To trust a self-signed certificate from a Docker Trusted Registry (DTR), you need to place the
certificate in the appropriate location on all cluster nodes and restart the Docker daemon. There are
two possible locations for the certificate, depending on your OS and Docker version1:
•/etc/docker/certs.d/dtr.example.com/ca.crt: This is the preferred location for Linux systems and
Docker versions 1.13 and higher. This directory is scanned by Docker for certificates and keys for each
registry domain2.
•Your OS certificate path: This is the fallback location for other OSes and Docker versions. You need
to find the certificate store for your OS and copy the certificate there. You also need to trust the
certificate system-wide, which may require additional steps depending on your OS3.
The other options are not correct because:
•Passing '-trust-certificate ca.crt to the Docker client is not a valid option. There is no such flag for the
Docker client4.
•Placing the certificate in ‘/etc/docker/dtr/dtr.example.com.crt’ is not a valid location. The certificate
should be in the /etc/docker/certs.d directory, not the /etc/docker/dtr directory1.
•Passing – insecure-registry to the Docker client is not a recommended option. This flag disables the
TLS verification for the registry, which makes the communication insecure and vulnerable to attacks.
Reference:
•Use self-signed certificates | Docker Docs
•Test an insecure registry | Docker Docs
•Add TLS certificates as a trusted root authority to the host OS | Docker Docs
•docker | Docker Docs
•[Deploy a registry server | Docker Docs]
