If you get this message when you are using Docker on Synology Diskstation and try to download an image from the Docker Registry, then you might find this solution useful.
At first, not knowing why it failed, I tried downloading the image via the SSH console. I enabled SSH access, ssh’d into the NAS, then ran:
sudo docker login
sudo docker pull jacobalberty/unifi:latest
Even with the --disable-content-trust param, it would give the following message:
sudo docker pull jacobalberty/unifi:latest
latest: Pulling from jacobalberty/unifi
17d0386c2fff: Pulling fs layer
..
4f4fb700ef54: Waiting
error pulling image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/7a/7ae1b8..": x509: certificate has expired or is not yet valid: current time 2024-04-17T20:13:33+03:00 is after 2021-09-30T14:01:15Z
So now we know a reason why the download might also fail from the DSM interface.
But whose certificate is bad here?
Checking
ls /etc/ssl/certs/ -lath
shows that all certificate files have a file date of 2019.
Checking
openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text -noout
shows validity until 2030... but is this check enough?
Checking:
wget -S -d -O - https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/7a/7ae1b8488662d37df96bfdf416455fb827498140769f772d84b5180f81bc2/data?verify=1713385118-0tV30u2s04swnY1JwriARHlApvI%3D
Debugging support not compiled in. Ignoring --debug flag.
--2024-04-17 22:30:35--  https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/7a/7ae1b8488662d37df96bfdf416455fb827498140769f772d84b5180f81bc2/data?verify=1713385118-0tV30u2s04swnY1JwriARHlApvI%3D
Resolving production.cloudflare.docker.com... 104.16.101.215, 104.16.99.215, 104.16.97.215, ...
Connecting to production.cloudflare.docker.com|104.16.101.215|:443... connected.
ERROR: cannot verify production.cloudflare.docker.com's certificate, issued by 'CN=E1,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to production.cloudflare.docker.com insecurely, use '--no-check-certificate'.
makes it seem that the Cloudflare certificate is at fault. But even if the above checks hint at that, the issue is still on our side, as I found it working after the next steps.
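On the question of whether the openssl x509 check above is enough: openssl x509 reads only the first certificate in a file, so it says nothing about the other entries in ca-certificates.crt. The following is an added example, not part of the original post, that splits a bundle and reports the expiry of every entry using openssl x509 -checkend; the function names and the script name audit.sh are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry of every
# certificate in a PEM bundle instead of only the first one.

# split_bundle BUNDLE DIR: write each certificate to DIR/NNNNN.pem and
# print how many were found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%05d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# audit_bundle BUNDLE [SECONDS]: print STATUS<TAB>notAfter<TAB>subject for
# each certificate. STATUS is EXPIRED when the certificate is not valid
# SECONDS from now (default 0, i.e. expired already). Returns 1 if any
# entry is EXPIRED or UNREADABLE.
audit_bundle() {
    bundle=$1 window=${2:-0} rc=0
    [ -r "$bundle" ] || return 2
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp" >/dev/null
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        if ! end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null); then
            printf 'UNREADABLE\t-\t%s\n' "${pem##*/}"; rc=1; continue
        fi
        subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRED rc=1
        fi
        printf '%s\t%s\t%s\n' "$status" "${end#notAfter=}" "$subj"
    done
    rm -rf "$tmp"
    return "$rc"
}

# Run against a bundle given on the command line, e.g. (audit.sh is a
# hypothetical file name for this script):
#   sh audit.sh /etc/ssl/certs/ca-certificates.crt | grep -v '^OK'
if [ $# -gt 0 ]; then audit_bundle "$@"; fi
```

Running it against /etc/ssl/certs/ca-certificates.crt before and after the bundle is replaced shows which trust anchors were stale and confirms the merged file parses cleanly.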
The rest of the solution was hinted by this Synology forum post: https://community.synology.com/enu/forum/1/post/136429
Solution: steps to update the CA certificate bundle on Synology to be able to pull Docker images from Docker Hub
1. Download latest certificate bundle from https://curl.se/docs/caextract.html
Let’s say it will be cacert-2024-03-11.pem
2. Using Files in the web UI of diskstation, upload the downloaded file to a folder on the NAS
3. Enable SSH / open ssh session
4. Copy the file from /volume1/yourfolder/ to /etc/ssl/certs/
5. Run these commands:
cat /etc.defaults/ssl/certs/ca-certificates.crt /etc/ssl/certs/cacert-2024-03-11.pem > /volume1/yourfolder/new.crt
sudo cp /volume1/yourfolder/new.crt /etc/ssl/certs/ca-certificates.crt
sudo ln -s /etc/ssl/certs/cacert-2024-03-11.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/cacert-2024-03-11.pem`.1
ll /etc/ssl/certs/.1
lrwxrwxrwx 1 root root 36 Apr 17 23:08 /etc/ssl/certs/.1 -> /etc/ssl/certs/cacert-2024-03-11.pem
6. Restart Diskstation
7. You can now use either Docker Registry to download images or ssh docker pull
Thank you, you saved me.
The real solution!
I am still using my xpenology of dsm 6.2.1. I encountered the same problem (certificate) yesterday when I wanted to update the docker image.
After searching for a long time, I suddenly realized that I just need to export the image on 7.2.1 and then import it to my old 6.2.1. And because of my obsessive-compulsive disorder, I also pulled it again and the introduction was displayed perfectly