I am using ZimaOS in Ireland and I’ve noticed that the system frequently defaults to certain registry mirrors, even after manual attempts to clear the configuration.
Occasionally, when pulling images through the UI or terminal, the Docker daemon attempts to connect via mirrors like ghcr.1panel.live or daocloud.io. This leads to SSL/TLS handshake failures:
tls: failed to verify certificate: x509: certificate signed by unknown authority.
This seems to happen with various images and disrupts the installation process. It appears these mirrors have expired or invalid certificates for users connecting from Europe, where a direct connection to official registries is much more reliable.
Could the developers provide a way to permanently disable these mirrors for users in regions where they are not needed? Ideally, the system should respect a “direct connection” policy to official registries (ghcr.io and Docker Hub) to avoid these certificate conflicts.
This isn’t a connectivity issue — it’s Docker being forced to use registry mirrors with invalid TLS certificates. When the mirror fails certificate validation, Docker aborts the pull instead of falling back to the official registry.
For users in Europe, these mirrors are unnecessary and are actively breaking image pulls.
There should be a way to permanently disable mirrors and enforce direct connections to Docker Hub and ghcr.io. A simple “Use Official Registries Only” option would resolve this cleanly.
That confirms it, this is mirror-side restriction, not a local network issue.
If the response literally says “service is only available for mainland China” and you’re also seeing expired/invalid certificates, then those mirrors should not be applied globally.
For EU users, they’re causing hard failures instead of improving reliability.
Agree, this is easily solved with a simple setting to disable mirrors and force direct pulls from official registries. That would eliminate both the regional block and the TLS errors cleanly.
ZimaOS will first try to pull the image through docker hub when pulling the image, and will try to use the proxy to retrieve it only when the pull fails
