X509 parsing error, 'negative serial number' while pulling repository

Our server accesses the internet through a proxy. When I try to run a pull command such as

sudo docker run -t -i ubuntu:14.04 /bin/bash

I get the below error:

    Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse certificate from server: x509: negative serial number
    

    The wget command wget -S -d -O - https://get.docker.io yields the below output:

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.

    URI encoding = `UTF-8'
    --2014-08-27 17:13:46--  https://get.docker.io/
    Connecting to :… connected.
    Created socket 3.
    Releasing 0x00000000016829f0 (new refcount 0).
    Deleting unused 0x00000000016829f0.

    ---request begin---
    CONNECT get.docker.io:443 HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==

    ---request end---
    proxy responded with: [HTTP/1.1 200 Connection established
    Date: Wed, 27 Aug 2014 11:49:52 GMT
    Age: 0
    Via: 1.0 xaahshshhds

    ]
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
    certificate:
      subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
      issuer:  /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
    ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
      Unable to locally verify the issuer's authority.
    To connect to get.docker.io insecurely, use `--no-check-certificate'.
    Closed 3/SSL 0x00000000016831c0

    Please give me some directions on how I should go about this issue.

    EDIT:

    I've now disabled the proxy for this IP segment but I still get the same error.
    The command: wget -S -d -O - https://get.docker.io gets the below output now:

    Setting --output-document (outputdocument) to -
    DEBUG output created by Wget 1.13.4 on linux-gnu.
    
    URI encoding = `UTF-8'
    --2014-09-04 11:26:12--  https://get.docker.io/
    Resolving get.docker.io (get.docker.io)... 162.242.195.77
    Caching get.docker.io => 162.242.195.77
    Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
    Created socket 3.
    Releasing 0x00000000022d8fd0 (new refcount 1).
    Initiating SSL handshake.
    Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
    certificate:
      subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
      issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    X509 certificate successfully verified and matches host get.docker.io
    
    ---request begin---
    GET / HTTP/1.1
    User-Agent: Wget/1.13.4 (linux-gnu)
    Accept: */*
    Host: get.docker.io
    Connection: Keep-Alive
    
    ---request end---
    HTTP request sent, awaiting response...
    ---response begin---
    HTTP/1.1 503 Service Unavailable
    Server: nginx/1.7.1
    Date: Thu, 04 Sep 2014 06:03:28 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: no-cache
    
    ---response end---
    
      HTTP/1.1 503 Service Unavailable
      Server: nginx/1.7.1
      Date: Thu, 04 Sep 2014 06:03:28 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      Cache-Control: no-cache
    Registered socket 3 for persistent reuse.
    Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>
    
    ] done.
    2014-09-04 11:26:13 ERROR 503: Service Unavailable.
    

One solution collected from the web for “X509 parsing error, 'negative serial number' while pulling repository”:

    subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 
    issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
    

    It looks like the proxy in your company uses SSL interception to inspect SSL traffic, which means that you get a certificate signed by the proxy CA of your company instead of the original certificate. It also looks like this proxy CA is not trusted by your system and thus the verification fails.

    I would recommend that you contact your firewall administrator on how to deal with the problem. Either they will add an exception for the SSL inspection, or they will tell you which certificate you need to import as trusted in your system.
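Added example, not part of the original question or answer: the Docker client error quoted in the question is a parse failure on the certificate's serialNumber field, which is a separate check from the trust failure wget reports. This Go sketch decodes that field from DER and flags a negative value; `CheckSerial`, the struct names and both byte samples are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// Leading fields of an X.509 tbsCertificate (RFC 5280, section 4.1).
type tbsPrefix struct {
	Version int `asn1:"optional,explicit,default:0,tag:0"`
	Serial  *big.Int
}

// Outer Certificate SEQUENCE; only its first element is inspected.
type certPrefix struct {
	TBS tbsPrefix
}

var ErrNegativeSerial = errors.New("negative serial number")

// CheckSerial decodes the serialNumber INTEGER from DER bytes and returns
// ErrNegativeSerial when its two's-complement value is below zero.
func CheckSerial(der []byte) (*big.Int, error) {
	var c certPrefix
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, fmt.Errorf("not a DER certificate: %w", err)
	}
	if c.TBS.Serial.Sign() < 0 {
		return c.TBS.Serial, ErrNegativeSerial
	}
	return c.TBS.Serial, nil
}

// Constructed samples (not captured from any server): the outer SEQUENCE
// and tbsCertificate cut down to the version and serialNumber fields.
var (
	// Serial bytes 00 80 01: the leading 00 keeps the value positive (32769).
	positiveSample = []byte{0x30, 0x0c, 0x30, 0x0a, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x00, 0x80, 0x01}
	// Serial bytes 80 01: the high bit is set, so DER reads it as -32767.
	negativeSample = []byte{0x30, 0x0b, 0x30, 0x09, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x80, 0x01}
)

func main() {
	for _, sample := range [][]byte{positiveSample, negativeSample} {
		n, err := CheckSerial(sample)
		fmt.Println(n, err)
	}
}
```

To check the certificate a proxy actually presents, pass its DER bytes; for a PEM file those are the `Bytes` of the block returned by `pem.Decode`.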
