Setting up a Docker registry with Letsencrypt certificate

I'm setting up a domain registry as described here:

https://docs.docker.com/registry/deploying/

I generated a certificate for docker.mydomain.com and started the docker using their command on my server:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

I've started the docker and pointed to certificates I obtained using letsencrypt (https://letsencrypt.org/).

Now, when I browse to https://docker.mydomain.com:5000/v2/ I will get a page with just '{}', with a green lock (successful secure page request).

But when I try to do a docker login docker.mydomain.com:5000 from a different server I see an error in the registry docker:

 TLS handshake error from xxx.xxx.xxx.xxx:51773: remote error: bad certificate

I've tried some different variations in setting up the certificates, and gotten errors like:

remote error: unknown certificate authority

and

 tls: first record does not look like a TLS handshake

What am I missing?

Oli asked Jan 09 '16 15:01
1 Answer

Docker seems not to support SNI: https://github.com/docker/docker/issues/9969

Update: Docker should now support SNI.

It means that when connecting to your server during the TLS transaction, the Docker client does not specify the domain name, so your server shows the default certificate.

The solution could be to change the default certificate of your server to one valid for the Docker domain.

This site works only in browsers with SNI support.

To check if your (sub-)domain works with clients that are not SNI-aware, you can use ssllabs.com/ssltest: if you DON'T see the message "This site works only in browsers with SNI support." then it will work.

Tom answered Sep 22 '22 18:09
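A way to run the check the answer describes yourself, as an added example that is not part of the original answer: it connects to the registry once with SNI and once without (the no-SNI connection sees the server's default certificate, which is what an SNI-less Docker client got) and reports whether each presented certificate chains to a trusted CA and lists the registry hostname. The hostname docker.mydomain.com, port 5000 and the function names are assumptions.

```python
"""Compare the certificate a TLS server presents with and without SNI."""
import socket
import ssl
import sys
from typing import Optional


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """True if a certificate (dict form returned by getpeercert()) lists
    hostname among its DNS subjectAltName entries. A wildcard matches
    exactly one leftmost label, as RFC 6125 requires."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def fetch_peer_cert(host: str, port: int, server_name: Optional[str]) -> dict:
    """Handshake and return the leaf certificate. server_name=None sends no
    SNI, so the server answers with its default certificate. The chain is
    still verified against the system trust store (CERT_REQUIRED); only the
    hostname check is disabled so it can be done separately below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def check_sni_default(host: str, port: int = 5000) -> dict:
    """Per mode: did the chain verify, and does the cert cover host?
    An unverifiable default certificate shows up here as an error, which
    is the client-side view of the registry's 'bad certificate' log line."""
    report = {}
    for mode, sni in (("with_sni", host), ("without_sni", None)):
        try:
            cert = fetch_peer_cert(host, port, sni)
            names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            report[mode] = {"verified": True, "names": names,
                            "covers_host": cert_covers_host(cert, host)}
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[mode] = {"verified": False, "error": str(exc)}
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "docker.mydomain.com"
    for mode, result in check_sni_default(target).items():
        print(mode, result)
```

If "without_sni" reports an error or covers_host False while "with_sni" is fine, the server's default certificate is the one to fix, as the answer suggests.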