Hi , I am trying to arrange access to a secure registry from another machine. I have a docker-compose file which looks like this which I use to start the registry
registry:
restart: always
image: registry:2
ports:
- 5000:5000
environment:
REGISTRY_HTTP_TLS_CA_CERTIFICATE: /certs/ca-bztest.crt
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/vmbz001.crt
REGISTRY_HTTP_TLS_KEY: /certs/vmbz001.pem
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes:
- /DockerRegistry/data:/var/lib/registry
- /DockerDownload/certs:/certs
- /DockerDownload/auth:/auth
It listens on port 5000 and has pub/priv key set of which the pub key (vmbz001.crt) is signed with the ca-bztest.crt file. This all runs on Red Hat OS 7. I have generated a new htpasswd file which now contains a user/password combination that I know and which works. I have no clue what further settings are done on OS level since I inherited this setup. From the same machine where the registry server runs I can do a sudo docker login servername:5000 which asks me for the combination from the htpasswd file and subsequently says that login succeeded. Trying to do a browse of the catalog (with curl) however fails. Also access to the registry from another machine where I want to do a pull of an image fails for the same reason it seems. It is unclear to me what is needed on the client side to be able to access the registry and I don’t want to go the route of declaring the registry insecure. The message I am getting is : Error response from daemon: Get https://“servername”:5/v1/users/: x509: certificate specifies an incompatible key usage
I initially got the following message : Error response from daemon: Get https://“servername”:5000/v1/users/: x509: certificate signed by unknown authority
which I was able to solve by copying the ca-bztest.crt into the /etc/docker/certs.d directory on the client side . I have also tried adding a generated client prv/pub keyset to this directory but it didn’t solve anything