Skip to main content

Certificate errors (corporate proxy)

If you encounter an SSL/TLS error when trying to pull the image from docker, this may be caused by a corporate proxy on your local network. Popular corporate proxies include Zscaler Secure Internet Access (ZIA), FortiGate, Prisma Access and others. Examples of common errors caused by a corporate proxy:
  • x509: certificate signed by unknown authority
  • connection reset by peer
  • TLS handshake timeout
To fix the problem: Pull from a cloud VM that isn’t impacted by firewall inspection to circumvent the issue. Updating the certificates on your local PC is generally harder because you would need to obtain the custom CA.

Cached image is out of date

To fix the problem: Use the --pull flag with thedocker build command or --pull alwayswith docker run to force Docker to pull the latest image digest even if the version tag is the same. To force Docker to pull the image even if an image with the same tag already exists locally: 
docker run --pull always {image}
Explanation: Minimus images can potentially be rebuilt every day. As a result, the same image version tag may have numerous image digests. Many times, vulnerabilities fixes are delivered without the image version tag changing so it’s particularly important to always pull the most recent digest. See for example the Minimus digest-history for python version 3.13.5

Valid inline token returned unauthorized error

To fix the problem: Run docker logout reg.mini.dev to reset your access and try the pull command again. Explanation: Most likely, you previously authenticated with the docker login command and the token has since expired or been deleted. The token from the docker login command takes precedence over the inline token and this is causing the error.

Error logs not returned by grep

To fix the problem: Add 2>&1 flag to docker logs command. For example:
for 2>&1 flag
docker logs {container_name_or_ID} 2>&1 | grep "{search_term}"
Explanation: 2>&1 combines the standard error stream and output stream, so both are passed together to the pipe (|) and processed by grep.