docker,

Docker and 'x509: certificate has expired or is not yet valid' error

Jul 21, 2022 · 2 mins read · 33 views · Post a comment

It’s been a while since I’ve encountered any issues and errors related to Docker. It has to do with one of two things. Docker became more stable, or I’m not spending time on it as I was before. Either way, here’s the error I’ve faced this week when I was trying to pull any image from the official Docker repository:

docker: Error response from daemon: Get "https://registry-1.docker.io/v2/":
x509: certificate has expired or is not yet valid: current time 2022-07-14T10:26:26Z is after 2015-12-06T00:00:00Z.

Prerequisites

  • Docker
  • sudo privileges

Solution(s)

It might sound strange, but don’t bother with any certificates yet. At first, try the following solutions:

Solution 1.

Restart the Docker service.

sudo systemctl restart docker

Solution 2.

Update Docker Engine version.

Solution 3.

Reboot the instance.

Solution 4.

Flush the DNS cache.

Solution 5.

This one worked for me tho. It was the damn HTTP/S proxies. If your machine is sitting behind a proxy, try to disable it. In my case, I had to temp remove the http-proxy.conf file from /etc/systemd/system/docker.service.d/ dir.
Example http-proxy.conf file:

[Service]
Environment="HTTP_PROXY=http://<IP>:<PORT>/"
Environment="HTTPS_PROXY=http://<IP>:<PORT>/"

Note(s): Make sure the HTTPS_PROXY starts with http:// too!

Solution 6.

Step 1. Reset the list of trusted CA certificates.

  • RHEL/CentOS steps listed here.
  • Ubuntu: sudo update-ca-certificates -f

Step 2. sudo systemctl restart docker

Bad practice solutions

A few lists of bad practices.

time and date

Don’t update the time and date of the host machine to match the certificate. But, if you are running Docker on a VM, ensure your VM’s system time and date match with your host respectively.

insecure-registries

Don’t try to include:

{
  "insecure-registries" : [ "0.0.0.0/0" ]
}

as part of the /etc/docker/daemon.json file. It allows unencrypted communication thus introduces security risks. In addition, it won’t fix your error since it’s related to a Docker host cert rather than a registry cert.

Conclusion

Tried everything and nothing works? Let me know in the comment section below. On a side note, follow our official channel on Telegram.