Menu
I want to configure a local docker registry with self-signed certificate which i will be using inside my local network. I'm following instruction from docker manual [1, 2], but nevertheless run into errors.
Precisely, my problem is following. I create a self signed certificate on the local registry machine:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt \
-subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"
I put this certificate into /etc/docker/certs.d/openmpi-dockerregistry:443/ca.crt on each of the local machines.
Then I start registry and push an image there. Since I do not have DNS configured inside my network, I just put an entry into /etc/hosts.
Next I try to pull the image on the local machine, but this operation fails:
$ docker run -it openmpi-dockerregistry.local:443/hello-world
Unable to find image 'openmpi-dockerregistry.local:443/hello-world:latest' locally
docker: Error response from daemon: Get https://openmpi-dockerregistry.local:443/v2/: x509: certificate is not valid for any names, but wanted to match openmpi-dockerregistry.local.
See 'docker run --help'.
I'm very suspicious about message "x509: certificate is not valid for any names", which sounds that I did not specify CN correctly, but reading the certificate indicates the opposite (full output):
$ openssl x509 -text -noout -in certs/domain.crt
....
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Oregon, L = Portland, O = Company Name, OU = Org, CN = openmpi-dockerregistry.local
....
Another option which I tried is to access the register directly by IP. I followed a manual[3] and added IP SAN to the certificate. Additionally I also set CN=*. So that the resulting certificate now contains following (full):
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:<ip address>
But now when I try to pull the image I get following error message:
$ docker run -it <ip>:443/hello-world
Unable to find image '<ip>:443/hello-world:latest' locally
docker: Error response from daemon: Get https://<ip>:443/v2/: x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs.
See 'docker run --help'
Although the file /etc/docker/certs.d/<ip>:443/ca.crt contains the IP address.
Could you help me to find a way to pull images from local registry?
Update
How do I start docker registry?
$ docker run -d \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:$REGISTRY_PORT \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p $REGISTRY_PORT:$REGISTRY_PORT \
--restart=always \
--name registry \
registry:2
619
In a typical setup where you run your Registry from the official image, you can specify a configuration variable from the environment by passing -e arguments to your docker run stanza or from within a Dockerfile using the ENV instruction. This variable overrides the /var/lib/registry value to the /somewhere directory.
I think the problem is that you didn't copy the certificate and key in the /etc/docker/certs.d/ folder.
The folder should look like this:
/etc/docker/certs.d/
└── openmpi-dockerregistry.local:443
├── client.cert
├── client.key
└── ca.crt
In my case I had no ca.crt and it worked fine.
Reference: https://docs.docker.com/engine/security/certificates/
I implemented your setup on my machine, everything worked fine after I copied domain.key and domain.crt (and renamed them) in the /etc/docker/certs.d folder. The only difference was that I used openmpi-dockerregistry as a domain instead of openmpi-dockerregistry.local
105
You need to edit your /etc/ssl/openssl.cnf to have the FQDN (openmpi-dockerregistry.local) and the IP address in the IP SANs list. Add as follows:
[ v3_ca ]
# Extensions for a typical CA
subjectAltName = @alt_names
[ alt_names ]
IP.1 = <IP>
DNS.1 = openmpi-dockerregistry.local
Now generate the cert using the following command:
openssl req -config /etc/ssl/openssl.cnf \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt \
-subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=openmpi-dockerregistry.local"
Check whether the cert has the IP and the DNS in the IP SANs list with this command:
openssl x509 -in domain.crt -text -noout
You should see something like this in the output if all went right:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:<IP>, DNS:openmpi-dockerregistry.local
Now copy this cert in the client docker certs directory in the following location:
/etc/docker/certs.d/openmpi-dockerregistry.local/ca.crt
You should be good now.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
