ImagePullBackOff due to lack of node-client-ca.crt

Solution Verified - Updated -


  • OpenShift Container Platform
    • 3.10


Failed to pull image "docker-registry.default.svc:5000": rpc error: code = Unknown desc = open /etc/docker/certs.d/docker-registry.default.svc:5000/node-client-ca.crt: no such file or directory


  • Recreate the symbolic link from the docker certificate directory to the node certificate (the node certificate is created when atomic-openshift-node is started):
# ln -s /etc/origin/node/node-client-ca.crt /etc/docker/certs.d/docker-registry.default.svc:5000/node-client-ca.crt
  • Restart node services:
# systemctl restart docker
# systemctl restart atomic-openshift-node
  • If the node certificate does not exist in /etc/origin/node/node-client-ca.crt, you will need to follow the steps in this KCS, which deals with a missing bootstrap kubeconfig.
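
The script below is an added example, not part of the original solution: it verifies the symbolic link from the steps above, recreates it when it is missing or stale, and stops when the node certificate itself is absent. The function name, the `--apply` switch and the return codes are assumptions of this example; the default paths are the ones on this page.

```shell
#!/bin/sh
# Added example (not from the original solution). Defaults are the page's paths.
NODE_CA="${NODE_CA:-/etc/origin/node/node-client-ca.crt}"
REGISTRY_DIR="${REGISTRY_DIR:-/etc/docker/certs.d/docker-registry.default.svc:5000}"

# check_registry_ca SRC DIR   (name and return codes are this example's own)
#   0 = link already points at SRC, nothing to do
#   1 = link was missing or stale and has been recreated; restart services
#   2 = SRC is missing, empty or not PEM; fix the node certificate first
#   3 = a regular file sits where the link belongs; left untouched
#   4 = could not create the directory or the link
check_registry_ca() {
    src=$1
    link=$2/node-client-ca.crt
    if [ ! -s "$src" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "node certificate missing or not PEM: $src" >&2
        return 2
    fi
    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$src" ]; then
            echo "ok: $link -> $src"
            return 0
        fi
        echo "stale link, was -> $(readlink "$link")" >&2
        rm -f "$link"
    elif [ -e "$link" ]; then
        echo "not a symlink, refusing to replace: $link" >&2
        return 3
    fi
    mkdir -p "$2" && ln -s "$src" "$link" || return 4
    echo "created: $link -> $src"
    echo "now restart docker and atomic-openshift-node"
    return 1
}

# Only act when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    check_registry_ca "$NODE_CA" "$REGISTRY_DIR"
fi
```

Run it as root with `--apply` on the affected node. Exit status 2 corresponds to the missing-certificate case in the last step above, and status 3 means a copied file was found where the link belongs and was left in place for inspection.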

Root Cause

  • The symbolic link allows the docker pull to reference the node certificate located in /etc/origin/node/node-client-ca.crt. Without it, the pull will not trust the registry.
