Skip to content

CRI-O Registry Configuration Error — Quick Fix

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about CRI. We cover key concepts, practical examples, and best practices.

The Problem

Pulling container images with CRI-O fails due to registry configuration errors. Images from certain registries cannot be resolved, insecure registries are blocked, or TLS certificate verification fails. CRI-O's registry configuration differs from containerd and Docker.

Error example:

Error: initializing source: pinging container registry registry.example.com: 
Get "https://registry.example.com/v2/": x509: certificate signed by unknown authority
Error: image not found: registry.example.com/app:latest

The Fix

Step 1: Configure registry mirrors in CRI-O

WRONG — applying Docker daemon registry config to CRI-O:

# CRI-O uses its own configuration format

RIGHT — edit CRI-O's registries.conf:

cat /etc/containers/registries.conf

Add or modify the registry configuration:

[[registry]]
location = "registry.example.com"
insecure = false
blocked = false

[[registry.mirror]]
location = "mirror.example.com"

Step 2: Add trusted CA certificates

WRONG — setting insecure=true for all registries:

# insecure bypasses TLS verification and is not recommended

RIGHT — add the self-signed CA certificate:

# Copy the CA certificate
cp my-ca.crt /etc/containers/certs.d/registry.example.com/ca.crt

# Restart CRI-O
systemctl restart crio

Use DodaTech's Registry Configuration Validator to check CRI-O registry settings, TLS certificate chains, and mirror configurations.

Prevention Tips

  • Use the search-by-ping method for registry auto-discovery: [[registry]] location = "registry.example.com" insecure = false
  • Add CA certificates to the correct path: /etc/containers/certs.d/<registry>/ca.crt
  • Configure mirrors for high-availability registry access
  • Test registry configuration with crictl pull registry.example.com/test-image:latest
  • Use DodaTech's CRI-O Config Auditor for automated configuration validation

Common Mistakes with o registry error

  1. Forgetting deriving (Show, Eq) on custom data types needed for debugging
  2. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  3. Using head and tail instead of pattern matching, causing runtime errors on empty lists

These mistakes appear frequently in real-world CRI code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### What is the difference between CRI-O's registries.conf and Docker's daemon.json?

CRI-O uses the containers/image library format, which is a TOML configuration file at /etc/containers/registries.conf. Docker uses JSON at /etc/docker/daemon.json. The two are not interchangeable — CRI-O does not read Docker's daemon.json for registry configuration.

How do I use an insecure registry with CRI-O?

Set insecure = true in the registry block: [[registry]] location = "insecure-registry.example.com:5000" insecure = true. Only use this for testing or internal registries without TLS.

Why does CRI-O still fail after configuring the registry?

Check that the crio service has been restarted after configuration changes. Also verify that the registry is reachable from the node with curl -v https://registry.example.com/v2/. Firewall rules or DNS issues can cause pull failures even with correct CRI-O configuration.

Related: DodaTech's Container Registry Migration Guide covers transitioning between Docker, containerd, and CRI-O registry configurations.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro