故障现象:公司测试环境一台CentOS 7.3 服务器拉取开源镜像 rancher/gitjob:v0.1.15 失败,但是同一网络下的 CentOS 7.6 拉取镜像就可以。

完整错误日志

error pulling image configuration: x509: certificate has expired or is not yet valid_证书过期

解决流程

1,百度了一圈都是99%文档说是时间不同步,确认时间是OK后也拉取失败;

2,排除网络差异,最大的区别就是系统问题

3,google 关键词 “error pulling image configuration:  x509: certificate has expired or is not yet valid”

https://github.com/moby/moby/issues/4507 回帖中找到答案,原因是本地证书过期。

openssl查看本地证书 2019年就过期了

error pulling image configuration: x509: certificate has expired or is not yet valid_证书过期_02


完整解决命令

cd /etc/pki/tls/certs/ 
cp ca-bundle.crt{,.orig} 
wget https://curl.se/ca/cacert.pem --no-check-certificate -O ca-bundle.crt

重启docker,重新拉取镜像成功

error pulling image configuration: x509: certificate has expired or is not yet valid_bundle_03

当前证书有效期:2028年

error pulling image configuration: x509: certificate has expired or is not yet valid_CentOS_04