X509 parsing error, 'negative serial number'

Published 2019-05-23 15:33

Question:

Our server accesses the internet through a proxy. When I try to run a pull command such as

sudo docker run -t -i ubuntu:14.04 /bin/bash

I get the below error:

Get https://index.docker.io/v1/repositories/ubuntu/images: tls: failed to parse
    certificate from server: x509: negative serial number

The wget command wget -S -d -O - https://get.docker.io yields the below output:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2014-08-27 17:13:46--  https://get.docker.io/
Connecting to :... connected.
Created socket 3.
Releasing 0x00000000016829f0 (new refcount 0).
Deleting unused 0x00000000016829f0.

---request begin---
CONNECT get.docker.io:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Proxy-Authorization: Basic Y3RzXDMxMzMwMDpzd2VldGZlbC4yOQ==

---request end---
proxy responded with: [HTTP/1.1 200 Connection established
Date: Wed, 27 Aug 2014 11:49:52 GMT
Age: 0
Via: 1.0 xaahshshhds

]
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000016831c0
certificate:
  subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io
  issuer:  /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany
ERROR: cannot verify get.docker.io's certificate, issued by `/emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany':
  Unable to locally verify the issuer's authority.
To connect to get.docker.io insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x00000000016831c0

Please give me some directions on how I should go about this issue.

EDIT:

I've now disabled the proxy for this IP segment but I still get the same error. The command wget -S -d -O - https://get.docker.io now gets the below output:

Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-09-04 11:26:12--  https://get.docker.io/
Resolving get.docker.io (get.docker.io)... 162.242.195.77
Caching get.docker.io => 162.242.195.77
Connecting to get.docker.io (get.docker.io)|162.242.195.77|:443... connected.
Created socket 3.
Releasing 0x00000000022d8fd0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000022dabd0
certificate:
  subject: /serialNumber=exkd9EjUozUulWIyUDurQPMEPBLSc2Bq/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
  issuer:  /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
X509 certificate successfully verified and matches host get.docker.io

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: get.docker.io
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 503 Service Unavailable
Server: nginx/1.7.1
Date: Thu, 04 Sep 2014 06:03:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache

---response end---

  HTTP/1.1 503 Service Unavailable
  Server: nginx/1.7.1
  Date: Thu, 04 Sep 2014 06:03:28 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Cache-Control: no-cache
Registered socket 3 for persistent reuse.
Skipping 108 bytes of body: [<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

] done.
2014-09-04 11:26:13 ERROR 503: Service Unavailable.

Answer 1:

subject: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=get.docker.io 
issuer: /emailAddress=aaa@bbbb.com/C=yy/ST=aa/L=xx/O=yy/OU=mycompany/CN=mycompany

It looks like the proxy in your company uses SSL interception to inspect SSL traffic, which means that you get a certificate signed by the proxy CA of your company instead of the original certificate. It also looks like this proxy CA is not trusted by your system, and thus the verification fails.

I would recommend that you contact your firewall administrator on how to deal with the problem. Either they will add an exception for the SSL inspection, or they will tell you which certificate you need to import as trusted in your system.
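The answer above boils down to two checks: who issued the certificate the client actually received, and whether the local trust store knows that issuer. The Go program below is an added example, not code from the question, the answerer or the Docker project. It builds an in-memory stand-in for an intercepting proxy (a private CA named "mycompany" that mints a certificate for get.docker.io; the subject and issuer names are copied from the wget output, the keys and serial numbers are generated here), reads the issuer CN back out of the leaf, and shows path validation failing against a trust store that lacks the proxy CA and passing once that CA is added, which is the "import the certificate as trusted" fix. All function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InterceptedChain is a constructed stand-in for what the poster's proxy presented:
// a leaf for the requested host, signed by the proxy's own private CA.
type InterceptedChain struct {
	LeafPEM string // the certificate the client actually receives
	CAPEM   string // the proxy CA; the client must trust this for the fix to work
}

func derToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func parsePEMCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// BuildInterceptedChain mimics an SSL-inspecting proxy: it mints a certificate for
// host on the fly and signs it with its own CA. Names mirror the question's wget
// output; keys and serials are generated here (constructed test data).
func BuildInterceptedChain(host string) (InterceptedChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return InterceptedChain{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return InterceptedChain{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"yy"}, OrganizationalUnit: []string{"mycompany"}, CommonName: "mycompany"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return InterceptedChain{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return InterceptedChain{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"yy"}, OrganizationalUnit: []string{"mycompany"}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return InterceptedChain{}, err
	}
	return InterceptedChain{LeafPEM: derToPEM(leafDER), CAPEM: derToPEM(caDER)}, nil
}

// IssuerCN returns the issuer CN of a PEM leaf: the field that gave the
// interception away in the question (CN=mycompany instead of a public CA).
func IssuerCN(leafPEM string) (string, error) {
	leaf, err := parsePEMCert(leafPEM)
	if err != nil {
		return "", err
	}
	return leaf.Issuer.CommonName, nil
}

// VerifyLeaf validates leafPEM for host against the trust anchors in rootsPEM.
// An empty rootsPEM models a trust store without the proxy CA (the poster's
// situation); passing the CA's PEM is the "import it as trusted" fix.
func VerifyLeaf(leafPEM, rootsPEM, host string) error {
	leaf, err := parsePEMCert(leafPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if rootsPEM != "" && !roots.AppendCertsFromPEM([]byte(rootsPEM)) {
		return errors.New("rootsPEM contained no parsable certificate")
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	chain, err := BuildInterceptedChain("get.docker.io")
	if err != nil {
		panic(err)
	}
	cn, _ := IssuerCN(chain.LeafPEM)
	fmt.Println("issuer CN:       ", cn)
	fmt.Println("without proxy CA:", VerifyLeaf(chain.LeafPEM, "", "get.docker.io"))
	fmt.Println("with proxy CA:   ", VerifyLeaf(chain.LeafPEM, chain.CAPEM, "get.docker.io"))
}
```

The example passes an explicit (possibly empty) root pool so the result does not depend on the machine it runs on; in a real client you would leave Roots nil so that Go uses the system trust store, which is exactly what Docker does and why importing the proxy CA into that store (or excluding the registry hosts from inspection) is the fix. The same VerifyLeaf check can be run on the real leaf captured with openssl s_client -showcerts through the proxy.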



Answer 2:

This should be fixed for any Docker compiled with Go 1.6+, see: https://github.com/golang/go/commit/a0ea93dea5f5741addc8c96b7ed037d0e359e33f.



Tags: ssl docker x509