Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.
494 questions
Pulling docker image from ACR: certificate is valid for northeurope, but not westeurope
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 99%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Charles Lindberg
0
Reputation points
I want to, in an Azure DevOps pipeline, pull a container image from an Azure Container Registry.
We have an two Azure Container Registries, one for test and one for prod. They are both configured to use a private endpoint connection, and they are both located in west Europe. The only difference between test and prod, as far as I know, is that the production one is set up to use geo-replication with west & north Europe configured.
It works fine in test, but fails when I try doing the same thing for the prod container registry. Here's the error message I'm getting:
2025-04-08T08:36:30Z FATAL Fatal error image scan error: scan error: scan failed: failed analysis: unable to get the image ID: unable to get the image ID: Get "https://theregistry.westeurope.data.azurecr.io?c=REDACTED&d=REDACTED&h=REDACTED&l=REDACTED&p=REDACTED&r=REDACTED&s=REDACTED&t=REDACTED&v=REDACTED": tls: failed to verify certificate: x509: certificate is valid for *.northeurope.data.azurecr.io, *.azurecr.io, *.data.azurecr.io, not theregistry.westeurope.data.azurecr.io
The mention of north europe, and the fact that it works in test, leads me to believe it has to do with the geo-replication. But I have no clue what to do to make it work for the prod ACR.
Here's how I login:
task: Docker@2
displayName: Login to ACR
inputs:
command: login
containerRegistry: "Container Registry Service Connection Name"
And here's the pulling:
- task: Bash@3
displayName: Pulling docker image
inputs:
targetType: inline
script: |
docker pull theregistry.azurecr.io/theimage:latest
Any ideas?
Thanks
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Markapuram Sudheer Reddy 1,665 Reputation points Microsoft External Staff2025-04-08T20:44:21.4+00:00 Hi Charles Lindberg,
For every push or pull image operation on a geo-replicated registry, Azure Traffic Manager in the background sends a request to the registry's closest location in the region to maintain network latency.
Ensure that DNS resolution and private endpoints are correctly set up for all geo-replicated regions.
Make sure that your private DNS zone (privatelink.azurecr.io) includes records for all geo-replicated regions.
Try to inspect the current certificate and verify which domains it covers by using OpenSSL and update the certificate to include domain if not present in certificate.
If you followed any workarounds and facing issue, please share complete details to better investigate further.
Please check below documentation for more information,
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-geo-replication
Sign in to comment
Sign in to answer