DEV Community

John617

Surviving Certificate Hell with Podman, WSL, and Windows

A no-nonsense, rage-fueled step-by-step for making Podman respect a custom TLS certificate chain (e.g. a corporate MITM cert) when pulling images from remote registries like quay.io.


What You Have For An Environment (Hopefully)

  • Podman installed on Windows
  • Podman VM (Fedora CoreOS), managed via podman machine, does all the container work
  • WSL (Windows Subsystem for Linux) is used as the main CLI environment
  • Podman socket is exposed from the VM into WSL using the official guide

When to Use WSL Socket Sharing

See: https://podman-desktop.io/docs/podman/accessing-podman-from-another-wsl-instance

Basically, you should always use the guide.

If you install Podman Desktop, it enables the WSL2 feature and creates its own WSL-integrated Podman VM. However, it does not automatically configure Podman access for other WSL distributions.

You should use the guide if:

  • (a) You already have WSL2 enabled with the default Ubuntu distro
  • (b) You already have WSL2 enabled with different or additional distros
  • (c) You plan to add Ubuntu or other distros later

Manually linking the Podman socket ensures consistent, predictable behavior across any distro you use — now or in the future.


The Problem

Error: tls: failed to verify certificate: x509: certificate signed by unknown authority

This occurs when:

  • Your corporate network intercepts TLS and re-signs certs with the corporate CA
  • The Podman VM doesn't trust the CA that now signs the registry's cert (e.g. quay.io's)

What To Do When You're in Cert Hell

Don't throw your laptop off the roof of your RTO-mandated office space.

Instead:

1. Get the Certificate Chain from WSL

openssl s_client -showcerts -connect quay.io:443 </dev/null \
  | awk '/-----BEGIN/,/-----END/' > quay.crt
  • Make sure quay.crt contains full PEM blocks (starts with -----BEGIN CERTIFICATE-----)

2. Copy the Cert into the VM and Windows (Optional)

From WSL:

# Optional backup to Windows
cp quay.crt /mnt/c/Users/<your-user>/Downloads/

# Upload cert to Podman VM
scp -i ~/.podman-keys/podman-vm-key -P <VM_PORT> quay.crt <VM_USER>@<VM_HOST>:/tmp/
  • If ssh refuses the key because it is too permissive (e.g. 0777), do:
  chmod 600 ~/.podman-keys/podman-vm-key

IMPORTANT: Having the cert in both WSL and Windows makes it easier to keep systems in parity if something resets or changes.


3. Install Cert into Windows Trusted Root Store

  • Run certmgr.msc as Administrator
  • Go to Trusted Root Certification Authorities > Certificates
  • Import quay.crt

This helps keep Windows in parity with WSL and podman machine.


4. Inject the Cert into the Podman VM

ssh -i ~/.podman-keys/podman-vm-key -p <VM_PORT> <VM_USER>@<VM_HOST>

Inside the VM:

sudo mkdir -p /etc/containers/certs.d/quay.io
sudo mv /tmp/quay.crt /etc/containers/certs.d/quay.io/ca.crt

But wait. How the hell do we know what port the podman machine is running on?


5. Finding the Podman VM Port

Run this from Windows:

podman system connection list

Look for:

Name: podman-machine-default
URI: ssh://<VM_USER>@<VM_HOST>:49259/run/user/1000/podman/podman.sock
Identity: C:\Users\you\.local\share\containers\podman\machine

Use this info to:

  • SSH into the VM
  • SCP cert files in
  • Configure podman-remote

6. Reboot the Podman VM

podman machine stop
podman machine start

This flushes any old TLS trust and reinitializes the system.

IMPORTANT: After a restart, the podman machine is very likely to come up on a different port, so check it again (step 5) before you ssh or scp into it.
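Because the port moves on every restart, it is worth reading it out of podman instead of copying it by hand. The POSIX sh below is an added example (not from the original post): it pulls the SSH user, host and port for a named connection out of `podman system connection list` and rebuilds the post's scp/ssh command lines from them (note scp takes the port as -P, ssh as -p). It assumes the default four-column table output (Name, URI, Identity, Default); the listing embedded in it is constructed for the demo, and the user/host/port in it are made up. Unset PODMAN_CONNECTIONS (or drop the line in main) to query the real podman.

```shell
#!/bin/sh
# Added example, not from the original post: derive the podman machine's SSH
# user/host/port from `podman system connection list` so the scp/ssh commands
# still work after `podman machine stop/start` hands out a new port.

# Constructed sample listing (values are made up; shape matches the default table output)
SAMPLE_LISTING='Name                         URI                                                          Identity                                          Default
podman-machine-default       ssh://user@127.0.0.1:49259/run/user/1000/podman/podman.sock  C:\Users\you\.local\share\containers\podman\machine  true
podman-machine-default-root  ssh://root@127.0.0.1:49259/run/podman/podman.sock            C:\Users\you\.local\share\containers\podman\machine  false'

# connection_listing: the saved listing in $PODMAN_CONNECTIONS if set, else the live one
connection_listing() {
  if [ -n "${PODMAN_CONNECTIONS:-}" ]; then
    printf '%s\n' "$PODMAN_CONNECTIONS"
  else
    podman system connection list
  fi
}

# connection_uri NAME: the URI column of the connection called NAME (empty if absent)
connection_uri() {
  connection_listing | awk -v n="$1" '$1 == n { print $2 }'
}

# parse_ssh_uri URI: prints "user host port" for ssh://user@host:port/...; fails otherwise
parse_ssh_uri() {
  r=$(printf '%s\n' "$1" | sed -n 's#^ssh://\([^@/]*\)@\([^:/]*\):\([0-9][0-9]*\)/.*$#\1 \2 \3#p')
  [ -n "$r" ] && printf '%s\n' "$r"
}

# vm_ssh_parts NAME: sets VM_USER, VM_HOST and VM_PORT from the connection called NAME
vm_ssh_parts() {
  parts=$(parse_ssh_uri "$(connection_uri "$1")") || return 1
  VM_USER=${parts%% *}; rest=${parts#* }
  VM_HOST=${rest%% *};  VM_PORT=${rest#* }
}

# scp_cmd NAME KEY LOCALFILE REMOTEPATH: prints the scp command line (scp uses -P)
scp_cmd() {
  vm_ssh_parts "$1" || { echo "no usable ssh URI for connection '$1'" >&2; return 1; }
  printf 'scp -i %s -P %s %s %s@%s:%s\n' "$2" "$VM_PORT" "$3" "$VM_USER" "$VM_HOST" "$4"
}

# ssh_cmd NAME KEY: prints the ssh command line (ssh uses -p)
ssh_cmd() {
  vm_ssh_parts "$1" || { echo "no usable ssh URI for connection '$1'" >&2; return 1; }
  printf 'ssh -i %s -p %s %s@%s\n' "$2" "$VM_PORT" "$VM_USER" "$VM_HOST"
}

main() {
  PODMAN_CONNECTIONS=$SAMPLE_LISTING   # drop this line to query the real podman
  export PODMAN_CONNECTIONS
  if vm_ssh_parts podman-machine-default; then
    echo "podman machine currently listens on port $VM_PORT"
  fi
  scp_cmd podman-machine-default '~/.podman-keys/podman-vm-key' quay.crt /tmp/
  ssh_cmd podman-machine-default '~/.podman-keys/podman-vm-key'
}
main
```

Run it inside WSL after each `podman machine start`; the printed command lines are the ones from steps 2 and 4 with the fresh port filled in.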


7. Final Test: From WSL

podman run quay.io/podman/hello

If this works: You are free.
If not: SSH back in and verify the cert file:

head /etc/containers/certs.d/quay.io/ca.crt
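`head` only tells you the file is PEM. What you actually want to know before step 4 is which cert in the captured chain is the corporate CA: `s_client -showcerts` writes the leaf first and the issuers after it, and trusting the whole file works until the leaf rotates and you are back here. The POSIX sh below is an added example (not from the original post) covering steps 1, 4 and 7: it validates the PEM structure, splits the chain, prints subject/issuer per cert, picks the self-signed one (the root) and stages it as /etc/containers/certs.d/<registry>/ca.crt, which scopes the trust to that one registry rather than the whole VM. `fetch_chain` is the post's capture command plus -servername (SNI); the demo chain is constructed locally with a throwaway root and is not quay.io's real chain. If the proxy does not send its root at all, the fallback only warns: get the real root CA from whoever runs the proxy rather than trusting a leaf.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a chain captured with
# `openssl s_client -showcerts`, find the CA cert in it, and stage it as
# /etc/containers/certs.d/<registry>/ca.crt. Demo chain is constructed locally.

# fetch_chain HOST PORT OUTFILE: the post's capture command, plus SNI
fetch_chain() {
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# count_pem_certs FILE: number of CERTIFICATE blocks in FILE
count_pem_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# pem_is_well_formed FILE: succeeds only if every BEGIN has a matching END, in order
pem_is_well_formed() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { if (open) bad = 1; open = 1; n++ }
    /-----END CERTIFICATE-----/   { if (!open) bad = 1; open = 0 }
    END { if (bad || open || n == 0) exit 1; exit 0 }
  ' "$1"
}

# split_chain FILE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... (leaf first,
# as s_client prints them) and prints how many were written
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END { print n + 0 }
  ' "$1"
}

# cert_dn FILE subject|issuer: that DN in RFC 2253 form (needs openssl)
cert_dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# is_self_signed FILE: subject == issuer, i.e. a root CA candidate
is_self_signed() { [ "$(cert_dn "$1" subject)" = "$(cert_dn "$1" issuer)" ]; }

# pick_ca DIR: prints the path of the self-signed cert in DIR. If the proxy sent no
# root, falls back to the last cert (deepest issuer) and warns.
pick_ca() {
  last=""
  for f in "$1"/cert-*.pem; do
    last=$f
    if is_self_signed "$f"; then printf '%s\n' "$f"; return 0; fi
  done
  echo "warning: no self-signed cert in chain; falling back to $last (obtain the real root CA)" >&2
  printf '%s\n' "$last"
}

# install_ca REGISTRY CERTFILE [ROOTDIR]: copy CERTFILE to
# ROOTDIR/etc/containers/certs.d/REGISTRY/ca.crt and print that path.
# On the VM, ROOTDIR is omitted (so the real /etc) and this runs under sudo.
install_ca() {
  dest="${3:-}/etc/containers/certs.d/$1"
  mkdir -p "$dest" && cp "$2" "$dest/ca.crt" && chmod 644 "$dest/ca.crt" \
    && printf '%s\n' "$dest/ca.crt"
}

# make_demo_chain DIR: constructed two-cert chain (leaf signed by a throwaway root),
# written leaf-first like s_client output
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Corp Root CA' \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=quay.io' \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.pem" >/dev/null 2>&1 || return 1
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/chain.pem"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
  tmp=$(mktemp -d) || return 1
  make_demo_chain "$tmp" || { echo "could not build demo chain"; rm -rf "$tmp"; return 0; }
  pem_is_well_formed "$tmp/chain.pem" && echo "chain.pem: $(count_pem_certs "$tmp/chain.pem") PEM cert(s)"
  split_chain "$tmp/chain.pem" "$tmp" >/dev/null
  for f in "$tmp"/cert-*.pem; do
    printf '%s: subject=%s issuer=%s\n' "${f##*/}" "$(cert_dn "$f" subject)" "$(cert_dn "$f" issuer)"
  done
  ca=$(pick_ca "$tmp")
  install_ca quay.io "$ca" "$tmp/fakeroot"   # on the VM: sudo, and no ROOTDIR argument
  rm -rf "$tmp"
}
main
```

For the real thing, replace the demo with `fetch_chain quay.io 443 quay.crt` from WSL, `split_chain quay.crt somedir`, and then `pick_ca somedir` to see which file to scp into the VM; certs.d is read on every pull, so if a pull still fails after installing the cert, re-run `cert_dn` on what landed in /etc/containers/certs.d/quay.io/ca.crt and compare it with the issuer of the cert the registry is presenting.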

Where the Cert Matters (and Doesn't)

Location                            Does It Matter?
Windows certmgr.msc                 No, not used by the Podman VM
WSL /etc/containers/certs.d         No, WSL is just a thin client (but good for parity/backup)
Podman VM /etc/containers/certs.d   YES

Recap Checklist

  • [x] Pulled cert from WSL using openssl
  • [x] Copied cert to Podman VM via scp
  • [x] Installed cert in /etc/containers/certs.d/quay.io/ca.crt inside the VM
  • [x] Restarted Podman VM
  • [x] Confirmed podman run quay.io/podman/hello works from WSL

You are now a Certified Cert Slayer™.
Burn this page into your soul and never fear x509 again.
