A no-nonsense, rage-fueled step-by-step for making Podman respect a custom TLS certificate chain (e.g. a corporate MITM cert) when pulling images from remote registries like quay.io.
What You Have For An Environment (Hopefully)
- Podman installed on Windows
- Podman VM (Fedora CoreOS), managed via `podman machine`, does all the container work
- WSL (Windows Subsystem for Linux) is used as the main CLI environment
- Podman socket is exposed from the VM into WSL using the official guide
When to Use WSL Socket Sharing
See: https://podman-desktop.io/docs/podman/accessing-podman-from-another-wsl-instance
Basically, you should always use the guide.
If you install Podman Desktop, it enables the WSL2 feature and creates its own WSL-integrated Podman VM. However, it does not automatically configure Podman access for other WSL distributions.
You should use the guide if:
- (a) You already have WSL2 enabled with the default Ubuntu distro
- (b) You already have WSL2 enabled with different or additional distros
- (c) You plan to add Ubuntu or other distros later
Manually linking the Podman socket ensures consistent, predictable behavior across any distro you use — now or in the future.
The Problem
Error: tls: failed to verify certificate: x509: certificate signed by unknown authority
This occurs when:
- Your corporate network intercepts TLS and re-signs certs with the corporate CA
- Podman VM doesn't trust the CA used to sign registry certs (like `quay.io`)
What To Do When You're in Cert Hell
Don't throw your laptop off the roof of your RTO-mandated office space.
Instead:
1. Get the Certificate Chain from WSL
openssl s_client -showcerts -connect quay.io:443 </dev/null \
| awk '/-----BEGIN/,/-----END/' > quay.crt
- Make sure `quay.crt` contains full PEM blocks (each starting with `-----BEGIN CERTIFICATE-----`). The file holds the whole chain the proxy presented, in order: the re-signed `quay.io` leaf first, then the corporate intermediate and/or root. The last block is the one worth trusting; the leaf is re-minted by the proxy and is not a stable trust anchor. If only one block comes back, the proxy did not send its CA at all and you need to get the corporate CA certificate from whoever runs the proxy.
2. Copy the Cert into the VM and Windows (Optional)
From WSL:
# Optional backup to Windows
cp quay.crt /mnt/c/Users/<your-user>/Downloads/
# Upload cert to Podman VM
scp -i ~/.podman-keys/podman-vm-key -P <VM_PORT> quay.crt user@127.0.0.1:/tmp/
- If ssh refuses the key because it is too permissive (files copied in via `/mnt/c` typically land as `0777`), do:
chmod 600 ~/.podman-keys/podman-vm-key
IMPORTANT: Having the cert in both WSL and Windows makes it easier to keep systems in parity if something resets or changes.
3. Install Cert into Windows Trusted Root Store
- Run `certmgr.msc` as Administrator
- Go to Trusted Root Certification Authorities > Certificates
- Import `quay.crt` (only the corporate CA certificate belongs in a root store; do not import the `quay.io` leaf as a trusted root)
This helps keep Windows in parity with WSL and podman machine.
4. Inject the Cert into the Podman VM
ssh -i ~/.podman-keys/podman-vm-key -p <VM_PORT> user@127.0.0.1
Inside the VM:
sudo mkdir -p /etc/containers/certs.d/quay.io
sudo mv /tmp/quay.crt /etc/containers/certs.d/quay.io/ca.crt
The directory name must match the registry host exactly (append `:port` for a registry on a non-standard port), and every PEM block in any `*.crt` file under it becomes a trust anchor for that registry only. Other intercepted registries need their own directories.
But wait. How the hell do we know what the port the podman machine is running on?
5. Finding the Podman VM Port
Run this from Windows:
podman system connection list
Look for:
Name: podman-machine-default
URI: ssh://user@127.0.0.1:49259/run/user/1000/podman/podman.sock
Identity: C:\Users\you\.local\share\containers\podman\machine
The port in the URI (49259 here) is the `<VM_PORT>` used in steps 2 and 4. Use this info to:
- SSH into the VM
- SCP cert files in
- Configure `podman-remote`
6. Reboot the Podman VM
podman machine stop
podman machine start
This restarts the VM and the podman service inside it, so the new trust configuration is in effect and nothing cached from before the change is still in play.
IMPORTANT: The `podman machine` SSH port is very likely to change after a restart. Re-run `podman system connection list` before you SSH in again.
7. Final Test: From WSL
podman run quay.io/podman/hello
If this works: You are free.
If not: SSH back in and verify the cert file:
head /etc/containers/certs.d/quay.io/ca.crt
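The whole procedure, as an added example that is not part of the original post, rolled into one shell script run from WSL. It automates the port lookup the author complains about by reading `podman system connection list --format`, splits the captured chain into its individual certificates, and refuses to install anything that is not a CA, so the proxy's re-minted `quay.io` leaf never becomes a trust anchor. Assumptions that are not in the post: `podman.exe` is reachable from WSL through Windows PATH interop (used only to read the connection list), the ssh key copied into WSL lives at `~/.podman-keys/podman-vm-key`, and the connection is named `podman-machine-default`; the VM login user comes from the URI, as in the listing above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the seven steps above as one
# script run from WSL. Assumptions that are NOT in the original:
#   - podman.exe is reachable from WSL via Windows PATH interop (used only to
#     read the connection list, so the port is never typed by hand)
#   - the ssh key copied into WSL lives at $PODMAN_KEY
#   - the machine's connection is named podman-machine-default
# Unlike the walkthrough, this installs only the top certificate the proxy
# presented and refuses to install a leaf as a trust anchor.
set -eu

PODMAN_KEY="${PODMAN_KEY:-$HOME/.podman-keys/podman-vm-key}"
CONNECTION="${CONNECTION:-podman-machine-default}"
IMAGE="${IMAGE:-quay.io/podman/hello}"

# "ssh://user@127.0.0.1:49259/run/user/1000/podman/podman.sock" -> "49259"
port_from_uri() {
  local hostport="${1#ssh://}"
  hostport="${hostport%%/*}"        # user@127.0.0.1:49259
  printf '%s\n' "${hostport##*:}"
}

# same URI -> "user@127.0.0.1" (what ssh/scp want as the target)
ssh_target_from_uri() {
  local hostport="${1#ssh://}"
  hostport="${hostport%%/*}"
  printf '%s\n' "${hostport%:*}"
}

# Split a PEM bundle (openssl s_client -showcerts output after the awk
# filter from step 1) into cert-1.pem, cert-2.pem, ... under $2 and print
# how many blocks it held. Order is preserved: leaf first, highest CA last.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Step 1: capture the chain the (possibly intercepted) registry presents.
fetch_chain() {
  local host="$1" out="$2"
  openssl s_client -showcerts -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
  [ -s "$out" ] || { echo "no certificates captured from $host" >&2; return 1; }
}

# Refuse to pin a leaf: a proxy re-mints leaves, so only a CA is a stable
# trust anchor. If the proxy sends no CA at all, get it from whoever runs it.
require_ca() {
  local cert="$1"
  openssl x509 -in "$cert" -noout -subject -issuer -enddate
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
    || { echo "$cert is not a CA certificate; obtain the corporate CA instead" >&2; return 1; }
}

# Steps 2, 4 and 5: look up the machine's ssh port, copy the CA in, and place
# it under certs.d/<registry host>, where podman inside the VM looks for it.
install_in_vm() {
  local host="$1" cert="$2" uri port target
  uri=$(podman.exe system connection list --format '{{.Name}} {{.URI}}' | tr -d '\r' \
        | awk -v n="$CONNECTION" '$1 == n { print $2 }')
  [ -n "$uri" ] || { echo "connection $CONNECTION not found" >&2; return 1; }
  port=$(port_from_uri "$uri"); target=$(ssh_target_from_uri "$uri")
  chmod 600 "$PODMAN_KEY"   # keys copied via /mnt/c arrive 0777 and ssh rejects them
  scp -i "$PODMAN_KEY" -P "$port" "$cert" "$target:/tmp/$host.ca.crt"
  ssh -i "$PODMAN_KEY" -p "$port" "$target" \
    "sudo mkdir -p /etc/containers/certs.d/$host && sudo mv /tmp/$host.ca.crt /etc/containers/certs.d/$host/ca.crt"
}

main() {
  local host="${1:-quay.io}" work n
  work=$(mktemp -d)
  fetch_chain "$host" "$work/chain.pem"
  n=$(split_pem_bundle "$work/chain.pem" "$work")
  require_ca "$work/cert-$n.pem"
  install_in_vm "$host" "$work/cert-$n.pem"
  podman.exe machine stop && podman.exe machine start   # step 6
  podman run --rm "$IMAGE"                              # step 7, via the WSL socket
}

# Only act when invoked as: ./fix-registry-ca.sh run [registry-host]
if [ "${1:-}" = "run" ]; then main "${2:-quay.io}"; fi
```

Invoke it as `./fix-registry-ca.sh run quay.io`; without `run` it only defines the functions, so the text helpers can be sourced and exercised offline. Because the trust anchor lands under `certs.d/<host>`, run it once per intercepted registry.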
Where the Cert Matters (and Doesn't)
| Location | Does It Matter? |
|---|---|
| Windows certmgr.msc | No, not used by Podman VM |
| WSL /etc/containers/certs.d | No, WSL is just a thin client (but good for parity/backup) |
| Podman VM /etc/containers/certs.d | YES |
Recap Checklist
- [x] Pulled cert from WSL using `openssl`
- [x] Copied cert to Podman VM via `scp`
- [x] Installed cert in `/etc/containers/certs.d/quay.io/ca.crt` inside the VM
- [x] Restarted Podman VM
- [x] Confirmed `podman run quay.io/podman/hello` works from WSL
You are now a Certified Cert Slayer™.
Burn this page into your soul and never fear x509 again.