Red Hat registry error

I’m trying to use podman to download containers and I’m getting the following errors:

2025-08-26 09:40:55,552-0500 WARN  [qtp1465691120-24]  *UNKNOWN org.sonatype.nexus.repository.docker.internal.datastore.recipe.DockerProxyFacetImpl - Exception org.sonatype.nexus.repository.proxy.BypassHttpErrorException checking remote for update, proxy repo DockerHub failed to fetch v2/rancher/mirrored-pause/blobs/sha256:6270bb605e12e581514ada5fd5b3216f727db55dc87d5889c790e4c760683fee, content not in cache.
2025-08-26 09:41:34,376-0500 INFO  [qtp1465691120-101]  *UNKNOWN org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for registry_redhat_io changed from READY to AVAILABLE - reason n/a for n/a
2025-08-26 09:41:35,298-0500 INFO  [qtp1465691120-101]  *UNKNOWN org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for registry_redhat_io changed from AVAILABLE to UNAVAILABLE - reason javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target for https://registry.redhat.io
2025-08-26 09:41:35,299-0500 WARN  [qtp1465691120-101]  *UNKNOWN org.sonatype.nexus.repository.docker.internal.datastore.recipe.DockerProxyFacetImpl - Exception javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target checking remote for update, proxy repo registry_redhat_io failed to fetch v2/rhel9/nginx-120/blobs/sha256:81bbc99649880ff97cf59c50ec42d7e9ecd76a5042d4b03999f98745ddf272f0, content not in cache.
2025-08-26 09:44:01,685-0500 INFO  [qtp1465691120-99]  admin org.sonatype.nexus.rapture.internal.security.SessionServlet - Created session for user: admin
2025-08-26 09:44:42,575-0500 INFO  [qtp1465691120-23]  *UNKNOWN org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for registry_redhat_io changed from UNAVAILABLE to AVAILABLE - reason n/a for n/a
2025-08-26 09:44:42,782-0500 INFO  [qtp1465691120-23]  *UNKNOWN org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for registry_redhat_io changed from AVAILABLE to UNAVAILABLE - reason javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target for https://registry.redhat.io
2025-08-26 09:44:42,782-0500 WARN  [qtp1465691120-23]  *UNKNOWN org.sonatype.nexus.repository.docker.internal.datastore.recipe.DockerProxyFacetImpl - Exception javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target checking remote for update, proxy repo registry_redhat_io failed to fetch v2/rhel9/nginx-120/blobs/sha256:81bbc99649880ff97cf59c50ec42d7e9ecd76a5042d4b03999f98745ddf272f0, content not in cache.
DEBU[0000] Trying to access "nexus.example.com:9093/rhel9/nginx-120:latest"
DEBU[0000] No credentials matching nexus.example.com:9093/rhel9/nginx-120 found in /run/user/1600/containers/auth.json
DEBU[0000] No credentials matching nexus.example.com:9093/rhel9/nginx-120 found in /opt/aap/.config/containers/auth.json
DEBU[0000] No credentials matching nexus.example.com:9093/rhel9/nginx-120 found in /opt/aap/.docker/config.json
DEBU[0000] No credentials matching nexus.example.com:9093/rhel9/nginx-120 found in /opt/aap/.dockercfg
DEBU[0000] No credentials for nexus.example.com:9093/rhel9/nginx-120 found
DEBU[0000]  No signature storage configuration found for nexus.example.com:9093/rhel9/nginx-120:latest, using built-in default file:///opt/aap/.local/share/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/nexus.example.com:9093
DEBU[0000] GET https://nexus.example.com:9093/v2/
DEBU[0000] Ping https://nexus.example.com:9093/v2/ err Get "https://nexus.example.com:9093/v2/": http: server gave HTTP response to HTTPS client (&url.Error{Op:"Get", URL:"https://nexus.example.com:9093/v2/", Err:(*errors.errorString)(0x55f4d5181c20)})
DEBU[0000] GET http://nexus.example.com:9093/v2/
DEBU[0000] Ping http://nexus.example.com:9093/v2/ status 401
DEBU[0000] GET http://nexus.example.com:9093/v2/rhel9/nginx-120/manifests/latest
DEBU[0000] Content-Type from manifest GET is "application/vnd.oci.image.index.v1+json"
DEBU[0000] Using SQLite blob info cache at /opt/aap/.local/share/containers/cache/blob-info-cache-v1.sqlite
DEBU[0000] Source is a manifest list; copying (only) instance sha256:ee6f8f937bc726fd714dde00f25e515ba9e2726d364e5f8764a853c25a1762dd for current system
DEBU[0000] GET http://nexus.example.com:9093/v2/rhel9/nginx-120/manifests/sha256:ee6f8f937bc726fd714dde00f25e515ba9e2726d364e5f8764a853c25a1762dd
DEBU[0000] Content-Type from manifest GET is "application/vnd.oci.image.manifest.v1+json"
DEBU[0000] IsRunningImageAllowed for image docker:nexus.example.com:9093/rhel9/nginx-120:latest
DEBU[0000]  Using default policy section
DEBU[0000]  Requirement 0: allowed
DEBU[0000] Overall: allowed
DEBU[0000] Downloading /v2/rhel9/nginx-120/blobs/sha256:81bbc99649880ff97cf59c50ec42d7e9ecd76a5042d4b03999f98745ddf272f0
DEBU[0000] GET http://nexus.example.com:9093/v2/rhel9/nginx-120/blobs/sha256:81bbc99649880ff97cf59c50ec42d7e9ecd76a5042d4b03999f98745ddf272f0
DEBU[0000] Error pulling candidate nexus.example.com:9093/rhel9/nginx-120:latest: copying system image from manifest list: parsing image configuration: fetching blob: received unexpected HTTP status: 502 Bad Gateway
Error: copying system image from manifest list: parsing image configuration: fetching blob: received unexpected HTTP status: 502 Bad Gateway
DEBU[0000] Shutting down engines
INFO[0000] Received shutdown.Stop(), terminating!        PID=876343

This error indicates that there is a TLS certificate validation problem between Nexus and the remote registry. Try the Outbound SSL section of the help documentation - Configuring SSL
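A triage sketch for the log lines in this thread, added here as an example and not part of any post or of Nexus or podman: it separates proxy repositories blocked by the upstream PKIX trust failure from those failing for other reasons, and flags the client's fallback to plain HTTP. The sample lines are constructed and shortened from the formats above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the thread's formats; digests are placeholders.
SAMPLE = """\
2025-08-26 09:41:35,298-0500 INFO  [qtp-1]  *UNKNOWN HttpClientFacetImpl - Repository status for registry_redhat_io changed from AVAILABLE to UNAVAILABLE - reason javax.net.ssl.SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target for https://registry.redhat.io
2025-08-26 09:41:35,299-0500 WARN  [qtp-1]  *UNKNOWN DockerProxyFacetImpl - Exception javax.net.ssl.SSLHandshakeException: PKIX path building failed checking remote for update, proxy repo registry_redhat_io failed to fetch v2/rhel9/nginx-120/blobs/sha256:0000, content not in cache.
2025-08-26 09:40:55,552-0500 WARN  [qtp-2]  *UNKNOWN DockerProxyFacetImpl - Exception org.sonatype.nexus.repository.proxy.BypassHttpErrorException checking remote for update, proxy repo DockerHub failed to fetch v2/rancher/mirrored-pause/blobs/sha256:1111, content not in cache.
DEBU[0000] Ping https://nexus.example.com:9093/v2/ err Get "https://nexus.example.com:9093/v2/": http: server gave HTTP response to HTTPS client
Error: copying system image from manifest list: fetching blob: received unexpected HTTP status: 502 Bad Gateway
"""

STATUS = re.compile(r"Repository status for (\S+) changed from \w+ to UNAVAILABLE"
                    r" - reason (.+?) for (https?://\S+)")
FETCH = re.compile(r"Exception (\S+?):? .*proxy repo (\S+) failed to fetch (\S+),")
FALLBACK = re.compile(r"Ping https://(\S+?)/v2/ err .*server gave HTTP response to HTTPS client")
CLIENT_ERR = re.compile(r"^Error: .*received unexpected HTTP status: (\d+)")


def triage(text):
    """Group Nexus and podman log lines by the failure they describe."""
    report = {"tls_trust_failures": {}, "failed_fetches": defaultdict(list),
              "plaintext_fallback": set(), "client_status": None}
    for line in text.splitlines():
        if m := STATUS.search(line):
            repo, reason, url = m.groups()
            if "PKIX path building failed" in reason:
                # The Nexus JVM could not build a chain to a trusted root for this URL.
                report["tls_trust_failures"][repo] = url
        elif m := FETCH.search(line):
            exc, repo, path = m.groups()
            report["failed_fetches"][repo].append((exc.rsplit(".", 1)[-1], path))
        elif m := FALLBACK.search(line):
            # The client retried the Nexus connector over plain HTTP.
            report["plaintext_fallback"].add(m.group(1))
        elif m := CLIENT_ERR.search(line):
            report["client_status"] = int(m.group(1))
    return report


def tls_blocked_repos(report):
    """Repos whose failed fetches coincide with an upstream trust failure."""
    return sorted(r for r in report["failed_fetches"] if r in report["tls_trust_failures"])


if __name__ == "__main__":
    rep = triage(SAMPLE)
    print("TLS-blocked proxy repos:", tls_blocked_repos(rep))
    print("Plain-HTTP fallback:", sorted(rep["plaintext_fallback"]), "status:", rep["client_status"])
```
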

I have added the SSL certificate to the SSL truststore in the nexus web ui. So it is in there globally.

Does the Red Hat registry expect client certificate authentication? That is the only other thing I can think of if that outbound certificate isn’t sufficient.

It does not.

So in my homelab I gave all anonymous users admin privs. In my enterprise env I can’t do that even if I probably could. But I’m creating a new user to be used as the anonymous user. I’m trying to give that user all the read and browse privileges. Is this all I need to do to allow for reading the SSL certs?

Something else to note, this works just fine for using pypi. I have no issues.