get.docker.io
    
    ---request begin---
    GET / HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Accept: */*
    Host: get.docker.io
    Connection: Keep-Alive
    
    ---request end---
    HTTP request sent, awaiting response...
    ---response begin---
    HTTP/1.1 503 Service Unavailable
    Server: nginx/1.7.1
    Date: Thu, 04 Sep 2014 06:03:28 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache
    
    ---response end---
    
      HTTP/1.1 503 Service Unavailable
      Server: nginx/1.7.1
      Date: Thu, 04 Sep 2014 06:03:28 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Cache-Control: no-cache
    Registered socket 3 for persistent reuse.
    Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>
    
    ] done.
    2014-09-04 11:26:13 ERROR 503: Service Unavailable.
    

One solution collected from the web for “X509 parsing error, 'negative serial number' while pulling repository”

    subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 
    issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
    

It looks like the proxy in your company uses SSL interception to inspect SSL traffic, which means that you get a certificate signed by the proxy CA of your company instead of the original certificate. It also looks like this proxy CA is not trusted by your system and thus the verification fails.

I would recommend that you contact your firewall administrator on how to deal with the problem. Either they will add an exception for the SSL inspection, or they will tell you which certificate you need to import as trusted in your system.
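Added example (not part of the original answer and not Docker's code): the error in the title is raised by Go's certificate parser, which refuses a serialNumber whose DER INTEGER decodes as negative, that is, whose first content byte has the high bit set. The sketch below reads the serial from a PEM or DER certificate, for instance one saved from the proxy's handshake, so the offending certificate can be shown to the firewall administrator. `SerialOf`, `ErrNegativeSerial` and the two sample byte strings are names and constructed data made up for illustration.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// Leading fields of an RFC 5280 TBSCertificate; later fields are ignored.
type tbsHead struct {
	Version int `asn1:"optional,explicit,default:0,tag:0"`
	Serial  *big.Int
}

type certHead struct{ TBS tbsHead }

var ErrNegativeSerial = errors.New("negative serial number")

// Constructed samples, not real certificates: just version + serialNumber.
var (
	negSample = []byte{0x30, 0x0b, 0x30, 0x09, 0xa0, 0x03, 0x02, 0x01, 0x02,
		0x02, 0x02, 0x80, 0x01} // INTEGER 80 01: high bit set, negative
	posSample = []byte{0x30, 0x0c, 0x30, 0x0a, 0xa0, 0x03, 0x02, 0x01, 0x02,
		0x02, 0x03, 0x00, 0x80, 0x01} // INTEGER 00 80 01: leading zero, positive
)

// SerialOf reads serialNumber from a PEM or DER certificate without
// crypto/x509, so it still works on certificates that parser rejects.
func SerialOf(data []byte) (*big.Int, error) {
	if blk, _ := pem.Decode(data); blk != nil {
		data = blk.Bytes
	}
	var c certHead
	if _, err := asn1.Unmarshal(data, &c); err != nil {
		return nil, fmt.Errorf("not a DER certificate: %w", err)
	}
	if c.TBS.Serial.Sign() < 0 {
		return c.TBS.Serial, ErrNegativeSerial
	}
	return c.TBS.Serial, nil
}

func main() {
	for _, der := range [][]byte{negSample, posSample} {
		n, err := SerialOf(der)
		fmt.Printf("serial=%v err=%v\n", n, err)
	}
}
```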
