Affected versions: CentOS Stream 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Pods on a CentOS Stream 10 node stay in ImagePullBackOff with x509 errors.

Environment & Reproduction

A registry whose certificate is issued by a custom (internal) CA, where that CA has not been installed in the node trust store.

crictl version
crictl info | head

Root Cause Analysis

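cri-o validates registry certificates against the system trust store. When the CA that issued the registry certificate is missing from that store, the TLS handshake fails.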

Quick Triage

Verify the registry TLS handshake from the node.

openssl s_client -connect registry.internal:5000 -showcerts < /dev/null | head

Step-by-Step Diagnosis

Inspect cri-o logs and registries config.

journalctl -u crio -n 200 --no-pager
cat /etc/containers/registries.conf.d/*

Solution – Primary Fix

Install the internal CA into the system trust store and restart cri-o.

cp internal-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
systemctl restart crio

Solution – Alternative Approaches

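Mark the registry as insecure if TLS is not feasible. With insecure = true, cri-o accepts unverified certificates and plain HTTP for that registry, so image pulls from it are no longer protected against interception or tampering; keep the override scoped to the single location.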

echo -e '[[registry]]
location = "registry.internal:5000"
insecure = true' >> /etc/containers/registries.conf.d/internal.conf
systemctl restart crio

Verification & Acceptance Criteria

Pods successfully pull images from the registry.

crictl pull registry.internal:5000/app:latest

Rollback Plan

Remove the CA or insecure override.

rm /etc/pki/ca-trust/source/anchors/internal-ca.crt && update-ca-trust && systemctl restart crio

Prevention & Hardening

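Distribute the CA to every node through configuration management and audit the trust configuration when a node joins. Copying the file alone does not rebuild the trust bundle; update-ca-trust still has to run on each node.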

ansible -m copy -a 'src=internal-ca.crt dest=/etc/pki/ca-trust/source/anchors/' nodes
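
An added example for the join-time audit (not from the original page): it scans the registries.conf.d drop-ins for the insecure override from the alternative approach, so the workaround does not outlive the CA rollout. The function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list_insecure_registries / audit_registries are hypothetical helper names.
# Simplified TOML handling: one key per line, no '#' inside quoted values.

# Print "file<TAB>location" for each [[registry]] or [[registry.mirror]]
# table that sets insecure = true in the given drop-in directory.
list_insecure_registries() {
    local dir="${1:-/etc/containers/registries.conf.d}" f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function flush() {
                if (in_reg && insecure)
                    printf "%s\t%s\n", file, (loc != "" ? loc : "(no location)")
                loc = ""; insecure = 0
            }
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
            /^\[\[registry(\.mirror)?\]\]$/ { flush(); in_reg = 1; next }
            /^\[/ { flush(); in_reg = 0; next }
            in_reg && /^location[ \t]*=/ {
                loc = $0; sub(/^[^=]*=[ \t]*/, "", loc); gsub(/"/, "", loc)
            }
            in_reg && /^insecure[ \t]*=[ \t]*true$/ { insecure = 1 }
            END { flush() }
        ' "$f"
    done
}

# Return 1 (and print the findings to stderr) if any insecure entry exists, else 0.
audit_registries() {
    local hits
    hits="$(list_insecure_registries "$1")"
    [ -z "$hits" ] && return 0
    printf 'insecure registry override found:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample: the drop-in from the alternative approach plus a clean one.
demo_dir="$(mktemp -d)"
printf '[[registry]]\nlocation = "registry.internal:5000"\ninsecure = true\n' > "$demo_dir/internal.conf"
printf '[[registry]]\nlocation = "quay.io"\ninsecure = false  # verified\n' > "$demo_dir/public.conf"
audit_registries "$demo_dir" || echo "audit failed for $demo_dir"
```

On a node, call audit_registries with no argument to check /etc/containers/registries.conf.d and fail the join step on a non-zero exit status.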

Related Errors & Cross-Refs

x509 unknown authority, ImagePullBackOff, registry TLS errors.

References & Further Reading

cri-o registry docs, podman trust store notes.
