Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Docker Exam DCA Topic 5 Question 98 Discussion

Actual exam question for Docker's DCA exam
Question #: 98
Topic #: 5
[All DCA Questions]

You are pulling images from a Docker Trusted Registry installation

configured to use self-signed certificates, and this error appears:

`x509: certificate signed by unknown authority.

You already downloaded the Docker Trusted Registry certificate authority

certificate from https://dtr.example.com/ca.

How do you trust it? (Select two.)

Show Suggested Answer Hide Answer
Suggested Answer: C, E

To trust a self-signed certificate from a Docker Trusted Registry (DTR), you need to place the certificate in the appropriate location on all cluster nodes and restart the Docker daemon. There are two possible locations for the certificate, depending on your OS and Docker version1:

* /etc/docker/certs.d/dtr.example.com/ca.crt: This is the preferred location for Linux systems and Docker versions 1.13 and higher. This directory is scanned by Docker for certificates and keys for each registry domain2.

* Your OS certificate path: This is the fallback location for other OSes and Docker versions. You need to find the certificate store for your OS and copy the certificate there. You also need to trust the certificate system-wide, which may require additional steps depending on your OS3.

The other options are not correct because:

* Passing '-trust-certificate ca.crt to the Docker client is not a valid option. There is no such flag for the Docker client4.

* Placing the certificate in '/etc/docker/dtr/dtr.example.com.crt' is not a valid location. The certificate should be in the /etc/docker/certs.d directory, not the /etc/docker/dtr directory1.

* Passing -- insecure-registry to the Docker client is not a recommended option. This flag disables the TLS verification for the registry, which makes the communication insecure and vulnerable to attacks.


* Use self-signed certificates | Docker Docs

* Test an insecure registry | Docker Docs

* Add TLS certificates as a trusted root authority to the host OS | Docker Docs

* docker | Docker Docs

* [Deploy a registry server | Docker Docs]

Contribute your Thoughts:

Lizbeth
2 months ago
Haha, I remember struggling with this one. C and E are definitely the way to go. Ain't no self-signed certificate gonna stop me!
upvoted 0 times
Georgene
1 months ago
Yeah, those two options worked like a charm for me too!
upvoted 0 times
...
Doyle
1 months ago
E) Place the certificate in your OS certificate path, trust the certificate system-wide, and restart the Docker daemon across all cluster nodes.
upvoted 0 times
...
Roosevelt
1 months ago
C) Place the certificate in /etc/docker/certs.d/dtr.example.com/ca.crt' on all cluster nodes.
upvoted 0 times
...
...
Moon
2 months ago
I'm not sure. Should we also pass '-trust-certificate ca.crt to the Docker client' as an additional step?
upvoted 0 times
...
Brinda
2 months ago
I agree with Glenn. That seems like the correct way to trust the certificate.
upvoted 0 times
...
Xuan
2 months ago
Hmm, I'm leaning towards C and E as well. Seems like the easiest way to trust that pesky certificate.
upvoted 0 times
...
Frank
2 months ago
Ah, this is a tricky one! I think the answer is C and E. Adding the certificate to the Docker certs directory and trusting it system-wide should do the trick.
upvoted 0 times
Octavio
1 months ago
That should resolve the 'x509: certificate signed by unknown authority' error.
upvoted 0 times
...
Hildegarde
1 months ago
Make sure to restart the Docker daemon across all cluster nodes after adding the certificate.
upvoted 0 times
...
Howard
2 months ago
Trusting the certificate system-wide by placing it in your OS certificate path is also important.
upvoted 0 times
...
Sheron
2 months ago
I agree, placing the certificate in '/etc/docker/certs.d/dtr.example.com/ca.crt' on all cluster nodes is necessary.
upvoted 0 times
...
...
Yolande
3 months ago
B) Restarting the daemon on all nodes? No way, that's way too much effort for a self-signed certificate.
upvoted 0 times
...
Nada
3 months ago
D) 'Insecure-registry'? Really? That's like putting a 'Do Not Enter' sign on your front door.
upvoted 0 times
Glennis
1 months ago
D) 'Insecure-registry'? Really? That's like putting a 'Do Not Enter' sign on your front door.
upvoted 0 times
...
Nida
2 months ago
C) Place the certificate in /etc/docker/certs.d/dtr.example.com/ca.crt' on all cluster nodes.
upvoted 0 times
...
Bette
2 months ago
A) Pass '-trust-certificate ca.crt to the Docker client.
upvoted 0 times
...
...
Glenn
3 months ago
I think we should place the certificate in '/etc/docker/dtr/dtr.example.com.crt' and restart the Docker daemon on all cluster nodes.
upvoted 0 times
...
Moon
3 months ago
A) Passing the certificate directly to the Docker client is a simple fix, but I'm not sure if it's the best long-term solution.
upvoted 0 times
...
Gladys
3 months ago
E) Seems like the most robust solution, trusting the certificate system-wide. But it might be overkill for just a Docker registry.
upvoted 0 times
Paola
2 months ago
E) Place the certificate in your OS certificate path, trust the certificate system-wide, and restart the Docker daemon across all cluster nodes.
upvoted 0 times
...
Mattie
2 months ago
C) Place the certificate in /etc/docker/certs.d/dtr.example.com/ca.crt' on all cluster nodes.
upvoted 0 times
...
Sonia
2 months ago
A) Pass '-trust-certificate ca.crt to the Docker client.
upvoted 0 times
...
...
Gabriele
3 months ago
C) Looks like the right answer to me. Placing the certificate in the correct directory on each node is the way to go.
upvoted 0 times
Val
2 months ago
C) Place the certificate in /etc/docker/certs.d/dtr.example.com/ca.crt' on all cluster nodes.
upvoted 0 times
...
Leonida
3 months ago
A) Pass '-trust-certificate ca.crt to the Docker client.
upvoted 0 times
...
...

Save Cancel