I'm am running a private docker registry on ubuntu using S3 for storage. I'm having issues getting docker login/push/pull commands to work over SSL. I'm using Nginx in front of Gunicorn to run the registry. It works without any issues over HTTP, but after switching to HTTPS for a prod system, it throws the following error from the client docker login.
Invalid Registry endpoint: x509: certificate signed by unknown authority
I have purchased a rather cheap PositiveSSL certificate from Commodo to use for this. I have ensured the root CA and intermediate CA's are installed on the Ubuntu system running the registry. The following is my nginx configuration for the server
# Default nginx site to run the docker registry upstream docker-registry { server localhost:5000; } server { listen 443; server_name docker.ommited.net; ssl on; ssl_certificate /etc/ssl/docker-registry.crt; ssl_certificate_key /etc/ssl/docker-registry.key; proxy_set_header Host $http_host; # required for docker client's sake proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads location / { proxy_pass http://localhost:5000/; } }
I'm trying to figure out how to get docker to properly recognize the cert, or ignore the certificate warning. I'm running docker-registry version v0.7.3, the particular client I'm using is Docker version 1.1.2, build d84a070. on a side note, when visiting the registry in a browser, the cert is properly recognized. any help pointing me in the right direction would be greatly appreciated!
How to resolve Docker x509: certificate signed by unknown authority error. In order to resolve this error, we have to import the CA certificate in use by the ICP into the system keystore. Then, we have to restart the Docker client for the changes to take effect.
The error "x509: certificate signed by unknown authority" indicates that the backup is trying to connect to an S3 compatible endpoint, presenting an SSL certificate that a Certification Authority issued that the host does not trust.
So the solution to is simple – install the Root CA certificates on the server. That's it – now the error should be gone. If you don't know the root CA, open the URL that gives you the error in a browser (i.e. Chrome). Click the lock next to the URL and select Certificate (Valid).
Place your root certificate and intermediate (if you have one) in /usr/share/local/ca-certificates with the . crt extension. Run: sudo update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
For cheap / lesser known certs like the COMODO or StartSSL ones, you need to add the entire certificate chain into the certificate file you are using with nginx. Many operating systems don't trust the intermediate CAs, just the root CA, so you need to fill in the missing steps between the certificate for your host and the root CA that is trusted by the OS.
In the e-mail you received your certificate with, you should also find links to the intermediate CAs and the root CA. Open the docker-registry.crt
file, scroll to the bottom, and append the intermediate CAs and, finally, the root CA certificate for the PositiveSSL chain. Once you've done that, restart nginx. You should now be good to go.
For RHEL hosts, you can add the CA cert to the PKI CA list on the client host:
cp docker-registry.crt /etc/pki/ca-trust/source/anchors/docker-registry.crt
update-ca-trust
systemctl restart docker
From https://www.happyassassin.net/2014/09/06/adding-your-freeipa-servers-ca-certificate-to-the-system-wide-trust-store-on-fedora-and-rhel/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With