Contributing guidelines
- I've read the contributing guidelines and wholeheartedly agree
I've found a bug, and:
- The documentation does not mention anything about my problem
- There are no open or closed issues that are related to my problem
Description
I recently stood up Harbor to potentially replace a plain self-hosted Docker registry that was working with the docker build actions on self-hosted Gitea. Harbor's cert is using the same root CA as the working Docker registry.
I'm able to run equivalent docker buildx steps to build and push images to Harbor using the same buildkit version (v0.21).
There are a lot of moving parts here :) so I'm not sure where the problem is (including pilot error)
Expected behaviour
Login to Harbor succeeds, image builds and is pushed to registry successfully
Actual behaviour
Login to Harbor succeeds, and image builds but fails to push to registry:
ERROR: failed to solve: failed to push harbor.***.io/test/threadtest:latest: failed to authorize: failed to fetch oauth token: Post "https://harbor.***.io/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
Repository URL
private
Workflow run URL
private
YAML workflow
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
  with:
    config-inline: |
      debug = true
      [registry."fir.love.io:3005"]
        ca=["/etc/certs/ca.crt"]
      [registry."harbor.love.io"]
        ca=["/etc/certs/ca.crt"]
- name: Login to Harbor
  uses: docker/login-action@v3
  with:
    registry: harbor.love.io
    username: ${{ secrets.HARBOR_ROBOT }}
    password: ${{ secrets.HARBOR_SECRET }}
- name: Build and push
  uses: docker/build-push-action@v6
  with:
    context: ./Containers/threadtest
    file: ./Containers/threadtest/Dockerfile
    push: true
    #tags: fir.love.io:3005/threadtest:latest, fir.love.io:3005/test/threadtest:${{ github.run_number }}
    tags: harbor.love.io/test/threadtest:latest, harbor.love.io/test/threadtest:${{ github.run_number }}
    platforms: linux/amd64
Workflow logs
GitHub Actions runtime token ACs
Docker info
Proxy configuration
Buildx version
Builder info
[command]/usr/bin/docker buildx build --file ./Containers/threadtest/Dockerfile --iidfile /tmp/docker-actions-toolkit-ONriAt/build-iidfile-2f5c20f1dc.txt --platform linux/amd64 --attest type=provenance,mode=max,builder-id=http://fir.***.io:3000/CJLove/thread-playground/actions/runs/124/attempts/1 --tag harbor.***.io/test/threadtest:latest --tag harbor.***.io/test/threadtest:16 --metadata-file /tmp/docker-actions-toolkit-ONriAt/build-metadata-0f2d77b2a8.json --push ./Containers/threadtest
...
Dockerfile build steps elided
...
#8 exporting to image
#8 exporting layers
#8 exporting layers 3.1s done
#8 exporting manifest sha256:6cabbf5a6f392b27cca7ac6aab7fb71f83088911464607858ab9ea1b3e392296 done
#8 exporting config sha256:96e83991f20e6a1b719869ac5f8de08a16077701cfb7c5bd1e5f04b6680229bb done
#8 exporting attestation manifest sha256:60677a1c42ce0239825d4c30480f300bef14b7c93a89dbf694a4ddc4c527429a 0.0s done
#8 exporting manifest list sha256:e0c532dcd340bcce19fc20c466a81d9309b186269be78a2dbfe5bef44db6c68f 0.0s done
#8 pushing layers
#8 pushing layers 0.1s done
#8 ERROR: failed to push harbor.***.io/test/threadtest:latest: failed to authorize: failed to fetch oauth token: Post "https://harbor.***.io/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
#9 [auth] test/threadtest:pull,push token for harbor.***.io
#9 DONE 0.0s
#10 [auth] test/threadtest:pull,push token for harbor.***.io
#10 DONE 0.0s
------
> exporting to image:
------
ERROR: failed to solve: failed to push harbor.***.io/test/threadtest:latest: failed to authorize: failed to fetch oauth token: Post "https://harbor.***.io/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
Reference
Check build summary support
::error::buildx failed with: ERROR: failed to solve: failed to push harbor.***.io/test/threadtest:latest: failed to authorize: failed to fetch oauth token: Post "https://harbor.***.io/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
BuildKit logs
Additional info
Harbor logs while actions were running:
registry | 172.18.0.9 - - [24/May/2025:02:41:26 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
harbor-portal | 172.18.0.9 - - [24/May/2025:02:41:26 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
registryctl | 172.18.0.9 - - [24/May/2025:02:41:26 +0000] "GET /api/health HTTP/1.1" 200 9
registry | 172.18.0.9 - - [24/May/2025:02:41:36 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
registryctl | 172.18.0.9 - - [24/May/2025:02:41:36 +0000] "GET /api/health HTTP/1.1" 200 9
harbor-portal | 172.18.0.9 - - [24/May/2025:02:41:36 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
nginx | w.x.y.z - "GET /v2/ HTTP/1.1" 401 76 "-" "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \x5C(linux\x5C))" 0.015 0.015 .
harbor-core | 2025-05-24T02:41:42Z [INFO] [/server/middleware/security/robot.go:71][requestID="c1e022cc-8bd6-4055-a80a-694d65efb8a0"]: a robot security context generated for request GET /service/token
nginx | w.x.y.z - "GET /service/token?account=robot%24test%2Bdev&client_id=docker&offline_token=true&service=harbor-registry HTTP/1.1" 200 899 "-" "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \x5C(linux\x5C))" 0.053 0.053 .
registry | 172.18.0.9 - - [24/May/2025:02:41:42 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \\(linux\\))"
registry | time="2025-05-24T02:41:42.833383943Z" level=info msg="authorized request" go.version=go1.23.8 http.request.host=harbor.love.io http.request.id=53225abe-e803-41ea-83ba-30cc419ed496 http.request.method=GET http.request.remoteaddr=w.x.y.z http.request.uri="/v2/" http.request.useragent="docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \(linux\))"
registry | time="2025-05-24T02:41:42.833451857Z" level=info msg="response completed" go.version=go1.23.8 http.request.host=harbor.love.io http.request.id=53225abe-e803-41ea-83ba-30cc419ed496 http.request.method=GET http.request.remoteaddr=w.x.y.z http.request.uri="/v2/" http.request.useragent="docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \(linux\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=5.533133ms http.response.status=200 http.response.written=2
nginx | w.x.y.z - "GET /v2/ HTTP/1.1" 200 2 "-" "docker/28.1.1 go/go1.23.8 git-commit/01f442b kernel/5.15.0-117-generic os/linux arch/amd64 UpstreamClient(Docker-Client/24.0.8-1 \x5C(linux\x5C))" 0.012 0.012 .
registry | ::1 - - [24/May/2025:02:41:46 +0000] "GET / HTTP/1.1" 200 0 "" "curl/8.12.0"
harbor-portal | 127.0.0.1 - - [24/May/2025:02:41:46 +0000] "GET / HTTP/1.1" 200 785 "-" "curl/8.12.0"
registryctl | ::1 - - [24/May/2025:02:41:46 +0000] "GET /api/health HTTP/1.1" 200 9
registry | 172.18.0.9 - - [24/May/2025:02:41:46 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
registryctl | 172.18.0.9 - - [24/May/2025:02:41:46 +0000] "GET /api/health HTTP/1.1" 200 9
harbor-portal | 172.18.0.9 - - [24/May/2025:02:41:46 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
nginx | 127.0.0.1 - "GET / HTTP/1.1" 308 171 "-" "curl/8.12.0" 0.000 - .
registry | 172.18.0.9 - - [24/May/2025:02:41:56 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
registryctl | 172.18.0.9 - - [24/May/2025:02:41:56 +0000] "GET /api/health HTTP/1.1" 200 9
harbor-portal | 172.18.0.9 - - [24/May/2025:02:41:56 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:79303a75102300056b24911f6c800d39067cab03270f13dee90c459e8917a3e2 HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.004 0.004 .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:d268dce7430d063297a6629a5a837c397c5e62b56add81c009147fc5338fe1c0 HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.002 0.002 .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:77eb107a1423e0ecd606439f44048c743531649e02c94be431cce3184fba64d6 HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.004 0.004 .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:96e83991f20e6a1b719869ac5f8de08a16077701cfb7c5bd1e5f04b6680229bb HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.005 0.005 .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:27377cb9a7d89affaa12c2d7e7e0dd4d49ccaa65cc8075fc8bcdceb6ff7f5e89 HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.006 0.006 .
registry | 172.18.0.9 - - [24/May/2025:02:42:06 +0000] "GET / HTTP/1.1" 200 0 "" "Go-http-client/1.1"
registryctl | 172.18.0.9 - - [24/May/2025:02:42:06 +0000] "GET /api/health HTTP/1.1" 200 9
harbor-portal | 172.18.0.9 - - [24/May/2025:02:42:06 +0000] "GET / HTTP/1.1" 200 785 "-" "Go-http-client/1.1"
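Added example, not part of the original report: a triage script over nginx access lines shaped like the Harbor excerpt above, listing clients that were sent a 401 challenge on `/v2/` but never followed up with a `/service/token` request. A TLS verification failure is raised in the client before any HTTP request is sent, so a token fetch that fails this way leaves no access-log line. The sample lines are constructed (shortened digests and user agents) and the function names are illustrative.

```python
import re

# Constructed sample: nginx access lines shaped like the Harbor excerpt above
# (digests and user-agent strings shortened).
SAMPLE = '''\
nginx | w.x.y.z - "GET /v2/ HTTP/1.1" 401 76 "-" "docker/28.1.1 go/go1.23.8" 0.015 0.015 .
nginx | w.x.y.z - "GET /service/token?account=robot&service=harbor-registry HTTP/1.1" 200 899 "-" "docker/28.1.1 go/go1.23.8" 0.053 0.053 .
nginx | w.x.y.z - "GET /v2/ HTTP/1.1" 200 2 "-" "docker/28.1.1 go/go1.23.8" 0.012 0.012 .
nginx | 127.0.0.1 - "GET / HTTP/1.1" 308 171 "-" "curl/8.12.0" 0.000 - .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:aaaa HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.004 0.004 .
nginx | w.x.y.z - "HEAD /v2/test/threadtest/blobs/sha256:bbbb HTTP/1.1" 401 0 "-" "buildkit/v0.21" 0.002 0.002 .
'''

# method, path, status and user agent of one nginx access line
LINE = re.compile(
    r'^nginx \| \S+ - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<agent>[^"]*)"'
)


def summarize(log_text):
    """Per client (first user-agent token): 401 challenges seen, token requests made."""
    clients = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines from other Harbor components
        name = m["agent"].split(" ", 1)[0]
        c = clients.setdefault(name, {"challenged": 0, "token_requests": 0})
        if m["path"].startswith("/v2/") and m["status"] == "401":
            c["challenged"] += 1
        elif m["path"].split("?", 1)[0] == "/service/token":
            c["token_requests"] += 1
    return clients


def stalled_clients(log_text):
    """Clients that were sent a 401 challenge but never reached /service/token."""
    return sorted(name for name, c in summarize(log_text).items()
                  if c["challenged"] and not c["token_requests"])


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE).items():
        print(name, counts)
    print("challenged, no token request:", stalled_clients(SAMPLE))
```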