https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257185#M1202 <P>Are you sure the Harmony SASE CA was correctly added to the trusted CA list of the system?</P> <P>You can also create bypass rules for programs. In linux that would be /usr/bin/dockerd and /usr/bin/docker-proxy. In Windows, that's probably "Docker Desktop.exe", but I have not tested this one.</P> Fri, 12 Sep 2025 16:20:55 GMT Pedro_Espindola 2025-09-12T16:20:55Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257079#M1187 <P>Hello Team ,&nbsp;<BR /><BR />&nbsp;when trying to fetch from docker we are receiveing the following error :<BR /><BR /><SPAN>"failed to solve: php:8.1-apache-bullseye: failed to resolve source metadata for&nbsp;</SPAN><A class="" href="http://docker.io/library/php:8.1-apache-bullseye" target="_blank" rel="noopener noreferrer">docker.io/library/php:8.1-apache-bullseye</A><SPAN>: failed to do request: Head "r</SPAN><A class="" href="https://registry-1.docker.io/v2/library/php/manifests/8.1-apache-bullseye" target="_blank" rel="noopener noreferrer">egistry-1.docker.io/v2/library/php/manifests/8.1-apache-bullseye</A><STRONG>": tls: failed to verify certificate: x509: certificate signed by unknown authority"</STRONG></P><P>&nbsp;</P><P>I noticed that nothing appears in the logs. To make it work, I had to create a bypass rule for the following Docker-related domains:</P><UL><LI><P>registry-1.docker.io</P></LI><LI><P>auth.docker.io</P></LI><LI><P>production.cloudflare.docker.com</P></LI></UL><P>Could you please advise:</P><OL><LI><P>Are there best practices we can apply to avoid this issue in the future (e.g., handling TLS inspection with Docker Hub traffic)?</P></LI><LI><P>Why doesn’t this behavior appear in the logs, and is there a way to improve visibility for similar cases?</P></LI></OL><P>Thanks in advance for your guidance.</P><P>&nbsp;</P> Thu, 11 Sep 2025 05:13:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257079#M1187 Geomix7 2025-09-11T05:13:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257081#M1188 <P>I would suggest to open SR# with CP TAC !</P> Thu, 11 Sep 2025 07:02:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257081#M1188 G_W_Albrecht 2025-09-11T07:02:27Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257108#M1192 <P>Not sure if Docker has a mechanism to update the Trusted CAs (needed for HTTPS Inspection to work) or if they implement Certificate Pinning (in which case, HTTPS Inspection won't work and you will need to bypass as you've done).</P> Thu, 11 Sep 2025 14:53:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257108#M1192 PhoneBoy 2025-09-11T14:53:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257185#M1202 <P>Are you sure the Harmony SASE CA was correctly added to the trusted CA list of the system?</P> <P>You can also create bypass rules for programs. In linux that would be /usr/bin/dockerd and /usr/bin/docker-proxy. In Windows, that's probably "Docker Desktop.exe", but I have not tested this one.</P> Fri, 12 Sep 2025 16:20:55 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Harmony-SASE-Issue-with-Docker-Pulls-TLS-Certificate-Error/m-p/257185#M1202 Pedro_Espindola 2025-09-12T16:20:55Z