The instructions for private registries with self signed certs state when logging in:
FATA[0005] Error response from daemon: v1 ping attempt failed with error: Get https://registry:8443/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry registry:8443
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry:8443/ca.crt
I tried that but got another error about the IP not being in the subject. So I fixed that error and now get:
FATA[0006] Error response from daemon: Server Error: Post https://registry:8443/v1/users/: x509: certificate signed by unknown authority
Where registry is the IP of the registry.
I then placed "--insecure-registry registry:8443" in /etc/default/docker and restarted the daemon
I've verified it's taken the setting.
root 6865 1 0 12:47 ? 00:00:00 /usr/bin/docker -d --insecure-registry registry:8443
But docker login still produces this error:
FATA[0006] Error response from daemon: Server Error: Post https://registry:8443/v1/users/: x509: certificate signed by unknown authority
Does insecure-registry work differently than I thought and how do I get around it?
And yes, I need HTTPS. It's a private registry but on a public IP. Is the only way forward to create a proper DNS entry with a real cert?
The Docker runtime establishes trust of a remote image registry based on the validity of its Transport Layer Security (TLS) certificate. If your cluster uses a self-signed certificate, Docker will consider it “insecure” by default.
Pull from a different registry A registry path is similar to a URL, but does not contain a protocol specifier ( https:// ). Registry credentials are managed by docker login. Docker uses the https:// protocol to communicate with a registry, unless the registry is allowed to be accessed over an insecure connection.
There are a number of ways to configure the daemon flags and environment variables for your Docker daemon. The recommended way is to use the platform-independent daemon.json
file, which is located in /etc/docker/
on Linux by default.
So, for configuring insecure registries, do the following:
Set the following flag in the daemon.json
file:
{
"insecure-registries": ["registry:8443"]
}
Restart Docker
$ sudo systemctl restart docker
That's it!
YES! I've found the problem!
You need to fix /etc/systemd/system/multi-user.target.wants/docker.service
. Currently it doesn't take $OPTIONS into consideration when starting docker. So mine now looks like this:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
#The line below was missing $OPTIONS at the end!!!
ExecStart=/usr/bin/docker -d -H fd:// $OPTIONS
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
[Install]
WantedBy=multi-user.target
After that do the usual:
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
and everything works now.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With