Coder logo

Image registry

When configuring Coder to use a local image registry in an air-gapped network, you may encounter an error similar to the following:

An error occurred while submitting

unable to ping registry for 'new transport: Get "https://registry-url.org": x509:
certificate signed by unknown authority

Why this happens

The local registry you are configuring is expecting a valid certificate to authenticate the connection with Coder. You will receive this error if:

  • You do not have a certificate configured
  • There is an issue with the certificate itself

Coder uses Docker's Registry 2.0 implementation, which supports self-signed certificates and assumes that the protocol you're using will be HTTPS.

Troubleshooting steps

  • If you haven't created the local registry, and you haven't generated the self-signed certificate, please see our documentation on setting these up.

  • Check to see if your registry.crt file is stored in the correct location on each of your Kubernetes nodes. Depending upon your Linux distribution and container runtime, it may be in any of the following locations:

    /usr/local/share/ca-certificates/registry.crt
    /etc/docker/certs.d/${REGISTRY_DOMAIN_NAME}/ca.crt
    /etc/ssl/certs/registry.crt
    /etc/pki/tls/registry.crt
    
  • If your cluster uses containerd, ensure the following patch has been applied to the /etc/containerd/config.toml file:

    [plugins."io.containerd.grpc.v1.cri".registry.configs."$REGISTRY_DOMAIN_NAME".tls]
      insecure_skip_verify = true
    

Ensure that you've created the self-signed certificate secret in your Kubernetes cluster:

kubectl -n coder get secret local-registry-cert -o yaml

If none of these steps resolve the issue, please contact us for further support.