CentOS: Let's Encrypt certificates fail because the system's trusted root bundle is out of date

HTML  2025-04-10 10:45

The host runs an old CentOS 7 installation.

Sites that use Let's Encrypt certificates became unreachable from it. For example, Docker Hub serves image layers through a Cloudflare-hosted endpoint (production.cloudflare.docker.com), and the old trust bundle cannot verify that endpoint's certificate chain, so docker pull fails:

ab012f07497a: Waiting 
e0979c892644: Waiting 
error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/6a/6aedcda31f51881fd13e67674d84cd6661e278547dc7b23602672fb5a1f76ee4/data?expires=1744254640&signature=S%2BTo9ZcvNHuuweoW7qCirv%2Fe9Uo%3D&version=2: x509: certificate signed by unknown authority
[root@13 ~]# curl -v https://xxx
* About to connect() to xxx port 443 (#0)
*   Trying xxx...
* Connected to xxx (xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=xxx
* 	start date: Apr 08 18:01:56 2025 GMT
* 	expire date: Jul 07 18:01:55 2025 GMT
* 	common name: xxx
* 	issuer: CN=R11,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

Investigation showed that the cause is the system's trusted root certificates, which are badly out of date. The server certificate above is issued by the Let's Encrypt intermediate R11, which chains to ISRG Root X1. ISRG Root X1 was added to the Mozilla root store in 2016, so a 2015 bundle does not contain it, and the older cross-signed path through DST Root CA X3 expired on 30 September 2021. NSS therefore finds no trusted issuer and reports SEC_ERROR_UNKNOWN_ISSUER; Docker (Go's crypto/x509) reports the same condition as "certificate signed by unknown authority".

The fix is to update the ca-certificates package. Updating it regenerates the system trust store automatically. Note that CentOS 7 reached end of life on 30 June 2024 and its packages moved to vault.centos.org; if yum can no longer reach a mirror, point the repo files at the vault first.

Check the installed version

1. Debian/Ubuntu
# Show the installed version
dpkg -l ca-certificates | grep ^ii

# Or extract just the version string
dpkg-query -W -f='${Version}' ca-certificates

2. CentOS/RHEL
# Show the installed version
rpm -q ca-certificates

# Or query yum for installed and available versions
yum info ca-certificates | grep -E "Name|Version" 
[root@13 ~]# yum info ca-certificates
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Determining fastest mirrors
 * elrepo-kernel: mirror.fcix.net
 * epel: irltoolkit.mm.fcix.net
Installed Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2015.2.6
Release     : 73.el7
Size        : 1.1 M
Repo        : installed
From repo   : anaconda
Summary     : The Mozilla CA root certificate bundle
URL         : http://www.mozilla.org/
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.

Available Packages
Name        : ca-certificates
Arch        : noarch
Version     : 2022.2.54
Release     : 74.el7_9
Size        : 911 k
Repo        : updates/7/x86_64
Summary     : The Mozilla CA root certificate bundle
URL         : http://www.mozilla.org/
License     : Public Domain
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.

The installed version is from 2015 (2015.2.6-73.el7), while 2022.2.54-74.el7_9 is available from the updates repository.

Update ca-certificates

# Debian/Ubuntu
sudo apt update && sudo apt install --reinstall ca-certificates

# CentOS/RHEL
sudo yum update ca-certificates

# Fedora
sudo dnf update ca-certificates

# Alpine Linux
sudo apk update && sudo apk add ca-certificates

After the update, TLS connections should work again. If they do not, regenerate the trust store by hand:

update-ca-trust
update-ca-trust force-enable
update-ca-trust extract

On CentOS 7, update-ca-trust alone is equivalent to update-ca-trust extract and rebuilds /etc/pki/tls/certs/ca-bundle.crt from /etc/pki/ca-trust/; force-enable only matters on older systems (RHEL 6) where the consolidated trust store is not enabled by default. Confirm the result with curl -v against the failing host: the NSS SEC_ERROR_UNKNOWN_ISSUER line should be gone.

The Docker daemon must be restarted (systemctl restart docker) before the change takes effect: Go loads the system root pool once and caches it, so a running dockerd keeps using the old bundle.
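As an added check for this procedure (this script is not from the original post), the following distinguishes "the root bundle predates ISRG Root X1" from other TLS failures, and can be run before and after the update. It assumes the p11-kit pem-bundle layout used on CentOS 7, where each certificate in /etc/pki/tls/certs/ca-bundle.crt is preceded by a "# <CA label>" comment line; the CA_BUNDLE variable, the function names and the check/live subcommands are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original article): classify a CA bundle and,
# after `yum update ca-certificates`, verify a live endpoint against it.
#
# Assumption: the bundle is in p11-kit "pem-bundle" layout, as produced by
# update-ca-trust on CentOS 7, where every PEM block is preceded by a
# "# <CA label>" comment. Override the path with CA_BUNDLE=/path/to/bundle.

BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# count_certs FILE: print the number of PEM certificates in FILE (0 if unreadable).
# grep -c exits 1 when the count is 0, which would trip `set -e`, hence `|| true`.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# has_root FILE LABEL: succeed if FILE carries a certificate labelled LABEL.
has_root() {
    grep -q "^# $2\$" "$1" 2>/dev/null
}

# classify_bundle FILE: print one word and set the exit code accordingly.
#   ok            ISRG Root X1 present; current Let's Encrypt chains (e.g. R11)
#                 verify.                                             exit 0
#   missing-isrg  bundle predates ISRG Root X1 (Mozilla store, 2016);
#                 update ca-certificates.                             exit 1
#   empty         no certificates found (wrong path, or extract never ran)
#                                                                     exit 2
classify_bundle() {
    n=$(count_certs "$1")
    if [ "${n:-0}" -eq 0 ]; then
        echo empty
        return 2
    fi
    if has_root "$1" "ISRG Root X1"; then
        echo ok
        return 0
    fi
    echo missing-isrg
    return 1
}

# live_check HOST: validate a real endpoint against the bundle (needs network).
# "Verify return code: 0 (ok)" means the chain now validates; code 20
# (unable to get local issuer certificate) means the root is still missing.
live_check() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$BUNDLE" </dev/null 2>/dev/null \
        | grep -E 'issuer=|Verify return code'
}

case "${1:-}" in
    check) classify_bundle "$BUNDLE" ;;
    live)  live_check "${2:?host required}" ;;
esac
```

Run `sh ca-check.sh check` before and after the update; it should move from missing-isrg to ok. Then `sh ca-check.sh live <host>` shows the issuer chain and OpenSSL's verify result for the host that was failing.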


References:

CentOS 7: updating root certificates

"docker pull" certificate signed by unknown authority


Published 2025-04-10 10:45, last modified 2025-04-22 16:41